vault migration

Co-authored-by: Copilot <copilot@github.com>

.gitignore

@@ -16,11 +16,3 @@ devbox.d/
 devbox.lock
 .devbox/
 bash.exe.stackdump
-
-# OpenTofu
-.tofu/configs/*.env
-.tofu/scripts/*.config
-.tofu/platforms/**/.terraform/
-.tofu/platforms/**/terraform.tfstate*
-.tofu/platforms/**/tfplan
-.tofu/platforms/**/.terraform.lock.hcl

.tofu/configs/aks.env.example

@@ -1,9 +0,0 @@
-# Azure AKS credentials — copy to aks.env and fill in values
-# NEVER commit aks.env to git!
-
-# Required
-AZURE_TENANT_ID=your-azure-tenant-id
-AZURE_SUBSCRIPTION_ID=your-azure-subscription-id
-
-# Optional — defaults to cluster name if not set
-ARM_RESOURCE_GROUP=

.tofu/configs/eks.env.example

@@ -1,10 +0,0 @@
-# AWS EKS credentials — copy to eks.env and fill in values
-# NEVER commit eks.env to git!
-
-# Required — AWS CLI profile or access key
-AWS_PROFILE=default
-AWS_REGION=eu-west-1
-
-# Optional — override with explicit keys instead of profile
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=

.tofu/configs/gke.env.example

@@ -1,9 +0,0 @@
-# GCP GKE credentials — copy to gke.env and fill in values
-# NEVER commit gke.env to git!
-
-# Required
-GCP_PROJECT_ID=your-gcp-project-id
-GCP_REGION=europe-west4
-
-# Optional — path to service account JSON key (if not using gcloud auth)
-# GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa-key.json

.tofu/configs/upc.env.example

@@ -1,8 +0,0 @@
-# UpCloud credentials — copy to upc.env and fill in values
-# NEVER commit upc.env to git!
-
-# Required
-UPCLOUD_TOKEN=your-upcloud-api-token
-
-# Optional — set after cluster creation for kubeconfig retrieval
-UPCLOUD_CLUSTER_ID=

.tofu/platforms/aks/dev/main.tf

@@ -1,18 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  prefix              = "clst-dev"
-  location            = "norwayeast"
-  resource_group_name = "clst-dev-rg"
-
-  # AKS — small dev nodes
-  aks_node_vm_size = "Standard_B2s"
-  aks_node_count   = 2
-
-  enable_delete_lock = false
-
-  tags = {
-    Environment = "dev"
-    ManagedBy   = "tofu"
-  }
-}

.tofu/platforms/aks/dev/outputs.tf

@@ -1,26 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_name" {
-  value = module.cluster.cluster_name
-}
-
-output "resource_group_name" {
-  value = module.cluster.resource_group_name
-}
-
-output "kubernetes_version" {
-  value = module.cluster.kubernetes_version
-}
-
-output "location" {
-  value = module.cluster.location
-}
-
-output "oidc_issuer_url" {
-  value = module.cluster.oidc_issuer_url
-}
-
-output "kubeconfig" {
-  value     = module.cluster.kubeconfig
-  sensitive = true
-}

.tofu/platforms/aks/dev/providers.tf

@@ -1,17 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = "~> 4.0"
-    }
-  }
-}
-
-provider "azurerm" {
-  features {}
-  # Credentials via environment variables:
-  #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
-  # Or: az login (uses your Azure CLI session)
-}

.tofu/platforms/aks/modules/cluster/main.tf

@@ -1,72 +0,0 @@
-# Current Azure/Entra ID context — provides tenant_id used in outputs
-data "azurerm_client_config" "current" {}
-
-# ─── Resource Group ───────────────────────────────────────────────────
-
-resource "azurerm_resource_group" "main" {
-  name     = var.resource_group_name
-  location = var.location
-  tags     = var.tags
-}
-
-resource "azurerm_management_lock" "main" {
-  count      = var.enable_delete_lock ? 1 : 0
-  name       = "${var.prefix}-delete-lock"
-  scope      = azurerm_resource_group.main.id
-  lock_level = "CanNotDelete"
-  notes      = "Prevents accidental deletion of production resources"
-}
-
-# ─── Networking ───────────────────────────────────────────────────────
-
-resource "azurerm_virtual_network" "main" {
-  name                = "${var.prefix}-vnet"
-  resource_group_name = azurerm_resource_group.main.name
-  location            = azurerm_resource_group.main.location
-  address_space       = [var.vnet_address_space]
-  tags                = var.tags
-}
-
-# AKS nodes subnet
-resource "azurerm_subnet" "aks" {
-  name                 = "${var.prefix}-aks-subnet"
-  resource_group_name  = azurerm_resource_group.main.name
-  virtual_network_name = azurerm_virtual_network.main.name
-  address_prefixes     = [var.aks_subnet_cidr]
-}
-
-# ─── AKS Cluster ──────────────────────────────────────────────────────
-
-resource "azurerm_kubernetes_cluster" "main" {
-  name                = "${var.prefix}-aks"
-  resource_group_name = azurerm_resource_group.main.name
-  location            = azurerm_resource_group.main.location
-  dns_prefix          = replace(var.prefix, "-", "")
-  kubernetes_version  = var.aks_kubernetes_version
-  tags                = var.tags
-
-  default_node_pool {
-    name           = "system"
-    node_count     = var.aks_node_count
-    vm_size        = var.aks_node_vm_size
-    vnet_subnet_id = azurerm_subnet.aks.id
-    node_labels = {
-      prefix = var.prefix
-      role   = "worker"
-      env    = lookup(var.tags, "Environment", "dev")
-    }
-  }
-
-  identity {
-    type = "SystemAssigned"
-  }
-
-  network_profile {
-    network_plugin = "azure"
-    network_policy = "azure"
-  }
-
-  # Enable Workload Identity for keyless Azure service access (MSI)
-  oidc_issuer_enabled       = true
-  workload_identity_enabled = true
-}

.tofu/platforms/aks/modules/cluster/outputs.tf

@@ -1,32 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_name" {
-  description = "AKS cluster name"
-  value       = azurerm_kubernetes_cluster.main.name
-}
-
-output "resource_group_name" {
-  description = "Resource group name"
-  value       = azurerm_resource_group.main.name
-}
-
-output "kubernetes_version" {
-  description = "Kubernetes version"
-  value       = azurerm_kubernetes_cluster.main.kubernetes_version
-}
-
-output "location" {
-  description = "Azure region"
-  value       = azurerm_resource_group.main.location
-}
-
-output "oidc_issuer_url" {
-  description = "AKS OIDC issuer URL (for workload identity federation)"
-  value       = azurerm_kubernetes_cluster.main.oidc_issuer_url
-}
-
-output "kubeconfig" {
-  description = "Kubeconfig for the AKS cluster"
-  value       = azurerm_kubernetes_cluster.main.kube_config_raw
-  sensitive   = true
-}

.tofu/platforms/aks/modules/cluster/providers.tf

@@ -1,18 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = "~> 4.0"
-    }
-    azuread = {
-      source  = "hashicorp/azuread"
-      version = "~> 3.0"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
-    }
-  }
-}

.tofu/platforms/aks/modules/cluster/variables.tf

@@ -1,56 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-variable "prefix" {
-  description = "Prefix for resource names"
-  type        = string
-}
-
-variable "location" {
-  description = "Azure region (e.g., norwayeast, westeurope, northeurope)"
-  type        = string
-}
-
-variable "resource_group_name" {
-  description = "Name of the Azure Resource Group to create"
-  type        = string
-}
-
-variable "vnet_address_space" {
-  description = "Address space for the virtual network"
-  type        = string
-  default     = "10.100.0.0/16"
-}
-
-variable "aks_subnet_cidr" {
-  description = "CIDR block for the AKS node subnet"
-  type        = string
-  default     = "10.100.0.0/22"
-}
-
-variable "aks_node_vm_size" {
-  description = "VM size for AKS worker nodes (e.g., Standard_B2s, Standard_D4s_v3)"
-  type        = string
-}
-
-variable "aks_node_count" {
-  description = "Number of AKS worker nodes"
-  type        = number
-}
-
-variable "aks_kubernetes_version" {
-  description = "Kubernetes version for AKS (null = latest stable)"
-  type        = string
-  default     = null
-}
-
-variable "enable_delete_lock" {
-  description = "Protect the resource group from accidental deletion"
-  type        = bool
-  default     = false
-}
-
-variable "tags" {
-  description = "Tags applied to all resources"
-  type        = map(string)
-  default     = {}
-}

.tofu/platforms/aks/prod/main.tf

@@ -1,18 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  prefix              = "clst"
-  location            = "westeurope"
-  resource_group_name = "clst-prod-rg"
-
-  # AKS — general-purpose nodes for production
-  aks_node_vm_size = "Standard_D4s_v3"
-  aks_node_count   = 3
-
-  enable_delete_lock = true
-
-  tags = {
-    Environment = "prod"
-    ManagedBy   = "tofu"
-  }
-}

.tofu/platforms/aks/prod/outputs.tf

@@ -1,26 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_name" {
-  value = module.cluster.cluster_name
-}
-
-output "resource_group_name" {
-  value = module.cluster.resource_group_name
-}
-
-output "kubernetes_version" {
-  value = module.cluster.kubernetes_version
-}
-
-output "location" {
-  value = module.cluster.location
-}
-
-output "oidc_issuer_url" {
-  value = module.cluster.oidc_issuer_url
-}
-
-output "kubeconfig" {
-  value     = module.cluster.kubeconfig
-  sensitive = true
-}

.tofu/platforms/aks/prod/providers.tf

@@ -1,17 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = "~> 4.0"
-    }
-  }
-}
-
-provider "azurerm" {
-  features {}
-  # Credentials via environment variables:
-  #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
-  # Or: az login (uses your Azure CLI session)
-}

.tofu/platforms/aks/workload/main.tf

@@ -1,173 +0,0 @@
-# =============================================================================
-# Azure Workload Cluster
-# =============================================================================
-# A lean AKS cluster for running application workloads. No managed data
-# services — those live on the platform cluster. ArgoCD (on the platform
-# cluster) deploys apps to this cluster via the app-of-apps pattern.
-#
-# Platform components deployed by deploy-workload.sh:
-#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
-#
-# Usage:
-#   tofu init && tofu plan && tofu apply
-#   ./sync-tofu-outputs.sh --env azure-workload
-#   ./deploy-workload.sh --env azure-workload
-# =============================================================================
-
-variable "prefix" {
-  description = "Prefix for resource names (e.g., clst-workload)"
-  type        = string
-  default     = "clst-workload"
-}
-
-variable "location" {
-  description = "Azure region"
-  type        = string
-  default     = "norwayeast"
-}
-
-variable "resource_group_name" {
-  description = "Name of the Azure Resource Group to create"
-  type        = string
-  default     = "clst-workload-rg"
-}
-
-variable "vnet_address_space" {
-  description = "Address space for the virtual network"
-  type        = string
-  default     = "10.110.0.0/16"
-}
-
-variable "aks_subnet_cidr" {
-  description = "CIDR block for the AKS node subnet"
-  type        = string
-  default     = "10.110.0.0/22"
-}
-
-variable "aks_node_vm_size" {
-  description = "VM size for AKS worker nodes"
-  type        = string
-  default     = "Standard_B2s"
-}
-
-variable "aks_node_count" {
-  description = "Number of AKS worker nodes"
-  type        = number
-  default     = 2
-}
-
-variable "aks_kubernetes_version" {
-  description = "Kubernetes version for AKS (null = latest stable)"
-  type        = string
-  default     = null
-}
-
-variable "domain" {
-  description = "Public domain name — must have an existing Azure DNS zone"
-  type        = string
-}
-
-variable "dns_zone_resource_group" {
-  description = "Resource group containing the Azure DNS zone (defaults to cluster RG)"
-  type        = string
-  default     = ""
-}
-
-variable "tags" {
-  description = "Tags applied to all resources"
-  type        = map(string)
-  default = {
-    Environment = "workload"
-    ManagedBy   = "tofu"
-  }
-}
-
-# ─── Resource Group ───────────────────────────────────────────────────
-
-resource "azurerm_resource_group" "main" {
-  name     = var.resource_group_name
-  location = var.location
-  tags     = var.tags
-}
-
-# ─── Networking ───────────────────────────────────────────────────────
-
-resource "azurerm_virtual_network" "main" {
-  name                = "${var.prefix}-vnet"
-  resource_group_name = azurerm_resource_group.main.name
-  location            = azurerm_resource_group.main.location
-  address_space       = [var.vnet_address_space]
-  tags                = var.tags
-}
-
-resource "azurerm_subnet" "aks" {
-  name                 = "${var.prefix}-aks-subnet"
-  resource_group_name  = azurerm_resource_group.main.name
-  virtual_network_name = azurerm_virtual_network.main.name
-  address_prefixes     = [var.aks_subnet_cidr]
-}
-
-# ─── AKS Cluster ──────────────────────────────────────────────────────
-
-resource "azurerm_kubernetes_cluster" "main" {
-  name                = "${var.prefix}-aks"
-  resource_group_name = azurerm_resource_group.main.name
-  location            = azurerm_resource_group.main.location
-  dns_prefix          = replace(var.prefix, "-", "")
-  kubernetes_version  = var.aks_kubernetes_version
-  tags                = var.tags
-
-  default_node_pool {
-    name           = "system"
-    node_count     = var.aks_node_count
-    vm_size        = var.aks_node_vm_size
-    vnet_subnet_id = azurerm_subnet.aks.id
-    node_labels = {
-      prefix = var.prefix
-      role   = "worker"
-      env    = lookup(var.tags, "Environment", "workload")
-    }
-  }
-
-  identity {
-    type = "SystemAssigned"
-  }
-
-  network_profile {
-    network_plugin = "azure"
-    network_policy = "azure"
-  }
-
-  oidc_issuer_enabled       = true
-  workload_identity_enabled = true
-}
-
-# ─── External-DNS Workload Identity ──────────────────────────────────
-# Allows external-dns to manage Azure DNS records for app ingresses.
-
-data "azurerm_dns_zone" "main" {
-  name                = var.domain
-  resource_group_name = var.dns_zone_resource_group != "" ? var.dns_zone_resource_group : azurerm_resource_group.main.name
-}
-
-resource "azurerm_user_assigned_identity" "external_dns" {
-  name                = "${var.prefix}-external-dns-identity"
-  resource_group_name = azurerm_resource_group.main.name
-  location            = azurerm_resource_group.main.location
-  tags                = var.tags
-}
-
-resource "azurerm_role_assignment" "external_dns_dns_contributor" {
-  scope                = data.azurerm_dns_zone.main.id
-  role_definition_name = "DNS Zone Contributor"
-  principal_id         = azurerm_user_assigned_identity.external_dns.principal_id
-}
-
-resource "azurerm_federated_identity_credential" "external_dns" {
-  name                = "${var.prefix}-external-dns-fedcred"
-  resource_group_name = azurerm_resource_group.main.name
-  parent_id           = azurerm_user_assigned_identity.external_dns.id
-  audience            = ["api://AzureADTokenExchange"]
-  issuer              = azurerm_kubernetes_cluster.main.oidc_issuer_url
-  subject             = "system:serviceaccount:external-dns:external-dns"
-}

.tofu/platforms/aks/workload/outputs.tf

@@ -1,4 +0,0 @@
-output "cluster_name"                    { value = azurerm_kubernetes_cluster.main.name }
-output "resource_group_name"             { value = azurerm_resource_group.main.name }
-output "location"                        { value = azurerm_resource_group.main.location }
-output "external_dns_identity_client_id" { value = azurerm_user_assigned_identity.external_dns.client_id }

.tofu/platforms/aks/workload/providers.tf

@@ -1,21 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = "~> 4.0"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
-    }
-  }
-}
-
-provider "azurerm" {
-  features {}
-  # Credentials via environment variables:
-  #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
-  # Or: az login (uses your Azure CLI session)
-}

.tofu/platforms/eks/dev/main.tf

@@ -1,21 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  region = var.region
-  prefix = "clst-dev"
-
-  # VPC
-  availability_zones = ["${var.region}a", "${var.region}b"]
-
-  # EKS — small dev nodes
-  node_instance_type = "t3.medium"
-  node_count         = 2
-  node_min_count     = 1
-  node_max_count     = 4
-  kubernetes_version = "1.30"
-
-  tags = {
-    Environment = "dev"
-    ManagedBy   = "tofu"
-  }
-}

.tofu/platforms/eks/dev/outputs.tf

@@ -1,5 +0,0 @@
-output "cluster_name"    { value = module.cluster.cluster_name }
-output "aws_region"      { value = module.cluster.aws_region }
-output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
-output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
-output "vpc_id"          { value = module.cluster.vpc_id }

.tofu/platforms/eks/dev/providers.tf

@@ -1,24 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
-    }
-    tls = {
-      source  = "hashicorp/tls"
-      version = "~> 4.0"
-    }
-  }
-}
-
-# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
-# or configure an AWS profile: export AWS_PROFILE=clst
-provider "aws" {
-  region = var.region
-}
-
-variable "region" {
-  description = "AWS region for dev environment"
-  type        = string
-  default     = "eu-west-1"
-}

.tofu/platforms/eks/modules/cluster/main.tf

@@ -1,207 +0,0 @@
-# ─── VPC ──────────────────────────────────────────────────────────────
-
-resource "aws_vpc" "main" {
-  cidr_block           = var.vpc_cidr
-  enable_dns_hostnames = true
-  enable_dns_support   = true
-
-  tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
-}
-
-resource "aws_internet_gateway" "main" {
-  vpc_id = aws_vpc.main.id
-  tags   = merge(var.tags, { Name = "${var.prefix}-igw" })
-}
-
-# Public subnets (one per AZ) — for NAT gateways and load balancers
-resource "aws_subnet" "public" {
-  count             = length(var.availability_zones)
-  vpc_id            = aws_vpc.main.id
-  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index)
-  availability_zone = var.availability_zones[count.index]
-
-  map_public_ip_on_launch = true
-
-  tags = merge(var.tags, {
-    Name                                        = "${var.prefix}-public-${count.index + 1}"
-    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
-    "kubernetes.io/role/elb"                    = "1"
-  })
-}
-
-# Private subnets (one per AZ) — for EKS nodes
-resource "aws_subnet" "private" {
-  count             = length(var.availability_zones)
-  vpc_id            = aws_vpc.main.id
-  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
-  availability_zone = var.availability_zones[count.index]
-
-  tags = merge(var.tags, {
-    Name                                        = "${var.prefix}-private-${count.index + 1}"
-    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
-    "kubernetes.io/role/internal-elb"           = "1"
-  })
-}
-
-# NAT Gateway (single, in first public subnet — use one per AZ for prod HA)
-resource "aws_eip" "nat" {
-  domain = "vpc"
-  tags   = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
-}
-
-resource "aws_nat_gateway" "main" {
-  allocation_id = aws_eip.nat.id
-  subnet_id     = aws_subnet.public[0].id
-  tags          = merge(var.tags, { Name = "${var.prefix}-nat" })
-
-  depends_on = [aws_internet_gateway.main]
-}
-
-resource "aws_route_table" "public" {
-  vpc_id = aws_vpc.main.id
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.main.id
-  }
-
-  tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
-}
-
-resource "aws_route_table_association" "public" {
-  count          = length(var.availability_zones)
-  subnet_id      = aws_subnet.public[count.index].id
-  route_table_id = aws_route_table.public.id
-}
-
-resource "aws_route_table" "private" {
-  vpc_id = aws_vpc.main.id
-
-  route {
-    cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = aws_nat_gateway.main.id
-  }
-
-  tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
-}
-
-resource "aws_route_table_association" "private" {
-  count          = length(var.availability_zones)
-  subnet_id      = aws_subnet.private[count.index].id
-  route_table_id = aws_route_table.private.id
-}
-
-# ─── EKS Cluster ──────────────────────────────────────────────────────
-
-resource "aws_iam_role" "eks_cluster" {
-  name_prefix = "${var.prefix}-eks-cluster-"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [{
-      Action    = "sts:AssumeRole"
-      Effect    = "Allow"
-      Principal = { Service = "eks.amazonaws.com" }
-    }]
-  })
-
-  tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
-  role       = aws_iam_role.eks_cluster.name
-}
-
-resource "aws_eks_cluster" "main" {
-  name     = "${var.prefix}-eks"
-  role_arn = aws_iam_role.eks_cluster.arn
-  version  = var.kubernetes_version
-
-  vpc_config {
-    subnet_ids              = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
-    endpoint_private_access = true
-    endpoint_public_access  = true
-  }
-
-  # Enable OIDC issuer for IRSA (IAM Roles for Service Accounts)
-  access_config {
-    authentication_mode = "API_AND_CONFIG_MAP"
-  }
-
-  tags = var.tags
-
-  depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
-}
-
-# OIDC provider — required for IRSA (IAM Roles for Service Accounts)
-data "tls_certificate" "eks" {
-  url = aws_eks_cluster.main.identity[0].oidc[0].issuer
-}
-
-resource "aws_iam_openid_connect_provider" "eks" {
-  client_id_list  = ["sts.amazonaws.com"]
-  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
-  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
-
-  tags = var.tags
-}
-
-# EKS Node Group
-
-resource "aws_iam_role" "eks_nodes" {
-  name_prefix = "${var.prefix}-eks-nodes-"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [{
-      Action    = "sts:AssumeRole"
-      Effect    = "Allow"
-      Principal = { Service = "ec2.amazonaws.com" }
-    }]
-  })
-
-  tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
-  role       = aws_iam_role.eks_nodes.name
-}
-
-resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
-  role       = aws_iam_role.eks_nodes.name
-}
-
-resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  role       = aws_iam_role.eks_nodes.name
-}
-
-resource "aws_eks_node_group" "main" {
-  cluster_name    = aws_eks_cluster.main.name
-  node_group_name = "${var.prefix}-nodes"
-  node_role_arn   = aws_iam_role.eks_nodes.arn
-  subnet_ids      = aws_subnet.private[*].id
-
-  instance_types = [var.node_instance_type]
-
-  scaling_config {
-    desired_size = var.node_count
-    max_size     = var.node_max_count
-    min_size     = var.node_min_count
-  }
-
-  update_config {
-    max_unavailable = 1
-  }
-
-  tags = var.tags
-
-  depends_on = [
-    aws_iam_role_policy_attachment.eks_worker_node_policy,
-    aws_iam_role_policy_attachment.eks_cni_policy,
-    aws_iam_role_policy_attachment.eks_ecr_readonly,
-  ]
-}

.tofu/platforms/eks/modules/cluster/outputs.tf

@@ -1,26 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_name" {
-  description = "EKS cluster name"
-  value       = aws_eks_cluster.main.name
-}
-
-output "aws_region" {
-  description = "AWS region"
-  value       = var.region
-}
-
-output "oidc_issuer_url" {
-  description = "EKS OIDC issuer URL (for IRSA)"
-  value       = aws_eks_cluster.main.identity[0].oidc[0].issuer
-}
-
-output "oidc_provider_arn" {
-  description = "IAM OIDC provider ARN (for IRSA trust policies)"
-  value       = aws_iam_openid_connect_provider.eks.arn
-}
-
-output "vpc_id" {
-  description = "VPC ID"
-  value       = aws_vpc.main.id
-}

.tofu/platforms/eks/modules/cluster/providers.tf

@@ -1,12 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
-    }
-    tls = {
-      source  = "hashicorp/tls"
-      version = "~> 4.0"
-    }
-  }
-}

.tofu/platforms/eks/modules/cluster/variables.tf

@@ -1,61 +0,0 @@
-# ─── Region ──────────────────────────────────────────────────────────
-
-variable "region" {
-  description = "AWS region (e.g., eu-west-1, us-east-1)"
-  type        = string
-}
-
-variable "prefix" {
-  description = "Prefix for resource names (e.g., clst-dev)"
-  type        = string
-}
-
-# ─── Networking ───────────────────────────────────────────────────────
-
-variable "vpc_cidr" {
-  description = "VPC CIDR block"
-  type        = string
-  default     = "10.100.0.0/16"
-}
-
-variable "availability_zones" {
-  description = "List of AZs for subnets (2–3 recommended)"
-  type        = list(string)
-}
-
-# ─── EKS Cluster ─────────────────────────────────────────────────────
-
-variable "node_instance_type" {
-  description = "EKS node instance type (e.g., t3.medium, m5.xlarge)"
-  type        = string
-}
-
-variable "node_count" {
-  description = "Desired number of EKS worker nodes"
-  type        = number
-}
-
-variable "node_min_count" {
-  description = "Minimum number of EKS worker nodes"
-  type        = number
-  default     = 1
-}
-
-variable "node_max_count" {
-  description = "Maximum number of EKS worker nodes"
-  type        = number
-}
-
-variable "kubernetes_version" {
-  description = "Kubernetes version for EKS (e.g., \"1.30\")"
-  type        = string
-  default     = "1.30"
-}
-
-# ─── Tags ─────────────────────────────────────────────────────────────
-
-variable "tags" {
-  description = "Tags applied to all resources"
-  type        = map(string)
-  default     = {}
-}

.tofu/platforms/eks/prod/main.tf

@@ -1,21 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  region = var.region
-  prefix = "clst"
-
-  # VPC
-  availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
-
-  # EKS — general-purpose nodes for production
-  node_instance_type = "m5.xlarge"
-  node_count         = 3
-  node_min_count     = 3
-  node_max_count     = 6
-  kubernetes_version = "1.30"
-
-  tags = {
-    Environment = "prod"
-    ManagedBy   = "tofu"
-  }
-}

.tofu/platforms/eks/prod/outputs.tf

@@ -1,5 +0,0 @@
-output "cluster_name"    { value = module.cluster.cluster_name }
-output "aws_region"      { value = module.cluster.aws_region }
-output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
-output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
-output "vpc_id"          { value = module.cluster.vpc_id }

.tofu/platforms/eks/prod/providers.tf

@@ -1,22 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
-    }
-    tls = {
-      source  = "hashicorp/tls"
-      version = "~> 4.0"
-    }
-  }
-}
-
-provider "aws" {
-  region = var.region
-}
-
-variable "region" {
-  description = "AWS region for prod environment"
-  type        = string
-  default     = "eu-west-1"
-}

.tofu/platforms/eks/workload/main.tf

@@ -1,339 +0,0 @@
-# =============================================================================
-# AWS Workload Cluster
-# =============================================================================
-# A lean EKS cluster for running application workloads. No managed data
-# services — those live on the platform cluster. ArgoCD (on the platform
-# cluster) deploys apps to this cluster via the app-of-apps pattern.
-#
-# Platform components deployed by deploy-workload.sh:
-#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
-#
-# Usage:
-#   tofu init && tofu plan && tofu apply
-#   ./sync-tofu-outputs.sh --env aws-workload
-#   ./deploy-workload.sh --env aws-workload
-# =============================================================================
-
-variable "prefix" {
-  description = "Prefix for resource names (e.g., clst-workload)"
-  type        = string
-  default     = "clst-workload"
-}
-
-variable "availability_zones" {
-  description = "List of AZs for subnets"
-  type        = list(string)
-  default     = ["eu-west-1a", "eu-west-1b"]
-}
-
-variable "vpc_cidr" {
-  description = "VPC CIDR block"
-  type        = string
-  default     = "10.110.0.0/16"
-}
-
-variable "node_instance_type" {
-  description = "EKS node instance type"
-  type        = string
-  default     = "t3.medium"
-}
-
-variable "node_count" {
-  description = "Desired number of EKS worker nodes"
-  type        = number
-  default     = 2
-}
-
-variable "node_min_count" {
-  description = "Minimum number of EKS worker nodes"
-  type        = number
-  default     = 1
-}
-
-variable "node_max_count" {
-  description = "Maximum number of EKS worker nodes"
-  type        = number
-  default     = 4
-}
-
-variable "kubernetes_version" {
-  description = "Kubernetes version for EKS"
-  type        = string
-  default     = "1.30"
-}
-
-variable "domain" {
-  description = "Public domain name — must have an existing Route53 hosted zone"
-  type        = string
-}
-
-variable "tags" {
-  description = "Tags applied to all resources"
-  type        = map(string)
-  default = {
-    Environment = "workload"
-    ManagedBy   = "tofu"
-  }
-}
-
-# ─── VPC ──────────────────────────────────────────────────────────────
-
-resource "aws_vpc" "main" {
-  cidr_block           = var.vpc_cidr
-  enable_dns_hostnames = true
-  enable_dns_support   = true
-
-  tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
-}
-
-resource "aws_internet_gateway" "main" {
-  vpc_id = aws_vpc.main.id
-  tags   = merge(var.tags, { Name = "${var.prefix}-igw" })
-}
-
-resource "aws_subnet" "public" {
-  count             = length(var.availability_zones)
-  vpc_id            = aws_vpc.main.id
-  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index)
-  availability_zone = var.availability_zones[count.index]
-
-  map_public_ip_on_launch = true
-
-  tags = merge(var.tags, {
-    Name                                        = "${var.prefix}-public-${count.index + 1}"
-    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
-    "kubernetes.io/role/elb"                    = "1"
-  })
-}
-
-resource "aws_subnet" "private" {
-  count             = length(var.availability_zones)
-  vpc_id            = aws_vpc.main.id
-  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
-  availability_zone = var.availability_zones[count.index]
-
-  tags = merge(var.tags, {
-    Name                                        = "${var.prefix}-private-${count.index + 1}"
-    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
-    "kubernetes.io/role/internal-elb"           = "1"
-  })
-}
-
-resource "aws_eip" "nat" {
-  domain = "vpc"
-  tags   = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
-}
-
-resource "aws_nat_gateway" "main" {
-  allocation_id = aws_eip.nat.id
-  subnet_id     = aws_subnet.public[0].id
-  tags          = merge(var.tags, { Name = "${var.prefix}-nat" })
-
-  depends_on = [aws_internet_gateway.main]
-}
-
-resource "aws_route_table" "public" {
-  vpc_id = aws_vpc.main.id
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.main.id
-  }
-
-  tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
-}
-
-resource "aws_route_table_association" "public" {
-  count          = length(var.availability_zones)
-  subnet_id      = aws_subnet.public[count.index].id
-  route_table_id = aws_route_table.public.id
-}
-
-resource "aws_route_table" "private" {
-  vpc_id = aws_vpc.main.id
-
-  route {
-    cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = aws_nat_gateway.main.id
-  }
-
-  tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
-}
-
-resource "aws_route_table_association" "private" {
-  count          = length(var.availability_zones)
-  subnet_id      = aws_subnet.private[count.index].id
-  route_table_id = aws_route_table.private.id
-}
-
-# ─── EKS Cluster ──────────────────────────────────────────────────────
-
-resource "aws_iam_role" "eks_cluster" {
-  name_prefix = "${var.prefix}-eks-cluster-"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [{
-      Action    = "sts:AssumeRole"
-      Effect    = "Allow"
-      Principal = { Service = "eks.amazonaws.com" }
-    }]
-  })
-
-  tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
-  role       = aws_iam_role.eks_cluster.name
-}
-
-resource "aws_eks_cluster" "main" {
-  name     = "${var.prefix}-eks"
-  role_arn = aws_iam_role.eks_cluster.arn
-  version  = var.kubernetes_version
-
-  vpc_config {
-    subnet_ids              = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
-    endpoint_private_access = true
-    endpoint_public_access  = true
-  }
-
-  access_config {
-    authentication_mode = "API_AND_CONFIG_MAP"
-  }
-
-  tags = var.tags
-
-  depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
-}
-
-# OIDC provider — required for IRSA
-data "tls_certificate" "eks" {
-  url = aws_eks_cluster.main.identity[0].oidc[0].issuer
-}
-
-resource "aws_iam_openid_connect_provider" "eks" {
-  client_id_list  = ["sts.amazonaws.com"]
-  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
-  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
-
-  tags = var.tags
-}
-
-resource "aws_iam_role" "eks_nodes" {
-  name_prefix = "${var.prefix}-eks-nodes-"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [{
-      Action    = "sts:AssumeRole"
-      Effect    = "Allow"
-      Principal = { Service = "ec2.amazonaws.com" }
-    }]
-  })
-
-  tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
-  role       = aws_iam_role.eks_nodes.name
-}
-
-resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
-  role       = aws_iam_role.eks_nodes.name
-}
-
-resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  role       = aws_iam_role.eks_nodes.name
-}
-
-resource "aws_eks_node_group" "main" {
-  cluster_name    = aws_eks_cluster.main.name
-  node_group_name = "${var.prefix}-nodes"
-  node_role_arn   = aws_iam_role.eks_nodes.arn
-  subnet_ids      = aws_subnet.private[*].id
-
-  instance_types = [var.node_instance_type]
-
-  scaling_config {
-    desired_size = var.node_count
-    max_size     = var.node_max_count
-    min_size     = var.node_min_count
-  }
-
-  update_config {
-    max_unavailable = 1
-  }
-
-  tags = var.tags
-
-  depends_on = [
-    aws_iam_role_policy_attachment.eks_worker_node_policy,
-    aws_iam_role_policy_attachment.eks_cni_policy,
-    aws_iam_role_policy_attachment.eks_ecr_readonly,
-  ]
-}
-
-# ─── External-DNS IRSA ───────────────────────────────────────────────
-# Allows external-dns to manage Route53 records for app ingresses.
-
-data "aws_route53_zone" "main" {
-  name         = var.domain
-  private_zone = false
-}
-
-data "aws_iam_policy_document" "external_dns_assume_role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Federated"
-      identifiers = [aws_iam_openid_connect_provider.eks.arn]
-    }
-
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
-      values   = ["system:serviceaccount:external-dns:external-dns"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
-      values   = ["sts.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "external_dns_irsa" {
-  name_prefix        = "${var.prefix}-external-dns-irsa-"
-  assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
-
-  tags = var.tags
-}
-
-data "aws_iam_policy_document" "external_dns_route53" {
-  statement {
-    effect    = "Allow"
-    actions   = ["route53:ChangeResourceRecordSets"]
-    resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
-  }
-
-  statement {
-    effect  = "Allow"
-    actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role_policy" "external_dns_route53" {
-  name_prefix = "${var.prefix}-external-dns-route53-"
-  role        = aws_iam_role.external_dns_irsa.id
-  policy      = data.aws_iam_policy_document.external_dns_route53.json
-}

.tofu/platforms/eks/workload/outputs.tf

@@ -1,3 +0,0 @@
-output "cluster_name"              { value = aws_eks_cluster.main.name }
-output "aws_region"                { value = var.region }
-output "external_dns_irsa_role_arn" { value = aws_iam_role.external_dns_irsa.arn }

.tofu/platforms/eks/workload/providers.tf

@@ -1,24 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
-    }
-    tls = {
-      source  = "hashicorp/tls"
-      version = "~> 4.0"
-    }
-  }
-}
-
-# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
-# or configure an AWS profile: export AWS_PROFILE=clst
-provider "aws" {
-  region = var.region
-}
-
-variable "region" {
-  description = "AWS region for the workload environment"
-  type        = string
-  default     = "eu-west-1"
-}

.tofu/platforms/gke/dev/main.tf

@@ -1,17 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  project_id = var.project_id
-  region     = var.region
-  prefix     = "clst-dev"
-
-  # GKE — small dev nodes
-  node_machine_type   = "e2-standard-2"
-  node_count          = 2
-  deletion_protection = false
-
-  labels = {
-    environment = "dev"
-    managed-by  = "tofu"
-  }
-}

.tofu/platforms/gke/dev/outputs.tf

@@ -1,3 +0,0 @@
-output "cluster_name" { value = module.cluster.cluster_name }
-output "project_id"   { value = module.cluster.project_id }
-output "region"       { value = module.cluster.region }

.tofu/platforms/gke/dev/providers.tf

@@ -1,26 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "~> 6.0"
-    }
-  }
-}
-
-# Authentication: use Application Default Credentials (gcloud auth application-default login)
-# or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
-provider "google" {
-  project = var.project_id
-  region  = var.region
-}
-
-variable "project_id" {
-  description = "GCP project ID for the dev environment"
-  type        = string
-}
-
-variable "region" {
-  description = "GCP region"
-  type        = string
-  default     = "europe-west4"
-}

.tofu/platforms/gke/modules/cluster/main.tf

@@ -1,115 +0,0 @@
-# ─── Required APIs ────────────────────────────────────────────────────
-
-resource "google_project_service" "compute" {
-  project            = var.project_id
-  service            = "compute.googleapis.com"
-  disable_on_destroy = false
-}
-
-resource "google_project_service" "container" {
-  project            = var.project_id
-  service            = "container.googleapis.com"
-  disable_on_destroy = false
-}
-
-# ─── Networking ───────────────────────────────────────────────────────
-
-resource "google_compute_network" "main" {
-  project                 = var.project_id
-  name                    = "${var.prefix}-vpc"
-  auto_create_subnetworks = false
-
-  depends_on = [google_project_service.compute]
-}
-
-resource "google_compute_subnetwork" "main" {
-  project       = var.project_id
-  name          = "${var.prefix}-subnet"
-  ip_cidr_range = "10.100.0.0/22"
-  region        = var.region
-  network       = google_compute_network.main.id
-
-  # Secondary ranges required for GKE VPC-native cluster
-  secondary_ip_range {
-    range_name    = "pods"
-    ip_cidr_range = "10.200.0.0/14" # /14 = ~262k pod IPs
-  }
-
-  secondary_ip_range {
-    range_name    = "services"
-    ip_cidr_range = "10.204.0.0/20" # /20 = ~4k service IPs
-  }
-}
-
-# ─── GKE Cluster ──────────────────────────────────────────────────────
-#
-# Regional cluster (3 control-plane replicas) for HA.
-# Workload Identity enabled — allows K8s service accounts to impersonate
-# Google Service Accounts for keyless access to GCP services.
-
-resource "google_container_cluster" "main" {
-  project  = var.project_id
-  name     = "${var.prefix}-gke"
-  location = var.region # regional cluster
-
-  network    = google_compute_network.main.id
-  subnetwork = google_compute_subnetwork.main.id
-
-  # VPC-native cluster with alias IP ranges
-  ip_allocation_policy {
-    cluster_secondary_range_name  = "pods"
-    services_secondary_range_name = "services"
-  }
-
-  # Workload Identity pool — enables OIDC token projection for pods
-  workload_identity_config {
-    workload_pool = "${var.project_id}.svc.id.goog"
-  }
-
-  # Remove default node pool — we manage our own below
-  remove_default_node_pool = true
-  initial_node_count       = 1
-
-  deletion_protection = var.deletion_protection
-
-  dynamic "release_channel" {
-    for_each = var.kubernetes_version == null ? [1] : []
-    content {
-      channel = "STABLE"
-    }
-  }
-
-  resource_labels = var.labels
-
-  depends_on = [google_project_service.container]
-}
-
-resource "google_container_node_pool" "main" {
-  project    = var.project_id
-  name       = "${var.prefix}-nodes"
-  location   = var.region
-  cluster    = google_container_cluster.main.name
-  node_count = var.node_count
-
-  node_config {
-    machine_type = var.node_machine_type
-
-    # GKE_METADATA mode is required for Workload Identity
-    workload_metadata_config {
-      mode = "GKE_METADATA"
-    }
-
-    oauth_scopes = [
-      "https://www.googleapis.com/auth/cloud-platform",
-    ]
-
-    labels = merge(var.labels, {
-      role = "worker"
-    })
-  }
-
-  management {
-    auto_repair  = true
-    auto_upgrade = true
-  }
-}

.tofu/platforms/gke/modules/cluster/outputs.tf

@@ -1,16 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_name" {
-  description = "GKE cluster name"
-  value       = google_container_cluster.main.name
-}
-
-output "project_id" {
-  description = "GCP project ID"
-  value       = var.project_id
-}
-
-output "region" {
-  description = "GCP region"
-  value       = var.region
-}

.tofu/platforms/gke/modules/cluster/providers.tf

@@ -1,8 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "~> 6.0"
-    }
-  }
-}

.tofu/platforms/gke/modules/cluster/variables.tf

@@ -1,48 +0,0 @@
-# ─── Project / Region ────────────────────────────────────────────────
-
-variable "project_id" {
-  description = "GCP project ID"
-  type        = string
-}
-
-variable "region" {
-  description = "GCP region (e.g., europe-west4, europe-west1)"
-  type        = string
-}
-
-variable "prefix" {
-  description = "Prefix for resource names (e.g., clst-dev)"
-  type        = string
-}
-
-# ─── GKE Cluster ─────────────────────────────────────────────────────
-
-variable "node_machine_type" {
-  description = "GKE node machine type (e.g., e2-standard-2, e2-standard-4)"
-  type        = string
-}
-
-variable "node_count" {
-  description = "Number of nodes per zone (regional cluster spawns nodes in each zone)"
-  type        = number
-}
-
-variable "kubernetes_version" {
-  description = "GKE Kubernetes version channel (null = STABLE release channel)"
-  type        = string
-  default     = null
-}
-
-variable "deletion_protection" {
-  description = "Prevent cluster deletion (set true for production)"
-  type        = bool
-  default     = false
-}
-
-# ─── Labels ──────────────────────────────────────────────────────────
-
-variable "labels" {
-  description = "Labels applied to all resources"
-  type        = map(string)
-  default     = {}
-}

.tofu/platforms/gke/prod/main.tf

@@ -1,17 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  project_id = var.project_id
-  region     = var.region
-  prefix     = "clst"
-
-  # GKE — general-purpose nodes for production
-  node_machine_type   = "e2-standard-4"
-  node_count          = 3
-  deletion_protection = true
-
-  labels = {
-    environment = "prod"
-    managed-by  = "tofu"
-  }
-}

.tofu/platforms/gke/prod/outputs.tf

@@ -1,3 +0,0 @@
-output "cluster_name" { value = module.cluster.cluster_name }
-output "project_id"   { value = module.cluster.project_id }
-output "region"       { value = module.cluster.region }

.tofu/platforms/gke/prod/providers.tf

@@ -1,24 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "~> 6.0"
-    }
-  }
-}
-
-provider "google" {
-  project = var.project_id
-  region  = var.region
-}
-
-variable "project_id" {
-  description = "GCP project ID for the prod environment"
-  type        = string
-}
-
-variable "region" {
-  description = "GCP region"
-  type        = string
-  default     = "europe-west1"
-}

.tofu/platforms/gke/workload/main.tf

@@ -1,194 +0,0 @@
-# =============================================================================
-# GCP Workload Cluster
-# =============================================================================
-# A lean GKE cluster for running application workloads. No managed data
-# services — those live on the platform cluster. ArgoCD (on the platform
-# cluster) deploys apps to this cluster via the app-of-apps pattern.
-#
-# Platform components deployed by deploy-workload.sh:
-#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
-#
-# Usage:
-#   tofu init && tofu plan && tofu apply
-#   ./sync-tofu-outputs.sh --env gcp-workload
-#   ./deploy-workload.sh --env gcp-workload
-# =============================================================================
-
-variable "prefix" {
-  description = "Prefix for resource names (e.g., clst-workload)"
-  type        = string
-  default     = "clst-workload"
-}
-
-variable "node_machine_type" {
-  description = "GKE node machine type"
-  type        = string
-  default     = "e2-standard-2"
-}
-
-variable "node_count" {
-  description = "Number of nodes per zone"
-  type        = number
-  default     = 1
-}
-
-variable "kubernetes_version" {
-  description = "GKE Kubernetes version (null = STABLE release channel)"
-  type        = string
-  default     = null
-}
-
-variable "deletion_protection" {
-  description = "Prevent cluster deletion"
-  type        = bool
-  default     = false
-}
-
-variable "labels" {
-  description = "Labels applied to all resources"
-  type        = map(string)
-  default = {
-    environment = "workload"
-    managed-by  = "tofu"
-  }
-}
-
-# ─── Required APIs ────────────────────────────────────────────────────
-
-resource "google_project_service" "compute" {
-  project            = var.project_id
-  service            = "compute.googleapis.com"
-  disable_on_destroy = false
-}
-
-resource "google_project_service" "container" {
-  project            = var.project_id
-  service            = "container.googleapis.com"
-  disable_on_destroy = false
-}
-
-resource "google_project_service" "iam" {
-  project            = var.project_id
-  service            = "iam.googleapis.com"
-  disable_on_destroy = false
-}
-
-resource "google_project_service" "dns" {
-  project            = var.project_id
-  service            = "dns.googleapis.com"
-  disable_on_destroy = false
-}
-
-# ─── Networking ───────────────────────────────────────────────────────
-
-resource "google_compute_network" "main" {
-  project                 = var.project_id
-  name                    = "${var.prefix}-vpc"
-  auto_create_subnetworks = false
-
-  depends_on = [google_project_service.compute]
-}
-
-resource "google_compute_subnetwork" "main" {
-  project       = var.project_id
-  name          = "${var.prefix}-subnet"
-  ip_cidr_range = "10.110.0.0/22"
-  region        = var.region
-  network       = google_compute_network.main.id
-
-  secondary_ip_range {
-    range_name    = "pods"
-    ip_cidr_range = "10.210.0.0/14"
-  }
-
-  secondary_ip_range {
-    range_name    = "services"
-    ip_cidr_range = "10.214.0.0/20"
-  }
-}
-
-# ─── GKE Cluster ──────────────────────────────────────────────────────
-
-resource "google_container_cluster" "main" {
-  project  = var.project_id
-  name     = "${var.prefix}-gke"
-  location = var.region
-
-  network    = google_compute_network.main.id
-  subnetwork = google_compute_subnetwork.main.id
-
-  ip_allocation_policy {
-    cluster_secondary_range_name  = "pods"
-    services_secondary_range_name = "services"
-  }
-
-  workload_identity_config {
-    workload_pool = "${var.project_id}.svc.id.goog"
-  }
-
-  remove_default_node_pool = true
-  initial_node_count       = 1
-
-  deletion_protection = var.deletion_protection
-
-  dynamic "release_channel" {
-    for_each = var.kubernetes_version == null ? [1] : []
-    content {
-      channel = "STABLE"
-    }
-  }
-
-  resource_labels = var.labels
-
-  depends_on = [google_project_service.container]
-}
-
-resource "google_container_node_pool" "main" {
-  project    = var.project_id
-  name       = "${var.prefix}-nodes"
-  location   = var.region
-  cluster    = google_container_cluster.main.name
-  node_count = var.node_count
-
-  node_config {
-    machine_type = var.node_machine_type
-
-    workload_metadata_config {
-      mode = "GKE_METADATA"
-    }
-
-    oauth_scopes = [
-      "https://www.googleapis.com/auth/cloud-platform",
-    ]
-
-    labels = merge(var.labels, { role = "worker" })
-  }
-
-  management {
-    auto_repair  = true
-    auto_upgrade = true
-  }
-}
-
-# ─── External-DNS Workload Identity ──────────────────────────────────
-# Allows external-dns to manage Cloud DNS records for app ingresses.
-
-resource "google_service_account" "external_dns" {
-  project      = var.project_id
-  account_id   = "${var.prefix}-external-dns"
-  display_name = "External-DNS Service Account (Workload Identity)"
-
-  depends_on = [google_project_service.iam]
-}
-
-resource "google_project_iam_member" "external_dns_dns_admin" {
-  project = var.project_id
-  role    = "roles/dns.admin"
-  member  = "serviceAccount:${google_service_account.external_dns.email}"
-}
-
-resource "google_service_account_iam_member" "external_dns_workload_identity" {
-  service_account_id = google_service_account.external_dns.name
-  role               = "roles/iam.workloadIdentityUser"
-  member             = "serviceAccount:${var.project_id}.svc.id.goog[external-dns/external-dns]"
-}

.tofu/platforms/gke/workload/outputs.tf

@@ -1,4 +0,0 @@
-output "cluster_name"           { value = google_container_cluster.main.name }
-output "project_id"             { value = var.project_id }
-output "region"                 { value = var.region }
-output "external_dns_gsa_email" { value = google_service_account.external_dns.email }

.tofu/platforms/gke/workload/providers.tf

@@ -1,26 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "~> 6.0"
-    }
-  }
-}
-
-# Authentication: use Application Default Credentials (gcloud auth application-default login)
-# or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
-provider "google" {
-  project = var.project_id
-  region  = var.region
-}
-
-variable "project_id" {
-  description = "GCP project ID for the workload environment"
-  type        = string
-}
-
-variable "region" {
-  description = "GCP region"
-  type        = string
-  default     = "europe-west4"
-}

.tofu/platforms/upc/dev/main.tf

@@ -1,14 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  prefix       = "clst-dev"
-  zone         = "no-svg1"
-  node_plan    = "DEV-1xCPU-2GB"
-  node_count   = 2
-  network_cidr = "10.100.0.0/24"
-
-  tags = {
-    Environment = "dev"
-    ManagedBy   = "tofu"
-  }
-}

.tofu/platforms/upc/dev/outputs.tf

@@ -1,13 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_id" {
-  value = module.cluster.cluster_id
-}
-
-output "cluster_name" {
-  value = module.cluster.cluster_name
-}
-
-output "zone" {
-  value = module.cluster.zone
-}

.tofu/platforms/upc/dev/providers.tf

@@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    upcloud = {
-      source  = "UpCloudLtd/upcloud"
-      version = "~> 5.0"
-    }
-  }
-}
-
-provider "upcloud" {
-  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
-}

.tofu/platforms/upc/modules/cluster/main.tf

@@ -1,56 +0,0 @@
-# Router for the private network
-resource "upcloud_router" "kubernetes" {
-  name = "${var.prefix}-${var.cluster_name}-router"
-}
-
-# Gateway for internet connectivity
-resource "upcloud_gateway" "kubernetes" {
-  name     = "${var.prefix}-${var.cluster_name}-gateway"
-  zone     = var.zone
-  features = ["nat"]
-  router {
-    id = upcloud_router.kubernetes.id
-  }
-}
-
-# Private network for the Kubernetes cluster
-resource "upcloud_network" "kubernetes" {
-  name   = "${var.prefix}-${var.cluster_name}-network"
-  zone   = var.zone
-  router = upcloud_router.kubernetes.id
-
-  ip_network {
-    address            = var.network_cidr
-    dhcp               = true
-    dhcp_default_route = true
-    family             = "IPv4"
-    gateway            = cidrhost(var.network_cidr, 1)
-  }
-
-  depends_on = [upcloud_gateway.kubernetes]
-}
-
-# Kubernetes cluster
-resource "upcloud_kubernetes_cluster" "main" {
-  name                    = "${var.prefix}-${var.cluster_name}"
-  zone                    = var.zone
-  network                 = upcloud_network.kubernetes.id
-  control_plane_ip_filter = var.control_plane_ip_filter
-
-  private_node_groups = true
-}
-
-# Node group for worker nodes
-resource "upcloud_kubernetes_node_group" "workers" {
-  cluster       = upcloud_kubernetes_cluster.main.id
-  name          = "${var.prefix}-${var.cluster_name}-workers"
-  node_count    = var.node_count
-  plan          = var.node_plan
-  anti_affinity = var.node_count > 1
-  labels = {
-    prefix  = var.prefix
-    cluster = var.cluster_name
-    role    = "worker"
-    env     = lookup(var.tags, "Environment", "dev")
-  }
-}

.tofu/platforms/upc/modules/cluster/outputs.tf

@@ -1,31 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_id" {
-  description = "The ID of the Kubernetes cluster"
-  value       = upcloud_kubernetes_cluster.main.id
-}
-
-output "cluster_name" {
-  description = "The name of the Kubernetes cluster"
-  value       = upcloud_kubernetes_cluster.main.name
-}
-
-output "network_id" {
-  description = "The ID of the private network"
-  value       = upcloud_network.kubernetes.id
-}
-
-output "network_cidr" {
-  description = "The CIDR block of the private network"
-  value       = var.network_cidr
-}
-
-output "kubernetes_version" {
-  description = "The Kubernetes version of the cluster"
-  value       = upcloud_kubernetes_cluster.main.version
-}
-
-output "zone" {
-  description = "The zone where the cluster is deployed"
-  value       = var.zone
-}

.tofu/platforms/upc/modules/cluster/providers.tf

@@ -1,8 +0,0 @@
-terraform {
-  required_providers {
-    upcloud = {
-      source  = "UpCloudLtd/upcloud"
-      version = "~> 5.0"
-    }
-  }
-}

.tofu/platforms/upc/modules/cluster/variables.tf

@@ -1,44 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-variable "prefix" {
-  description = "Prefix for resource names"
-  type        = string
-}
-
-variable "cluster_name" {
-  description = "Name of the Kubernetes cluster"
-  type        = string
-  default     = "main"
-}
-
-variable "zone" {
-  description = "UpCloud zone"
-  type        = string
-}
-
-variable "node_plan" {
-  description = "UpCloud server plan for worker nodes"
-  type        = string
-}
-
-variable "node_count" {
-  description = "Number of worker nodes"
-  type        = number
-}
-
-variable "network_cidr" {
-  description = "CIDR block for the private network"
-  type        = string
-  default     = "10.100.0.0/24"
-}
-
-variable "control_plane_ip_filter" {
-  description = "CIDRs allowed to access the K8s API"
-  type        = list(string)
-  default     = ["0.0.0.0/0"]
-}
-
-variable "tags" {
-  description = "Labels to apply to resources"
-  type        = map(string)
-}

.tofu/platforms/upc/prod/main.tf

@@ -1,16 +0,0 @@
-module "cluster" {
-  source = "../modules/cluster"
-
-  prefix       = "clst"
-  zone         = "de-fra1"
-  node_plan    = "4xCPU-8GB"
-  node_count   = 3
-  network_cidr = "10.100.0.0/24"
-
-  control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs
-
-  tags = {
-    Environment = "prod"
-    ManagedBy   = "tofu"
-  }
-}

.tofu/platforms/upc/prod/outputs.tf

@@ -1,13 +0,0 @@
-# ─── Cluster ─────────────────────────────────────────────────────────
-
-output "cluster_id" {
-  value = module.cluster.cluster_id
-}
-
-output "cluster_name" {
-  value = module.cluster.cluster_name
-}
-
-output "zone" {
-  value = module.cluster.zone
-}

.tofu/platforms/upc/prod/providers.tf

@@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    upcloud = {
-      source  = "UpCloudLtd/upcloud"
-      version = "~> 5.0"
-    }
-  }
-}
-
-provider "upcloud" {
-  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
-}

.tofu/platforms/upc/workload/main.tf

@@ -1,116 +0,0 @@
-# =============================================================================
-# UpCloud Workload Cluster
-# =============================================================================
-# A lean UCS cluster for running application workloads. No managed data
-# services — those live on the platform cluster. ArgoCD (on the platform
-# cluster) deploys apps to this cluster via the app-of-apps pattern.
-#
-# Platform components deployed by deploy-workload.sh:
-#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
-#
-# Usage:
-#   tofu init && tofu plan && tofu apply
-#   ./sync-tofu-outputs.sh --env upcloud-workload
-#   ./deploy-workload.sh --env upcloud-workload
-# =============================================================================
-
-variable "prefix" {
-  description = "Prefix for resource names"
-  type        = string
-  default     = "clst-workload"
-}
-
-variable "zone" {
-  description = "UpCloud zone"
-  type        = string
-  default     = "fi-hel1"
-}
-
-variable "node_plan" {
-  description = "UpCloud server plan for worker nodes"
-  type        = string
-  default     = "2xCPU-4GB"
-}
-
-variable "node_count" {
-  description = "Number of worker nodes"
-  type        = number
-  default     = 2
-}
-
-variable "network_cidr" {
-  description = "CIDR block for the private network"
-  type        = string
-  default     = "10.110.0.0/24"
-}
-
-variable "control_plane_ip_filter" {
-  description = "CIDRs allowed to access the K8s API"
-  type        = list(string)
-  default     = ["0.0.0.0/0"]
-}
-
-variable "tags" {
-  description = "Labels to apply to resources"
-  type        = map(string)
-  default = {
-    Environment = "workload"
-    ManagedBy   = "tofu"
-  }
-}
-
-# ─── Networking ───────────────────────────────────────────────────────
-
-resource "upcloud_router" "kubernetes" {
-  name = "${var.prefix}-workload-router"
-}
-
-resource "upcloud_gateway" "kubernetes" {
-  name     = "${var.prefix}-workload-gateway"
-  zone     = var.zone
-  features = ["nat"]
-  router {
-    id = upcloud_router.kubernetes.id
-  }
-}
-
-resource "upcloud_network" "kubernetes" {
-  name   = "${var.prefix}-workload-network"
-  zone   = var.zone
-  router = upcloud_router.kubernetes.id
-
-  ip_network {
-    address            = var.network_cidr
-    dhcp               = true
-    dhcp_default_route = true
-    family             = "IPv4"
-    gateway            = cidrhost(var.network_cidr, 1)
-  }
-
-  depends_on = [upcloud_gateway.kubernetes]
-}
-
-# ─── Kubernetes Cluster ───────────────────────────────────────────────
-
-resource "upcloud_kubernetes_cluster" "main" {
-  name                    = "${var.prefix}-workload"
-  zone                    = var.zone
-  network                 = upcloud_network.kubernetes.id
-  control_plane_ip_filter = var.control_plane_ip_filter
-
-  private_node_groups = true
-}
-
-resource "upcloud_kubernetes_node_group" "workers" {
-  cluster       = upcloud_kubernetes_cluster.main.id
-  name          = "${var.prefix}-workload-workers"
-  node_count    = var.node_count
-  plan          = var.node_plan
-  anti_affinity = var.node_count > 1
-  labels = {
-    prefix  = var.prefix
-    cluster = "workload"
-    role    = "worker"
-    env     = lookup(var.tags, "Environment", "workload")
-  }
-}

.tofu/platforms/upc/workload/outputs.tf

@@ -1,3 +0,0 @@
-output "cluster_name" { value = upcloud_kubernetes_cluster.main.name }
-output "cluster_id"   { value = upcloud_kubernetes_cluster.main.id }
-output "zone"         { value = var.zone }

.tofu/platforms/upc/workload/providers.tf

@@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    upcloud = {
-      source  = "UpCloudLtd/upcloud"
-      version = "~> 5.0"
-    }
-  }
-}
-
-provider "upcloud" {
-  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
-}

.tofu/scripts/get-kubeconfig.sh

@@ -1,66 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
-PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
-
-CLUSTER="${1:?Usage: $0 <cluster> (e.g., aks-dev, eks-prod)}"
-PLATFORM="${CLUSTER%%-*}"
-ENV="${CLUSTER#*-}"
-
-KUBECONFIG_FILE="$PROJECT_ROOT/private/$CLUSTER/kubeconfig"
-
-if [[ -f "$KUBECONFIG_FILE" ]]; then
-  echo "Kubeconfig already exists: $KUBECONFIG_FILE"
-  echo ""
-  echo "  export KUBECONFIG=$KUBECONFIG_FILE"
-else
-  echo "No cached kubeconfig. Fetching from platform..."
-
-  # Load platform credentials
-  ENV_FILE="$TOFU_ROOT/configs/$PLATFORM.env"
-  if [[ -f "$ENV_FILE" ]]; then
-    set -a; source "$ENV_FILE"; set +a
-  fi
-
-  TOFU_DIR="$TOFU_ROOT/platforms/$PLATFORM/$ENV"
-  mkdir -p "$(dirname "$KUBECONFIG_FILE")"
-
-  case "$PLATFORM" in
-    aks)
-      cd "$TOFU_DIR"
-      RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "$CLUSTER-rg")
-      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
-      az aks get-credentials --resource-group "$RG" --name "$NAME" --file "$KUBECONFIG_FILE" --overwrite-existing
-      ;;
-    eks)
-      cd "$TOFU_DIR"
-      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
-      REGION=$(tofu output -raw aws_region 2>/dev/null || echo "${AWS_REGION:-eu-west-1}")
-      aws eks update-kubeconfig --name "$NAME" --region "$REGION" --kubeconfig "$KUBECONFIG_FILE"
-      ;;
-    gke)
-      cd "$TOFU_DIR"
-      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
-      REGION=$(tofu output -raw region 2>/dev/null || echo "${GCP_REGION:-europe-west4}")
-      PROJECT=$(tofu output -raw project_id 2>/dev/null || echo "${GCP_PROJECT_ID:-}")
-      gcloud container clusters get-credentials "$NAME" --region "$REGION" --project "$PROJECT"
-      cp ~/.kube/config "$KUBECONFIG_FILE"
-      ;;
-    upc)
-      cd "$TOFU_DIR"
-      CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
-      upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
-      ;;
-    *)
-      echo "Error: unknown platform '$PLATFORM'"
-      exit 1
-      ;;
-  esac
-
-  chmod 600 "$KUBECONFIG_FILE"
-  echo "Kubeconfig saved: $KUBECONFIG_FILE"
-  echo ""
-  echo "  export KUBECONFIG=$KUBECONFIG_FILE"
-fi

.tofu/scripts/setup-cluster.sh

@@ -1,246 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
-PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
-
-# ─── Usage ────────────────────────────────────────────────────────────
-usage() {
-  cat <<EOF
-Usage: $0 <cluster> [options]
-
-  Provision a Kubernetes cluster using OpenTofu.
-  Mirrors bootstrap.sh convention: cluster = <platform>-<env>
-
-  Clusters:   aks-dev | aks-prod | eks-dev | eks-prod
-              gke-dev | gke-prod | upc-dev | upc-prod
-              <platform>-workload (for workload clusters)
-
-  Options:
-    --plan        Plan only, don't apply
-    --destroy     Destroy the cluster (use teardown-cluster.sh instead)
-    --auto        Skip confirmation prompts
-    -h, --help    Show this help
-
-  Examples:
-    $0 aks-dev
-    $0 eks-prod --plan
-    $0 upc-dev --auto
-
-  Prerequisites:
-    - tofu, kubectl, helm installed
-    - Platform credentials in .tofu/configs/<platform>.env
-    - Cluster config in clusters/<cluster>.yaml
-
-  After provisioning, run:
-    ./bootstrap.sh <cluster>
-EOF
-  exit "${1:-0}"
-}
-
-# ─── Parse arguments ──────────────────────────────────────────────────
-CLUSTER=""
-PLAN_ONLY=false
-DESTROY=false
-AUTO_APPROVE=false
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --plan)       PLAN_ONLY=true; shift ;;
-    --destroy)    DESTROY=true; shift ;;
-    --auto)       AUTO_APPROVE=true; shift ;;
-    -h|--help)    usage 0 ;;
-    -*)           echo "Unknown option: $1"; usage 1 ;;
-    *)
-      if [[ -z "$CLUSTER" ]]; then
-        CLUSTER="$1"
-      else
-        echo "Error: unexpected argument '$1'"
-        usage 1
-      fi
-      shift
-      ;;
-  esac
-done
-
-[[ -z "$CLUSTER" ]] && { echo "Error: <cluster> argument required"; usage 1; }
-
-# ─── Map cluster → platform + env ────────────────────────────────────
-PLATFORM="${CLUSTER%%-*}"   # aks-dev → aks
-ENV="${CLUSTER#*-}"         # aks-dev → dev
-
-case "$PLATFORM" in
-  aks|eks|gke|upc) ;;
-  *) echo "Error: unknown platform '$PLATFORM'. Expected: aks, eks, gke, upc"; exit 1 ;;
-esac
-
-TOFU_DIR="$TOFU_ROOT/platforms/$PLATFORM/$ENV"
-if [[ ! -d "$TOFU_DIR" ]]; then
-  echo "Error: tofu directory not found: $TOFU_DIR"
-  echo "Available environments for $PLATFORM:"
-  ls -1 "$TOFU_ROOT/platforms/$PLATFORM/" 2>/dev/null | grep -v modules || echo "  (none)"
-  exit 1
-fi
-
-echo "========================================="
-echo "  Kubernetes Cluster Setup"
-echo "========================================="
-echo ""
-echo "  Cluster:   $CLUSTER"
-echo "  Platform:  $PLATFORM"
-echo "  Env:       $ENV"
-echo "  Tofu dir:  $TOFU_DIR"
-echo ""
-
-# ─── Prerequisites ────────────────────────────────────────────────────
-echo "=== Checking Prerequisites ==="
-command -v tofu    >/dev/null 2>&1 || { echo "Error: tofu is not installed."; exit 1; }
-command -v kubectl >/dev/null 2>&1 || { echo "Error: kubectl is not installed."; exit 1; }
-command -v helm    >/dev/null 2>&1 || { echo "Error: helm is not installed."; exit 1; }
-echo "  tofu, kubectl, helm: OK"
-
-# ─── Load platform credentials ────────────────────────────────────────
-ENV_FILE="$TOFU_ROOT/configs/$PLATFORM.env"
-if [[ -f "$ENV_FILE" ]]; then
-  echo "  Loading credentials from configs/$PLATFORM.env"
-  set -a
-  # shellcheck disable=SC1090
-  source "$ENV_FILE"
-  set +a
-else
-  echo "  Warning: $ENV_FILE not found — using existing environment/CLI auth"
-  echo "  Copy configs/$PLATFORM.env.example → configs/$PLATFORM.env to configure"
-fi
-
-# ─── Load cluster config (if exists) ──────────────────────────────────
-CLUSTER_CONFIG="$PROJECT_ROOT/clusters/$CLUSTER.yaml"
-if [[ -f "$CLUSTER_CONFIG" ]]; then
-  echo "  Loading cluster config from clusters/$CLUSTER.yaml"
-  if command -v yq >/dev/null 2>&1; then
-    eval "$(yq -r 'to_entries[] | "export CLUSTER_\(.key)=\"\(.value)\""' "$CLUSTER_CONFIG")"
-    echo "  Cluster name: ${CLUSTER_clusterName:-$CLUSTER}"
-  else
-    echo "  Warning: yq not installed — cluster config not loaded"
-  fi
-else
-  echo "  Warning: $CLUSTER_CONFIG not found — using defaults"
-fi
-echo ""
-
-# ─── Run OpenTofu ─────────────────────────────────────────────────────
-cd "$TOFU_DIR"
-
-echo "=== Initializing OpenTofu ==="
-tofu init
-
-echo ""
-if $DESTROY; then
-  echo "=== Planning Destruction ==="
-  tofu plan -destroy -out=tfplan
-
-  if ! $AUTO_APPROVE; then
-    echo ""
-    read -rp "DESTROY cluster $CLUSTER? This is irreversible. (yes/no) " REPLY
-    [[ "$REPLY" == "yes" ]] || { echo "Cancelled."; exit 1; }
-  fi
-
-  echo "Destroying infrastructure..."
-  tofu apply tfplan
-  echo ""
-  echo "=== Cluster $CLUSTER Destroyed ==="
-
-elif $PLAN_ONLY; then
-  echo "=== Planning Infrastructure ==="
-  tofu plan
-  echo ""
-  echo "=== Plan complete (--plan mode, no changes applied) ==="
-
-else
-  echo "=== Planning Infrastructure ==="
-  tofu plan -out=tfplan
-
-  if ! $AUTO_APPROVE; then
-    echo ""
-    read -rp "Apply this plan for $CLUSTER? (y/n) " -n 1 REPLY
-    echo
-    [[ "$REPLY" =~ ^[Yy]$ ]] || { echo "Cancelled."; exit 1; }
-  fi
-
-  echo "Applying infrastructure..."
-  tofu apply tfplan
-
-  # ─── Save kubeconfig ──────────────────────────────────────────────
-  KUBECONFIG_DIR="$PROJECT_ROOT/private/$CLUSTER"
-  mkdir -p "$KUBECONFIG_DIR"
-  KUBECONFIG_FILE="$KUBECONFIG_DIR/kubeconfig"
-
-  echo ""
-  echo "=== Saving Kubeconfig ==="
-
-  case "$PLATFORM" in
-    aks)
-      if tofu output -raw kubeconfig > "$KUBECONFIG_FILE" 2>/dev/null; then
-        echo "  Saved from tofu output"
-      else
-        echo "  Fetching from Azure CLI..."
-        RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}-rg")
-        NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
-        az aks get-credentials --resource-group "$RG" --name "$NAME" --file "$KUBECONFIG_FILE" --overwrite-existing
-      fi
-      ;;
-    eks)
-      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
-      REGION=$(tofu output -raw aws_region 2>/dev/null || echo "${AWS_REGION:-eu-west-1}")
-      aws eks update-kubeconfig --name "$NAME" --region "$REGION" --kubeconfig "$KUBECONFIG_FILE"
-      ;;
-    gke)
-      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
-      REGION=$(tofu output -raw region 2>/dev/null || echo "${GCP_REGION:-europe-west4}")
-      PROJECT=$(tofu output -raw project_id 2>/dev/null || echo "${GCP_PROJECT_ID:-}")
-      gcloud container clusters get-credentials "$NAME" --region "$REGION" --project "$PROJECT" 2>/dev/null \
-        && cp ~/.kube/config "$KUBECONFIG_FILE" \
-        || echo "  Warning: could not fetch kubeconfig via gcloud"
-      ;;
-    upc)
-      if tofu output -raw kubeconfig > "$KUBECONFIG_FILE" 2>/dev/null; then
-        echo "  Saved from tofu output"
-      else
-        CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
-        if [[ -n "$CLUSTER_ID" ]]; then
-          upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
-        else
-          echo "  Warning: could not determine cluster ID for kubeconfig"
-        fi
-      fi
-      ;;
-  esac
-
-  if [[ -f "$KUBECONFIG_FILE" ]]; then
-    chmod 600 "$KUBECONFIG_FILE"
-    echo "  Kubeconfig: $KUBECONFIG_FILE"
-  fi
-
-  # ─── Wait for nodes ──────────────────────────────────────────────
-  echo ""
-  echo "=== Waiting for Cluster Nodes ==="
-  export KUBECONFIG="$KUBECONFIG_FILE"
-  if kubectl wait --for=condition=Ready nodes --all --timeout=300s 2>/dev/null; then
-    echo "  All nodes ready"
-  else
-    echo "  Warning: nodes not ready within timeout — check cluster status"
-  fi
-
-  # ─── Summary ─────────────────────────────────────────────────────
-  echo ""
-  echo "========================================="
-  echo "  Cluster $CLUSTER Provisioned"
-  echo "========================================="
-  echo ""
-  echo "  Kubeconfig: $KUBECONFIG_FILE"
-  echo ""
-  echo "  Next steps:"
-  echo "    export KUBECONFIG=$KUBECONFIG_FILE"
-  echo "    ./bootstrap.sh $CLUSTER"
-  echo ""
-fi

.tofu/scripts/teardown-cluster.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-# Delegate to setup-cluster.sh with --destroy flag
-exec "$SCRIPT_DIR/setup-cluster.sh" "$@" --destroy

README.md

@@ -57,11 +57,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ### What's Inside
 
-- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Vault, Vault Secrets Operator, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
-- **Secrets**: Sealed Secrets for secure Git storage
+- **Secrets**: Vault Secrets Operator (VSO) syncs secrets from HashiCorp Vault to K8s
 
 ### Key Features
 
@@ -80,23 +80,8 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ```
 .
-├── bootstrap.sh                # Cluster initialization (ArgoCD + GitOps)
-├── _app-of-apps-{cluster}.yaml # Root ArgoCD Application (per cluster)
-│
-├── .tofu/                     # Infrastructure provisioning (OpenTofu)
-│   ├── platforms/             # Per-platform IaC (one dir per cloud)
-│   │   ├── aks/               # Azure AKS (modules/ + dev/ + prod/ + workload/)
-│   │   ├── eks/               # AWS EKS
-│   │   ├── gke/               # GCP GKE
-│   │   └── upc/               # UpCloud
-│   ├── configs/               # Platform credentials (git-ignored)
-│   │   └── *.env.example      # Template for each platform
-│   └── scripts/               # Cluster lifecycle scripts
-│       ├── setup-cluster.sh   # Create cluster: ./setup-cluster.sh aks-dev
-│       ├── teardown-cluster.sh
-│       └── get-kubeconfig.sh
-│
-├── clusters/                  # Cluster metadata (domain, trustedIPs, etc.)
+├── bootstrap.sh                # Cluster initialization script
+├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
 │   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
@@ -202,7 +187,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
 2. Create `helm-prod-values/myapp/values.yaml` (configuration)
-3. Create sealed secrets if needed
+3. Write secrets to Vault and create VaultStaticSecret CRD if needed
 4. Commit and push - ArgoCD auto-syncs!
 
 ### Update an Existing Application
@@ -215,22 +200,18 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 
 ### Manage Secrets
 
-**See detailed guide**: [Developer Guide - Working with Secrets](docs/DEVELOPER-GUIDE.md#working-with-secrets)
+**See detailed guide**: [Vault Secrets Operator Reference](docs/vault-secrets-operator.md)
 
 ```bash
-# Create plain secret
-kubectl create secret generic myapp-creds \
-  --from-literal=KEY=value \
-  --dry-run=client -o yaml > private/myapp-creds.yaml
+# 1. Write secret to Vault
+vault kv put kv/myapp/myapp-creds KEY=value
 
-# Seal it
-kubeseal --format=yaml --cert=pub-cert.pem \
-  < private/myapp-creds.yaml > secrets/myapp-creds-sealed.yaml
+# 2. Create VaultStaticSecret CRD (one-time, commit to git)
+# See docs/vault-secrets-operator.md for CRD template
 
-# Commit sealed version
-git add secrets/myapp-creds-sealed.yaml
-git commit -m "Add myapp credentials"
-git push
+# 3. Rotate secrets — no git commit needed!
+vault kv put kv/myapp/myapp-creds KEY=new-value
+# VSO picks up changes within 30 seconds
 ```
 
 ### Enable Authentication
@@ -343,7 +324,7 @@ kubectl patch application myapp -n argocd \
 ## 🔐 Security
 
 ### Secret Management
-- ✅ Sealed Secrets for Git storage
+- ✅ Vault Secrets Operator (VSO) for secret management
 - ✅ Kyverno auto-clones secrets to namespaces
 - ❌ Never commit plain secrets
 
@@ -370,7 +351,8 @@ kubectl patch application myapp -n argocd \
 | **Traefik** | Ingress controller | `traefik` | 2 |
 | **Cert-Manager** | TLS certificates | `cert-manager` | 1 |
 | **Kyverno** | Policy engine | `kyverno` | 1 |
-| **Sealed Secrets** | Secret encryption | `kube-system` | 1 |
+| **Vault** | Secret storage | `vault` | 1 |
+| **Vault Secrets Operator** | Secret sync (Vault → K8s) | `vault-secrets-operator-system` | 1 |
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
@@ -470,7 +452,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
 3. Create Helm values in `helm-prod-values/`
-4. Create sealed secrets if needed
+4. Write secrets to Vault and create VaultStaticSecret CRD if needed
 5. Commit and push - ArgoCD handles the rest!
 
 ### Modifying Infrastructure
@@ -514,7 +496,8 @@ Documentation lives in `docs/`. To update:
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
 - [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
-- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+- [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
+- [HashiCorp Vault](https://developer.hashicorp.com/vault/docs)
 
 ### Related Repositories
 - [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates

apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-mcp-credentials
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/argocd-mcp-credentials
+  destination:
+    name: argocd-mcp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/argo-mcp/auth-oidc-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: auth-oidc
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/auth-oidc
+  destination:
+    name: auth-oidc
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/argo-mcp/kustomization.yaml

@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
-- argocdmcp-auth-oidc-sealed.yaml
-- argocd-mcp-credentials.yaml
+- vault-auth.yaml
+- auth-oidc-vault.yaml
+- argocd-mcp-credentials-vault.yaml
+# Removed: argocdmcp-auth-oidc-sealed.yaml, argocd-mcp-credentials.yaml (migrated to VSO)

apps/base/argo-mcp/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd-mcp
+  namespace: argocd-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd-mcp
+    serviceAccount: vault-auth-argocd-mcp
+    audiences:
+    - vault

apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: dot-ai-secrets
+  namespace: dot-ai
+spec:
+  type: kv-v2
+  mount: kv
+  path: dot-ai/dot-ai-secrets
+  destination:
+    name: dot-ai-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/dot-ai-stack/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
-- dot-ai-secrets.yaml
+- vault-auth.yaml
+- dot-ai-secrets-vault.yaml
+# Removed: dot-ai-secrets.yaml (migrated to VSO)

apps/base/dot-ai-stack/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-dot-ai
+  namespace: dot-ai
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: dot-ai
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-dot-ai
+    serviceAccount: vault-auth-dot-ai
+    audiences:
+    - vault

apps/base/mcp10x/app-credentials-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: app-credentials
+  namespace: mcp10x
+spec:
+  type: kv-v2
+  mount: kv
+  path: mcp10x/app-credentials
+  destination:
+    name: app-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/mcp10x/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
-- forte10x-app-credentials-sealed.yaml
+- vault-auth.yaml
+- app-credentials-vault.yaml
+# Removed: forte10x-app-credentials-sealed.yaml (migrated to VSO)

apps/base/mcp10x/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-mcp10x
+  namespace: mcp10x
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: mcp10x
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-mcp10x
+    serviceAccount: vault-auth-mcp10x
+    audiences:
+    - vault

apps/base/musicman/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
-- musicman-credentials.yaml
+- vault-auth.yaml
+- musicman-credentials-vault.yaml
+# Removed: musicman-credentials.yaml (migrated to VSO)

apps/base/musicman/musicman-credentials-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: musicman-credentials
+  namespace: music-man
+spec:
+  type: kv-v2
+  mount: kv
+  path: music-man/musicman-credentials
+  destination:
+    name: musicman-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/musicman/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-music-man
+  namespace: music-man
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: music-man
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-music-man
+    serviceAccount: vault-auth-music-man
+    audiences:
+    - vault

apps/base/ts-mcp/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
-- ts-mcp-secrets-sealed.yaml
+- vault-auth.yaml
+- ts-mcp-secrets-vault.yaml
+# Removed: ts-mcp-secrets-sealed.yaml (migrated to VSO)

apps/base/ts-mcp/ts-mcp-secrets-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: ts-mcp/ts-mcp-secrets
+  destination:
+    name: ts-mcp-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/ts-mcp/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-ts-mcp
+  namespace: ts-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: ts-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-ts-mcp
+    serviceAccount: vault-auth-ts-mcp
+    audiences:
+    - vault

apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dbunk-demo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: dbunk-demo
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/dbunk-demo/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dbunk-demo
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

apps/overlays/upc-dev/dbunk-demo/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dbunk-demo.yaml

apps/overlays/upc-dev/feedback/feedback.yaml

@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: feedback
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: feedback
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/feedback/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: feedback
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

apps/overlays/upc-dev/feedback/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- feedback.yaml

apps/overlays/upc-dev/kustomization.yaml

@@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- dbunk-demo
+- feedback
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

bootstrap.sh

@@ -28,7 +28,6 @@ Bootstrap()
 Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f "secrets/"
     kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
     kubectl apply -f "private/${CLUSTER}/main.key"
 }

cluster-resources/argocd-notifications-secret-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-notifications-secret
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/argocd-notifications-secret
+  destination:
+    name: argocd-notifications-secret
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/forte-helm-repo-vault.yaml

@@ -0,0 +1,16 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: forte-helm-repo
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/forte-helm-repo
+  destination:
+    name: forte-helm-repo
+    create: true
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/forte10x-repo-credentials-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: forte10x-repo-creds
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/forte10x-repo-creds
+  destination:
+    name: forte10x-repo-creds
+    create: true
+    type: Opaque
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/mcp10x-repo-credentials-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: mcp10x-repo-creds
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/mcp10x-repo-creds
+  destination:
+    name: mcp10x-repo-creds
+    create: true
+    type: Opaque
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/policies/auth-sidecar-injector.yaml

@@ -245,6 +245,12 @@ spec:
                 secretKeyRef:
                   name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                   key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
+            - name: AUTH_OIDC_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
+            - name: AUTH_OIDC_BROKER_ALIAS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
+            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
             resources:
               limits:
                 cpu: 50m
@@ -324,6 +330,8 @@ spec:
               value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
             - name: AUTH_MCP_SCOPES_SUPPORTED
               value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
+            - name: AUTH_MCP_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
             resources:
               limits:
                 cpu: 50m

cluster-resources/vault-auth-argocd.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd
+  namespace: argocd
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd
+    serviceAccount: vault-auth-argocd
+    audiences:
+    - vault

docs/DEVELOPER-GUIDE.md

@@ -60,18 +60,16 @@ If you do need cluster access, install:
    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    ```
 
-2. **kubeseal** - For sealing secrets
+2. **vault** CLI - For managing secrets in HashiCorp Vault
    ```bash
    # macOS
-   brew install kubeseal
+   brew install hashicorp/tap/vault
 
    # Windows
-   choco install kubeseal
+   choco install vault
 
    # Linux
-   wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
-   tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
-   sudo mv kubeseal /usr/local/bin/
+   # See https://developer.hashicorp.com/vault/install
    ```
 
 3. **Git** - Version control
@@ -634,115 +632,100 @@ git push
 
 ### Understanding Secret Management
 
-**NEVER commit plain secrets to Git.** We use **Sealed Secrets** to encrypt secrets before committing.
+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
+**NEVER commit plain secret values to Git.** Only VaultStaticSecret CRD manifests are committed.
 
 ### Creating a New Secret
 
-#### Step 1: Create Plain Secret Locally
+#### Step 1: Write Secret to Vault
 
 ```bash
-cd ~/dev/k8s/launchpad
-
-# Create secret in private/ folder (Git-ignored)
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=your-secret-key-here \
-  --from-literal=DB_PASSWORD=super-secret-password \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=your-secret-key-here \
+  DB_PASSWORD=super-secret-password
 ```
 
-**DO NOT commit this file!** It's in `private/` which is Git-ignored.
+#### Step 2: Create VaultStaticSecret CRD
 
-#### Step 2: Seal the Secret
+Create a YAML file (e.g., `apps/base/myapp/myapp-credentials-vault.yaml`):
 
-Seal your secret:
-
-```bash
-kubeseal --format=yaml \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: myapp-credentials
+  namespace: myapp
+spec:
+  type: kv-v2
+  mount: kv
+  path: myapp/myapp-credentials
+  destination:
+    name: myapp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
 ```
 
-#### Step 3: Commit Sealed Secret
+#### Step 3: Add VaultAuth (if new namespace)
+
+If this is a new namespace, also create a `vault-auth.yaml` with a ServiceAccount and VaultAuth CRD. See [VSO Reference](vault-secrets-operator.md#vaultauth) for template.
+
+#### Step 4: Commit and Push
 
 ```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials (sealed)"
+git add apps/base/myapp/myapp-credentials-vault.yaml
+git commit -m "Add myapp credentials (VSO)"
 git push
 ```
 
-#### Step 4: Reference Secret in Application
+ArgoCD syncs the CRD, VSO creates the K8s Secret.
+
+#### Step 5: Reference Secret in Application
 
 Update your `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
-  envSecretName: "myapp-credentials"  # References the SealedSecret
+  envSecretName: "myapp-credentials"  # VSO creates this K8s Secret
 ```
 
-Commit and push:
+### Updating / Rotating a Secret
+
+**No git commit needed** — just update in Vault:
+
 ```bash
-cd ~/dev/k8s/helm-prod-values
-git add myapp/values.yaml
-git commit -m "Reference myapp credentials"
-git push
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=new-key-here \
+  DB_PASSWORD=new-password
 ```
 
-### Updating a Secret
-
-To update an existing secret:
+VSO picks up changes within 30 seconds. Restart pods if they don't watch for secret updates:
 
 ```bash
-# 1. Create new version of secret
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=new-key-here \
-  --from-literal=DB_PASSWORD=new-password \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# 2. Seal it
-kubeseal --format=yaml \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit sealed version
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```
 
 ### Secret Best Practices
 
-✅ **DO**:
-- Store secrets in `private/` folder locally
-- Always seal secrets before committing
-- Delete plain secrets after sealing
-- Use meaningful secret names
+- Write secrets to Vault via UI or CLI — never commit values to Git
+- Use meaningful secret names matching the KV path convention: `kv/{namespace}/{secret-name}`
 - Document what each secret contains
-
-❌ **DON'T**:
-- Commit plain secrets to Git
-- Share secrets via Slack/email
-- Hard-code secrets in code
-- Use the same secret across multiple environments
-- Store secrets in Docker images
+- Use Vault's versioning for audit trail
 
 ### Where Secrets Are Stored
 
 ```
-┌─────────────────────────────────────────────────────────────┐
-│  Location                │  Content           │  Committed?│
-├──────────────────────────┼────────────────────┼────────────┤
-│  private/                │  Plain secrets     │  ❌ NO      │
-│  secrets/                │  Sealed secrets    │  ✅ YES     │
-│  Kubernetes cluster      │  Unsealed secrets  │  N/A       │
-└─────────────────────────────────────────────────────────────┘
+┌──────────────────────────────────────────────────────────────────┐
+│  Location                  │  Content                │  In Git? │
+├────────────────────────────┼─────────────────────────┼──────────┤
+│  Vault KV (kv/{ns}/{name}) │  Secret values          │  ❌ NO   │
+│  VaultStaticSecret CRD     │  Sync config (no values)│  ✅ YES  │
+│  Kubernetes cluster        │  K8s Secret (synced)    │  N/A     │
+└──────────────────────────────────────────────────────────────────┘
 ```
 
-**Sealed Secrets Controller** in the cluster decrypts sealed secrets automatically.
+**Vault Secrets Operator** syncs secrets from Vault to K8s automatically (30s refresh).
 
 ---
 
@@ -876,28 +859,13 @@ In your identity provider (e.g., Keycloak):
 #### Step 2: Create OIDC Secret
 
 ```bash
-# Create plain secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=your-oidc-client-secret \
-  --from-literal=cookie-secret=$(openssl rand -hex 32) \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+# Write OIDC secret to Vault
+vault kv put kv/myapp/auth-oidc \
+  client-secret=your-oidc-client-secret \
+  cookie-secret=$(openssl rand -hex 32)
 
-# Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit sealed secret
-cd ~/dev/k8s/launchpad
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
+# Create VaultStaticSecret CRD (see docs/vault-secrets-operator.md for template)
+# Add to apps/base/myapp/auth-oidc-vault.yaml and commit
 ```
 
 #### Step 3: Configure Helm Values
@@ -1127,16 +1095,13 @@ ingress:
   host: web-app.forteapps.net
 ```
 
-**With sealed OIDC secret**:
+**With Vault OIDC secret**:
 ```bash
-# Create and seal secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=super-secret-value \
-  --from-literal=cookie-secret=$(openssl rand -hex 32) \
-  --namespace=web-app \
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=web-app \
-  > secrets/web-app-auth-oidc-sealed.yaml
+# Write OIDC secret to Vault
+vault kv put kv/web-app/auth-oidc \
+  client-secret=super-secret-value \
+  cookie-secret=$(openssl rand -hex 32)
+# Then create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
 ```
 
 #### Example 3: MCP Server with OAuth 2.0
@@ -1264,7 +1229,7 @@ kubectl logs -n myapp <pod-name> -c authn
 - Use token auth for service-to-service communication
 - Rotate tokens and secrets regularly
 - Use strong random tokens (32+ bytes)
-- Store client secrets in SealedSecrets
+- Store client secrets in Vault
 - Test authentication before deploying to production
 - Document which tokens/users have access
 
@@ -1568,22 +1533,22 @@ curl http://localhost:8080
 
 #### Problem: Secret not found
 
-**Check if SealedSecret exists:**
+**Check VSO sync status:**
 ```bash
-kubectl get sealedsecret -n myapp
+kubectl get vaultstaticsecret -n myapp
 kubectl get secret -n myapp
 ```
 
 **Solutions:**
 ```bash
-# Check if secret is in Git
-ls -l secrets/myapp-credentials-sealed.yaml
+# Check VaultAuth is authenticated
+kubectl get vaultauth -n myapp
 
-# Re-apply sealed secret
-kubectl apply -f secrets/myapp-credentials-sealed.yaml
+# Check VaultStaticSecret events
+kubectl describe vaultstaticsecret myapp-credentials -n myapp
 
-# Check sealed-secrets-controller logs
-kubectl logs -n kube-system deployment/sealed-secrets-controller
+# Verify secret exists in Vault
+vault kv get kv/myapp/myapp-credentials
 ```
 
 #### Problem: Secret exists but pods can't access it
@@ -1694,7 +1659,7 @@ If you're stuck:
 ### Secret Management
 
 ✅ **DO**:
-- Use kubeseal for all secrets
+- Use Vault for all secrets (see docs/vault-secrets-operator.md)
 - Store plain secrets in password manager
 - Rotate secrets regularly
 - Use different secrets per environment
@@ -1746,16 +1711,9 @@ kubectl rollout restart deployment myapp -n myapp
 # Port-forward to service
 kubectl port-forward -n myapp service/myapp 8080:3000
 
-# Create secret
-kubectl create secret generic myapp-credentials \
-  --from-literal=KEY=value \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Seal secret
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
+# Write secret to Vault
+vault kv put kv/myapp/myapp-credentials KEY=value
+# Create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
 ```
 
 ### Repository Locations

docs/GITOPS-ARCHITECTURE.md

@@ -115,30 +115,9 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 
 ```
 launchpad/
-├── bootstrap.sh                      # Cluster initialization (ArgoCD + GitOps)
-├── _app-of-apps-{cluster}.yaml      # Root ArgoCD Application (per cluster)
-│
-├── .tofu/                            # Infrastructure provisioning (OpenTofu)
-│   ├── platforms/                    # Per-platform IaC
-│   │   ├── aks/                      # Azure AKS
-│   │   │   ├── modules/cluster/     # Reusable AKS module
-│   │   │   ├── dev/                 # tofu root for aks-dev
-│   │   │   ├── prod/                # tofu root for aks-prod
-│   │   │   └── workload/            # workload cluster (no data services)
-│   │   ├── eks/                      # AWS EKS (same structure)
-│   │   ├── gke/                      # GCP GKE
-│   │   └── upc/                      # UpCloud
-│   ├── configs/                      # Platform credentials (git-ignored)
-│   │   └── {platform}.env.example   # Template per platform
-│   └── scripts/
-│       ├── setup-cluster.sh          # ./setup-cluster.sh <cluster> [--plan|--auto]
-│       ├── teardown-cluster.sh       # ./teardown-cluster.sh <cluster>
-│       └── get-kubeconfig.sh         # ./get-kubeconfig.sh <cluster>
-│
-├── clusters/                         # Cluster metadata YAML (domain, IPs, etc.)
-│   ├── aks-dev.yaml
-│   ├── upc-dev.yaml
-│   └── ...
+├── bootstrap.sh                      # Cluster initialization script
+├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
+├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
 │   ├── base/                         # Base Application manifests (one dir per component)

docs/OPERATIONS-RUNBOOK.md

@@ -188,13 +188,15 @@ Save the following file in private/ (gitignored) folder as secret.yaml
       <paste your private key here>
     project: default
 ```
-Seal the secret using `kubeseal` command 
+Write the secret to Vault:
 ```bash
-kubeseal --format=yaml \
-  --namespace=argocd \
-  < private/secret.yaml \
-  > secrets/forte-helm-repo-secret-sealed.yaml
+vault kv put kv/argocd/forte-helm-repo \
+  type=git \
+  url=ssh://git@git.forteapps.net:2222/Forte/forte-helm.git \
+  sshPrivateKey="$(cat private/ssh-key)" \
+  project=default
 ```
+Then create a VaultStaticSecret CRD with `argocd.argoproj.io/secret-type: repository` label.
 
 **Step 4: Register Repository in ArgoCD**
 
@@ -499,7 +501,7 @@ See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for d
 **Quick checklist:**
 - [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
-- [ ] Create SealedSecret if needed
+- [ ] Write secrets to Vault and create VaultStaticSecret CRD if needed
 - [ ] Commit and push changes
 - [ ] Verify sync in Slack/ArgoCD
 - [ ] Configure DNS for domain
@@ -670,92 +672,61 @@ db:
 
 ## Secret Management
 
+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
 ### Creating Secrets
 
-#### Step 1: Get Public Certificate
+#### Step 1: Write to Vault
 
 ```bash
-# Fetch sealed-secrets public cert (one-time)
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-
-# Save this certificate for future use
+# From literal values
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=secret123 \
+  DB_PASSWORD=pass456
 ```
 
-#### Step 2: Create Plain Secret
+#### Step 2: Create VaultStaticSecret CRD
 
-```bash
-# Method 1: From literal values
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=secret123 \
-  --from-literal=DB_PASSWORD=pass456 \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Method 2: From file
-kubectl create secret generic myapp-credentials \
-  --from-file=.env \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Method 3: From multiple files
-kubectl create secret generic myapp-credentials \
-  --from-file=api-key.txt \
-  --from-file=db-password.txt \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+```yaml
+# apps/base/myapp/myapp-credentials-vault.yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: myapp-credentials
+  namespace: myapp
+spec:
+  type: kv-v2
+  mount: kv
+  path: myapp/myapp-credentials
+  destination:
+    name: myapp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
 ```
 
-#### Step 3: Seal Secret
+#### Step 3: Commit CRD
 
 ```bash
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-```
-
-#### Step 4: Commit Sealed Secret
-
-```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials"
+git add apps/base/myapp/myapp-credentials-vault.yaml
+git commit -m "Add myapp credentials (VSO)"
 git push
-
-# Delete plain secret
-rm private/myapp-credentials.yaml
 ```
 
-### Updating Secrets
+ArgoCD syncs the CRD, VSO creates the K8s Secret automatically.
+
+### Updating / Rotating Secrets
+
+**No git commit needed** — just update in Vault:
 
 ```bash
-# 1. Create new version
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=new-secret-key \
-  --from-literal=DB_PASSWORD=new-password \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=new-secret-key \
+  DB_PASSWORD=new-password
 
-# 2. Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
+# VSO picks up changes within 30 seconds
+# Restart pods if needed
 kubectl rollout restart deployment myapp -n myapp
-
-# 5. Delete plain secret
-rm private/myapp-credentials.yaml
 ```
 
 ### Viewing Secrets (Unsealed)
@@ -832,30 +803,13 @@ OIDC auth requires an `auth-oidc` Secret with two keys:
 CLIENT_SECRET="your-oidc-client-secret-from-provider"
 COOKIE_SECRET=$(openssl rand -hex 32)
 
-# Create plain secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$COOKIE_SECRET \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+# Write to Vault
+vault kv put kv/myapp/auth-oidc \
+  client-secret=$CLIENT_SECRET \
+  cookie-secret=$COOKIE_SECRET
 
-# Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Apply sealed secret
-kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit to Git
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
+# Create VaultStaticSecret CRD (one-time) and commit
+# See docs/vault-secrets-operator.md for CRD template
 ```
 
 #### Rotating Authentication Secrets
@@ -882,16 +836,12 @@ kubectl rollout restart deployment myapp -n myapp
 # Rotate cookie secret (safe - invalidates existing sessions)
 NEW_COOKIE_SECRET=$(openssl rand -hex 32)
 
-# Recreate secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
-  --namespace=myapp \
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
-  kubectl apply -f -
+# Update in Vault — no git commit needed
+vault kv put kv/myapp/auth-oidc \
+  client-secret=$CLIENT_SECRET \
+  cookie-secret=$NEW_COOKIE_SECRET
 
-# Restart to pick up new secret
+# VSO picks up within 30s. Restart pods to use new secret:
 kubectl rollout restart deployment myapp -n myapp
 ```
 
@@ -1342,13 +1292,11 @@ kubectl get applications -n argocd -w
                - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
    ```
 
-3. **Sealed Secrets private key backup**
+3. **Vault backup**
    ```bash
-   # Backup sealed-secrets controller private key
-   kubectl get secret -n kube-system sealed-secrets-key \
-     -o yaml > sealed-secrets-key-backup.yaml
-
-   # Store in secure location (password manager, vault)
+   # Vault data is stored on PVC — ensure PVC snapshots are configured
+   # For disaster recovery, maintain Vault unseal keys in a secure location
+   # All secrets can be re-seeded from source if needed
    ```
 
 ---
@@ -1668,7 +1616,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
-- [ ] Secrets created and sealed
+- [ ] Secrets written to Vault and VaultStaticSecret CRD created
 - [ ] DNS record added for domain
 - [ ] Application synced successfully
 - [ ] Health check passed

docs/REFERENCE.md

@@ -72,22 +72,9 @@ Internet
 
 ```
 launchpad/
-├── bootstrap.sh                   # Cluster initialization (ArgoCD + GitOps)
-├── _app-of-apps-{cluster}.yaml   # Root ArgoCD Application (per cluster)
-│
-├── .tofu/                         # Infrastructure provisioning (OpenTofu)
-│   ├── platforms/                 # Per-platform IaC
-│   │   ├── aks/                   # Azure: modules/cluster/, dev/, prod/, workload/
-│   │   ├── eks/                   # AWS: same structure
-│   │   ├── gke/                   # GCP
-│   │   └── upc/                   # UpCloud
-│   ├── configs/                   # Platform credentials (git-ignored)
-│   └── scripts/                   # setup-cluster.sh, teardown-cluster.sh, get-kubeconfig.sh
-│
-├── clusters/                      # Cluster metadata YAML
-│   ├── aks-dev.yaml
-│   ├── upc-dev.yaml
-│   └── ...
+├── bootstrap.sh                   # Cluster initialization script
+├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
+├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
 ├── infra/                         # Infrastructure applications (Kustomize)
 │   ├── base/                      # One subdirectory per component
@@ -738,6 +725,59 @@ TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 
 ## Infrastructure Components
 
+### Homepage (Platform Dashboard)
+
+**Chart**: `jameswynn/homepage`
+**Namespace**: `homepage`
+**URL**: `https://start.forteapps.net`
+
+Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
+
+**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
+
+**Annotated services**:
+| Service | Namespace | Group | Widget |
+|---------|-----------|-------|--------|
+| `gitea-http` | `gitea` | DevOps | `gitea` |
+| `argocd-server` | `argocd` | DevOps | `argocd` |
+| `keycloak` | `keycloak` | Identity | none |
+| `grafana` | `monitoring` | Monitoring | `grafana` |
+| `karpor-server` | `karpor` | DevOps | none |
+
+**Adding a new app**: Annotate the app's Service in its Helm values:
+```yaml
+service:
+  annotations:
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "My App"
+    gethomepage.dev/description: "What it does"
+    gethomepage.dev/group: "GroupName"
+    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
+    gethomepage.dev/href: "https://myapp.forteapps.net"
+    # Optional live widget:
+    gethomepage.dev/widget.type: "myapp"
+    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
+    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
+```
+
+**Widget API credentials**: Inject via env vars into the Homepage pod:
+```yaml
+# In homepage-values.yaml per environment
+env:
+- name: HOMEPAGE_VAR_GRAFANA_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: homepage-widget-credentials
+      key: grafana-token
+```
+Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
+
+**Values files**:
+- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
+- `infra/values/{env}/homepage-values.yaml` — hostname per environment
+
+---
+
 ### Traefik
 
 **Chart**: `traefik/traefik`
@@ -1344,6 +1384,46 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 
+### Keycloak Microsoft/Entra Identity Provider
+
+**File**: `infra/values/upc-dev/keycloak-values.yaml`
+**Namespace**: `keycloak`
+
+**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
+
+**Configuration via keycloakConfigCli**:
+- IdP alias: `forte-entra`, provider: `microsoft`
+- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
+- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
+
+**Key Configuration Notes**:
+
+| Field | Location | Notes |
+|-------|----------|-------|
+| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
+| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
+| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
+| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
+
+**Token Storage & Broker Access**:
+- `storeToken: true` persists the Entra access token in Keycloak
+- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
+- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
+
+**Identity Provider Mappers**:
+- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
+
+**Required Secret** (`microsoft-idp-credentials`):
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+stringData:
+  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
+```
+
 ### Default Namespace Blocker
 
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`

docs/vault-secrets-operator.md

@@ -0,0 +1,206 @@
+# Vault Secrets Operator (VSO) Reference
+
+## Overview
+
+The platform uses HashiCorp Vault Secrets Operator (VSO) to sync secrets from Vault KV v2 to native Kubernetes Secrets. This replaces the previous SealedSecrets workflow.
+
+**Key benefit**: Secret values can be rotated via Vault UI/CLI without a git commit. Only new VaultStaticSecret CRDs need to be committed.
+
+## Architecture
+
+```
+Vault (KV v2)                VSO                        K8s Secret
+kv/{namespace}/{name}  -->  VaultStaticSecret CRD  -->  Secret in namespace
+                            (polls every 30s)
+```
+
+- **Vault**: Standalone instance in `vault` namespace, KV v2 at `kv/`
+- **VSO**: Deployed in `vault-secrets-operator-system` namespace via ArgoCD
+- **Auth**: Kubernetes auth method — each namespace has its own ServiceAccount + VaultAuth CRD
+
+## KV Path Convention
+
+```
+kv/{namespace}/{secret-name}
+```
+
+Examples:
+- `kv/homepage/homepage-widget-credentials`
+- `kv/argocd/forte-helm-repo`
+- `kv/gitea/gitea-smtp-secret`
+- `kv/keycloak/keycloak-credentials`
+
+## Vault Policy Structure
+
+Each namespace gets a read-only policy:
+
+```hcl
+# Policy: ns-{namespace}
+path "kv/data/{namespace}/*" {
+  capabilities = ["read"]
+}
+path "kv/metadata/{namespace}/*" {
+  capabilities = ["read", "list"]
+}
+```
+
+## Kubernetes Auth Roles
+
+Each namespace has a bound ServiceAccount:
+
+```
+Role: ns-{namespace}
+  bound_service_account_names: vault-auth-{namespace}
+  bound_service_account_namespaces: {namespace}
+  policies: ns-{namespace}
+  audience: vault
+  ttl: 1h
+```
+
+## CRD Reference
+
+### VaultAuth
+
+Per-namespace auth binding. One per namespace.
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: {namespace}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-{namespace}
+    serviceAccount: vault-auth-{namespace}
+    audiences:
+    - vault
+```
+
+Each VaultAuth requires a corresponding ServiceAccount:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-{namespace}
+  namespace: {namespace}
+```
+
+### VaultStaticSecret
+
+One per secret. Syncs a Vault KV path to a K8s Secret.
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {secret-name}
+  namespace: {namespace}
+spec:
+  type: kv-v2
+  mount: kv
+  path: {namespace}/{secret-name}
+  destination:
+    name: {secret-name}        # K8s Secret name (must match what apps expect)
+    create: true
+    type: Opaque               # Optional, defaults to Opaque
+    labels:                    # Optional, for secrets that need labels
+      some-label: "value"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
+```
+
+## Special Labels
+
+Some secrets require specific labels for correct operation:
+
+| Secret | Label | Purpose |
+|--------|-------|---------|
+| `renovate-env` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
+| `gitea-smtp-secret` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
+| `forte-helm-repo` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+| `forte10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+| `mcp10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+
+These are set in `destination.labels` of the VaultStaticSecret CRD.
+
+## Namespaces & Secrets Map
+
+| Namespace | Secrets |
+|-----------|---------|
+| `homepage` | homepage-widget-credentials |
+| `renovate` | renovate-env |
+| `gitea` | gitea-credentials, gitea-backup-s3, gitea-smtp-secret, gitea-runner-token |
+| `keycloak` | keycloak-credentials, microsoft-idp-credentials (overlay) |
+| `argocd` | forte-helm-repo, forte10x-repo-creds, mcp10x-repo-creds, argocd-notifications-secret |
+| `mcp10x` | app-credentials |
+| `ts-mcp` | ts-mcp-secrets |
+| `argocd-mcp` | auth-oidc, argocd-mcp-credentials |
+| `dot-ai` | dot-ai-secrets |
+| `music-man` | musicman-credentials |
+
+## Common Operations
+
+### Add a new secret
+
+1. Write to Vault:
+   ```bash
+   vault kv put kv/{namespace}/{secret-name} key1=val1 key2=val2
+   ```
+
+2. Create VaultStaticSecret YAML (see template above)
+
+3. Add to kustomization.yaml in the appropriate directory
+
+4. Commit and push — ArgoCD syncs the CRD, VSO creates the K8s Secret
+
+### Rotate a secret value
+
+No git commit needed:
+```bash
+vault kv put kv/{namespace}/{secret-name} key1=new-val1 key2=new-val2
+```
+VSO picks up changes within 30 seconds.
+
+### Check sync status
+
+```bash
+# VaultAuth status
+kubectl get vaultauth -n {namespace}
+
+# VaultStaticSecret status
+kubectl get vaultstaticsecret -n {namespace}
+
+# Verify K8s Secret exists with correct keys
+kubectl get secret {name} -n {namespace} -o jsonpath='{.data}' | jq
+```
+
+### Troubleshooting
+
+1. **VaultAuth not authenticating**: Check ServiceAccount exists, Vault role matches SA name/namespace
+2. **VaultStaticSecret not syncing**: Check `kubectl describe vaultstaticsecret {name} -n {ns}` for events
+3. **Secret missing keys**: Verify Vault KV path has all expected keys: `vault kv get kv/{ns}/{name}`
+4. **Permission denied**: Verify Vault policy allows read on `kv/data/{ns}/*`
+
+## File Locations
+
+| Type | Location |
+|------|----------|
+| VSO ArgoCD Application | `infra/base/vault-secrets-operator/` |
+| VSO Helm values | `infra/values/base/vault-secrets-operator-values.yaml` |
+| Vault policies script | `scripts/vault-setup-policies.sh` |
+| Seed script | `scripts/seed-vault-from-cluster.sh` |
+| VaultAuth + VaultStaticSecret | Alongside ArgoCD Application in each component directory |
+
+## Setup Scripts
+
+```bash
+# Create all Vault policies and auth roles
+./scripts/vault-setup-policies.sh
+
+# Seed Vault KV from existing K8s Secrets
+./scripts/seed-vault-from-cluster.sh
+```

infra/base/gitea/gitea-backup-s3-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-s3
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-backup-s3
+  destination:
+    name: gitea-backup-s3
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-credentials
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-credentials
+  destination:
+    name: gitea-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-runner-token-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-runner-token
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-runner-token
+  destination:
+    name: gitea-runner-token
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-smtp-secret-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-smtp-secret
+  destination:
+    name: gitea-smtp-secret
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/kustomization.yaml

@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
-- gitea-backup-s3-sealed.yaml
-- gitea-credentials-sealed.yaml
-- gitea-runner-token-sealed.yaml
-- gitea-smtp-secret-sealed.yaml
+- vault-auth.yaml
+- gitea-credentials-vault.yaml
+- gitea-backup-s3-vault.yaml
+- gitea-smtp-secret-vault.yaml
+- gitea-runner-token-vault.yaml
+# Removed: gitea-*-sealed.yaml (migrated to VSO)

infra/base/gitea/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-gitea
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-gitea
+    serviceAccount: vault-auth-gitea
+    audiences:
+    - vault