Per platform review (danijel):
- keycloak-client-forte-drop: add the secret{} block telling the
registrar where to write the credential Secret + key names
(forte-drop-oidc-credentials, client-id/client-secret). The
forte-helm oidc sidecar consumes that registrar-created Secret —
no manual auth-oidc SealedSecret step (removed that NOTE).
- Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers
the MCP client; no manual config needed.
- Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG*,
S3_*, PASSWORD_GATE_SECRET) so both deployments get identical values
via envSecretName (values extraEnv now carries only APP_MODE).
Sealed forte-drop-secrets with the real UpCloud Managed Object Storage
creds (existing drops bucket), PG creds matching the deployed
forte-drop-pg-creds, and PASSWORD_GATE_SECRET. Consumed by both web +
mcp deployments (envSecretName) and the pg-backup CronJob (S3 creds).
