multi-cloud no mcp

infra/base/gitea.yaml

@@ -22,6 +22,7 @@ spec:
       releaseName: gitea
       valueFiles:
       - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/upc-dev/gitea-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/base/opencost.yaml

@@ -22,6 +22,7 @@ spec:
       releaseName: opencost
       valueFiles:
       - $values/infra/values/base/opencost-values.yaml
+      - $values/infra/values/upc-dev/opencost-values.yaml
 
   - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD

infra/overlays/aws-dev/kustomization.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aws-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aws-dev/traefik-values.yaml
+
+# Gitea: swap upc-dev → aws-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aws-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aws-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aws-dev/opencost-values.yaml
+
+# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
+# when deploying to this cluster (these are deployment-specific, not cloud-specific)

infra/overlays/aws-prod/kustomization.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aws-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aws-prod/traefik-values.yaml
+
+# Gitea: swap upc-dev → aws-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aws-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aws-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aws-prod/opencost-values.yaml
+
+# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
+# when deploying to this cluster (these are deployment-specific, not cloud-specific)

infra/overlays/azure-dev/kustomization.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → azure-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/azure-dev/traefik-values.yaml
+
+# Gitea: swap upc-dev → azure-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/azure-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → azure-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/azure-dev/opencost-values.yaml
+
+# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
+# when deploying to this cluster (these are deployment-specific, not cloud-specific)

infra/overlays/azure-prod/kustomization.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → azure-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/azure-prod/traefik-values.yaml
+
+# Gitea: swap upc-dev → azure-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/azure-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → azure-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/azure-prod/opencost-values.yaml
+
+# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
+# when deploying to this cluster (these are deployment-specific, not cloud-specific)

infra/overlays/gcp-dev/kustomization.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gcp-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gcp-dev/traefik-values.yaml
+
+# Gitea: swap upc-dev → gcp-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gcp-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gcp-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gcp-dev/opencost-values.yaml
+
+# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
+# when deploying to this cluster (these are deployment-specific, not cloud-specific)

infra/overlays/gcp-prod/kustomization.yaml

@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gcp-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gcp-prod/traefik-values.yaml
+
+# Gitea: swap upc-dev → gcp-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gcp-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gcp-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gcp-prod/opencost-values.yaml
+
+# TODO: add patches for keycloak, grafana, secrets, enterprise-apps
+# when deploying to this cluster (these are deployment-specific, not cloud-specific)

infra/overlays/upc-prod/kustomization.yaml

@@ -48,3 +48,21 @@ patches:
     - op: replace
       path: /spec/source/path
       value: apps/overlays/upc-prod
+
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/opencost-values.yaml

infra/values/aws-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# AWS EBS gp3 storage class (requires EBS CSI driver)
+persistence:
+  storageClass: gp3
+postgresql:
+  primary:
+    persistence:
+      storageClass: gp3

infra/values/aws-dev/opencost-values.yaml

@@ -0,0 +1,13 @@
+# AWS native pricing via Cost and Usage Reports
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: aws
+    aws:
+      service_key_name: ""      # <- populate or use IRSA
+      service_key_secret: ""
+      spot_data_region: ""
+      spot_data_bucket: ""
+      spot_data_prefix: ""
+      account_id: ""

infra/values/aws-dev/traefik-values.yaml

@@ -0,0 +1,18 @@
+# AWS EKS — NLB with Proxy Protocol v2 for real client IPs
+service:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: "external"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"       # <- adjust to your VPC CIDR
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/aws-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# AWS EBS gp3 storage class (requires EBS CSI driver)
+persistence:
+  storageClass: gp3
+postgresql:
+  primary:
+    persistence:
+      storageClass: gp3

infra/values/aws-prod/opencost-values.yaml

@@ -0,0 +1,13 @@
+# AWS native pricing via Cost and Usage Reports
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: aws
+    aws:
+      service_key_name: ""      # <- populate or use IRSA
+      service_key_secret: ""
+      spot_data_region: ""
+      spot_data_bucket: ""
+      spot_data_prefix: ""
+      account_id: ""

infra/values/aws-prod/traefik-values.yaml

@@ -0,0 +1,18 @@
+# AWS EKS — NLB with Proxy Protocol v2 for real client IPs
+service:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: "external"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"       # <- adjust to your VPC CIDR
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/azure-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# Azure Managed Disk (Premium SSD via CSI driver)
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium

infra/values/azure-dev/opencost-values.yaml

@@ -0,0 +1,11 @@
+# Azure native pricing via Billing API
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: azure
+    azure:
+      subscriptionID: ""          # <- populate
+      clientID: ""
+      clientSecret: ""
+      tenantID: ""

infra/values/azure-dev/traefik-values.yaml

@@ -0,0 +1,16 @@
+# Azure AKS — Standard Load Balancer
+# Note: Azure Standard LB does not support Proxy Protocol.
+# Use externalTrafficPolicy: Local on the Traefik service to preserve
+# client IPs, or deploy behind Azure Application Gateway.
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
+  spec:
+    externalTrafficPolicy: Local
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,168.63.129.16/32"    # <- VNet CIDR + Azure health probe
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,168.63.129.16/32"

infra/values/azure-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# Azure Managed Disk (Premium SSD via CSI driver)
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium

infra/values/azure-prod/opencost-values.yaml

@@ -0,0 +1,11 @@
+# Azure native pricing via Billing API
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: azure
+    azure:
+      subscriptionID: ""          # <- populate
+      clientID: ""
+      clientSecret: ""
+      tenantID: ""

infra/values/azure-prod/traefik-values.yaml

@@ -0,0 +1,16 @@
+# Azure AKS — Standard Load Balancer
+# Note: Azure Standard LB does not support Proxy Protocol.
+# Use externalTrafficPolicy: Local on the Traefik service to preserve
+# client IPs, or deploy behind Azure Application Gateway.
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
+  spec:
+    externalTrafficPolicy: Local
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,168.63.129.16/32"    # <- VNet CIDR + Azure health probe
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,168.63.129.16/32"

infra/values/base/gitea-values.yaml

@@ -127,7 +127,6 @@ persistence:
   size: 10Gi
   accessModes:
   - ReadWriteOnce
-  storageClass: upcloud-block-storage-maxiops
 
 # -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
 strategy:
@@ -153,7 +152,6 @@ postgresql:
     persistence:
       enabled: true
       size: 8Gi
-      storageClass: upcloud-block-storage-maxiops
     resources:
       requests:
         cpu: 100m

infra/values/base/opencost-values.yaml

@@ -10,18 +10,8 @@ opencost:
         serviceName: prometheus-server
         namespaceName: monitoring
         port: 80
-    customPricing:
-      enabled: true
-      provider: custom
-      costModel:
-        description: "UpCloud 4-node cluster pricing"
-        CPU: "5.86"
-        RAM: "1.46"
-        GPU: "0"
-        storage: "0.34"
-        zoneNetworkEgress: "0"
-        regionNetworkEgress: "0"
-        internetNetworkEgress: "0"
+    # Cloud-specific pricing is in per-cluster value overrides
+    # (e.g. infra/values/upc-dev/opencost-values.yaml)
   ui:
     enabled: false
 service:

infra/values/gcp-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# GCP Persistent Disk (SSD via CSI driver)
+persistence:
+  storageClass: premium-rwo
+postgresql:
+  primary:
+    persistence:
+      storageClass: premium-rwo

infra/values/gcp-dev/opencost-values.yaml

@@ -0,0 +1,9 @@
+# GCP native pricing via Cloud Billing API
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: gcp
+    gcp:
+      projectID: ""               # <- populate with your GCP project ID
+      key: ""                     # <- or use Workload Identity

infra/values/gcp-dev/traefik-values.yaml

@@ -0,0 +1,15 @@
+# GCP GKE — External passthrough Network Load Balancer
+service:
+  annotations:
+    cloud.google.com/l4-rbs: "enabled"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"   # <- subnet CIDR + GCP health checks
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"

infra/values/gcp-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# GCP Persistent Disk (SSD via CSI driver)
+persistence:
+  storageClass: premium-rwo
+postgresql:
+  primary:
+    persistence:
+      storageClass: premium-rwo

infra/values/gcp-prod/opencost-values.yaml

@@ -0,0 +1,9 @@
+# GCP native pricing via Cloud Billing API
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: gcp
+    gcp:
+      projectID: ""               # <- populate with your GCP project ID
+      key: ""                     # <- or use Workload Identity

infra/values/gcp-prod/traefik-values.yaml

@@ -0,0 +1,15 @@
+# GCP GKE — External passthrough Network Load Balancer
+service:
+  annotations:
+    cloud.google.com/l4-rbs: "enabled"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"   # <- subnet CIDR + GCP health checks
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"

infra/values/upc-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# UpCloud storage class for Gitea and its embedded PostgreSQL
+persistence:
+  storageClass: upcloud-block-storage-maxiops
+postgresql:
+  primary:
+    persistence:
+      storageClass: upcloud-block-storage-maxiops

infra/values/upc-dev/opencost-values.yaml

@@ -0,0 +1,15 @@
+# UpCloud custom pricing (no native OpenCost integration)
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"

infra/values/upc-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# UpCloud storage class for Gitea and its embedded PostgreSQL
+persistence:
+  storageClass: upcloud-block-storage-maxiops
+postgresql:
+  primary:
+    persistence:
+      storageClass: upcloud-block-storage-maxiops

infra/values/upc-prod/opencost-values.yaml

@@ -0,0 +1,15 @@
+# UpCloud custom pricing (no native OpenCost integration)
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"