sync

infra/values/aks-prod/gitea-values.yaml

@@ -1,4 +1,4 @@
-# Azure Managed Disk (Premium SSD via CSI driver)
+# AKS-specific: Azure managed disk storage class (prod)
 persistence:
   storageClass: managed-csi-premium
 postgresql:

infra/values/aks-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/aks-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/aks-prod/opencost-values.yaml

@@ -1,11 +1,8 @@
-# Azure native pricing via Billing API
+# AKS-specific: Azure pricing via Cloud Billing API (prod)
 opencost:
   exporter:
+    cloudProviderApiKey: ""
     customPricing:
-      enabled: true
-      provider: azure
+      enabled: false
     azure:
-      subscriptionID: ""          # <- populate
-      clientID: ""
-      clientSecret: ""
-      tenantID: ""
+      secretName: opencost-azure-billing

infra/values/aks-prod/traefik-values.yaml

@@ -1,16 +1,12 @@
-# Azure AKS — Standard Load Balancer
-# Note: Azure Standard LB does not support Proxy Protocol.
-# Use externalTrafficPolicy: Local on the Traefik service to preserve
-# client IPs, or deploy behind Azure Application Gateway.
+# AKS-specific: Azure Load Balancer for Traefik (prod)
 service:
   annotations:
-    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
-  spec:
-    externalTrafficPolicy: Local
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
 ports:
   web:
     forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,168.63.129.16/32"    # <- VNet CIDR + Azure health probe
+      trustedIPs: "10.0.0.0/8"
   websecure:
     forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,168.63.129.16/32"
+      trustedIPs: "10.0.0.0/8"