smtp config

README.md

@@ -95,6 +95,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │   ├── fluent-bit.yaml
 │   ├── trivy.yaml
 │   ├── sealedsecrets.yaml
+│   ├── renovate.yaml
 │   └── values/                # Helm value overrides
 │
 ├── apps/                      # Business Applications
@@ -335,6 +336,7 @@ kubectl patch application myapp -n argocd \
 | **Tempo** | Distributed tracing | `monitoring` | 1 |
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
+| **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)

docs/REFERENCE.md

@@ -90,6 +90,7 @@ launchpad/
 │   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
 │   ├── secrets.yaml
+│   ├── renovate.yaml
 │   └── values/
 │       ├── argocd-values.yaml
 │       ├── prometheus-values.yaml
@@ -98,7 +99,8 @@ launchpad/
 │       ├── tempo-values.yaml
 │       ├── gitea-values.yaml
 │       ├── gitea-actions-values.yaml
-│       └── fluent-bit-values.yaml
+│       ├── fluent-bit-values.yaml
+│       └── renovate-values.yaml
 │
 ├── apps/                          # Business applications
 │   ├── mcp10x.yaml
@@ -811,7 +813,7 @@ postgresql:
   persistence: 8Gi (upcloud-block-storage-maxiops)
 ```
 
-**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`)
+**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
 
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
@@ -867,6 +869,48 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### Renovate
+
+**Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
+**Version**: 46.109.0 (app v43.113.0)
+**Namespace**: `renovate`
+**Sync Wave**: 2
+
+**Purpose**: Automated dependency update bot. Runs as a CronJob that scans Gitea repositories for outdated dependencies and creates pull requests with updates.
+
+**Configuration**:
+```yaml
+# infra/renovate.yaml + infra/values/renovate-values.yaml
+cronjob:
+  schedule: "@hourly"
+  concurrencyPolicy: Forbid
+
+renovate:
+  config:
+    platform: gitea
+    endpoint: https://git.forteapps.net
+    autodiscover: true
+    gitAuthor: "Renovate Bot <renovate@forteapps.net>"
+
+resources:
+  requests: { cpu: 250m, memory: 512Mi }
+  limits: { cpu: "1", memory: 1Gi }
+```
+
+**Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
+- `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
+- `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
+
+**Setup Steps**:
+1. Fill in `private/renovate-env.yaml` with tokens
+2. Seal: `kubeseal --format yaml < private/renovate-env.yaml > secrets/renovate-env-sealed.yaml`
+3. Commit and push — ArgoCD deploys the CronJob, Kyverno clones the secret
+
+**Verification**:
+- `kubectl get cronjob -n renovate` — CronJob exists
+- `kubectl create job --from=cronjob/renovate renovate-test -n renovate` — manual trigger
+- `kubectl logs -n renovate job/renovate-test` — check logs
+
 ---
 
 ## Kyverno Policies
@@ -1472,6 +1516,7 @@ team: platform
 | **Fluent-Bit** | 2.1.0+ | Latest |
 | **Gitea** | 1.25.4 | 12.5.0 |
 | **Gitea Act Runner** | Latest | Latest |
+| **Renovate** | v43.113.0 | 46.109.0 |
 | **PostgreSQL** | 16-alpine | N/A |
 | **Trivy** | Latest | Latest |
 
@@ -1483,6 +1528,6 @@ team: platform
 
 ---
 
-**Last Updated**: 2026-04-08
+**Last Updated**: 2026-04-14
 **Maintained By**: Platform Team
 **Version**: 1.0.0

infra/renovate.yaml

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: renovate
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ghcr.io/renovatebot/charts
+    chart: renovate
+    targetRevision: "46.109.0"
+    helm:
+      releaseName: renovate
+      valueFiles:
+      - $values/infra/values/renovate-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: renovate
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/values/gitea-values.yaml

@@ -65,9 +65,28 @@ gitea:
       ISSUE_INDEXER_TYPE: bleve
       REPO_INDEXER_ENABLED: true
 
-  # -- OIDC authentication via Keycloak
+    mailer:
+      ENABLED: true
+      PROTOCOL: smtps
+      SMTP_ADDR: smtp.office365.com
+      SMTP_PORT: 587
+      FROM: "noreply@fortedigital.com"
+
+  # -- SMTP credentials injected from secret (USER and PASSWD)
+  additionalConfigFromEnvs:
+  - name: GITEA__mailer__USER
+    valueFrom:
+      secretKeyRef:
+        name: gitea-smtp-secret
+        key: username
+  - name: GITEA__mailer__PASSWD
+    valueFrom:
+      secretKeyRef:
+        name: gitea-smtp-secret
+        key: password
+  # -- OIDC authentication via Forte
   oauth:
-  - name: "Keycloak"
+  - name: "Forte"
     provider: "openidConnect"
     existingSecret: gitea-credentials
     key: gitea

infra/values/keycloak-values.yaml

@@ -78,7 +78,22 @@ keycloakConfigCli:
             "publicClient": false,
             "redirectUris": ["https://git.forteapps.net/*"],
             "webOrigins": ["https://git.forteapps.net"],
-            "defaultClientScopes": ["openid", "email", "profile"]
+            "defaultClientScopes": ["openid", "email", "profile"],
+            "protocolMappers": [
+              {
+                "name": "email_verified",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-hardcoded-claim-mapper",
+                "config": {
+                  "claim.name": "email_verified",
+                  "claim.value": "true",
+                  "jsonType.label": "boolean",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
+                }
+              }
+            ]
           }
         ]
       }

infra/values/renovate-values.yaml

@@ -0,0 +1,42 @@
+cronjob:
+  schedule: "@daily"
+  concurrencyPolicy: Forbid
+
+renovate:
+  config: |
+    {
+      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+      "platform": "gitea",
+      "endpoint": "https://git.forteapps.net",
+      "autodiscover": true,
+      "gitAuthor": "Renovate Bot <renovate@forteapps.net>",
+      "packageRules": [
+        {
+          "matchRepositories": ["**/10x"],
+          "assignees": ["edvard.unsvag"]
+        },
+        {
+          "matchRepositories": ["**/auth-sidecar"],
+          "assignees": ["danijel.simeunovic"]
+        },
+        {
+          "matchRepositories": ["**/forte-helm"],
+          "assignees": ["danijel.simeunovic"]
+        }
+      ]
+    }
+
+envFrom:
+- secretRef:
+    name: renovate-env
+
+env:
+  LOG_LEVEL: info
+
+resources:
+  requests:
+    cpu: 500m
+    memory: 1Gi
+  limits:
+    cpu: "2"
+    memory: 4Gi

secrets/gitea-smtp-secret-sealed.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  encryptedData:
+    password: AgBMuISQeA41mtBIOo686sND2EO12Jv7BIogL5G7xxt7wKfIk88dQrU74vs+fv3OtPce2Ra63QkR6po31M9fZkoiYba5yqJtEOc6em3y0ZxM/UzavbRvHwrvsWEYqmHBnkCUjcJijdGbSX+rHyGsXLfZO0gOjqXO379Zl1fzmV4p3F5REXFQm6HorVtWX/LOSRj9GDW76l6KgPR/A+CbtAx8Cq0m3D3fyiaVLEReP3uOgBOo70APHj9Yp56EcgOtVa1pEgCxR4ctXeS4t/EliWcHc/JT4TBdRBRDYPKLfME6FvJxjLjaSZcWxtJrJzCv3+vA5LlfObuHY31aSDRqYwO4VBCPhf3Aa6Z5UXgUnmAtJRhHa9pKSSjW48jgNb1jDPIkQn5XgB2/twJ+gX3inAkrTQ82JJ75Rz7XWC8KmYkOtkgXgU2buCa4nIfPeXOr5qvutyywxV1Ge1nK0fQYneQZVFXlHTbAQXBJMpVvJoJ+G3xGjm1904/iBGkVKmNrQwaABUsGBC6ZIHGOTa45GBqrg3ODU2Gr61SCYxv6m3pMU1msR7QYne0oqLCVD8mLDaeSeiQI4ZY9u4ddsVwM6l2BFrT6+3IQuYPBgOoodzDVlCgmA7hoekhpak9vZ0loSHaWDXdNt75SemAjsQfwCO5sSEkr+wbCJEQpXh5p38RMZKTuOh3nYEGQEx/MQNl3VD4FarK/zOJM9EO9IkqdM4LnqVo3zPX4KAPosS1PPKS8
+    username: AgBF6MiaI1x2xQOUoF4NUh4MeFF64Db3vywcEO0FdJ0U9EirVFMsBSSiqJLy8ok43ha72s+/RLBNHiSSRKX1UMWwwCsfs+LQJNh9EetgHRxoyqkHiqRMX5V2acU2scdPE/FCFQFOYzAjweup+kP8xNu1WKuDtPBRiAgBNDfW59ihFi9TgOJQ2AnDHottjm5CNaWsbTOSgZrXqzCEChfHu5K0W9cty9ENHYqnYDfcm/zPLYeUPW0gVN5GJq3lPo9vZjM7T2JnwryjOkBaPCRCzHOpRF3bMrArFrjbUlH6gdI0APf4CzGLMMKol/jTMG2tLBseaNQHfbz6p1vFYExCL60gSN46fzh10zIWaIC2O+SgoLLOizkQZWf/v86cdRerBSl6PFmbRUO18XUQ4SyR/WPM71HD1jeLnUZjKtkOu+fqQKlv8kBSELHGqiURNYDnbmUA1LQpdNkDnMkRS+uzQ3XwWCSQBAn+u9wh69kg1oPVEN60Nc4KpNwFIg25aycGkP3cMklfl3/u9nr5KruwtJe+hl2ynSk8zeEFWWQrBki7+88CH9aWVW/GTA8Ho7Fz+gp4ZUdUA0WhH2LRAQIN945pvJIkHm/AYAhH6pZiXdBzYeguPY5VEf6hDVM1sa39aSZzs81cj0YHxbjR/BoBxbUAa9xW7JYH2rcIqXDhJB4zq2H++8e0eABsdQC3tMmE1eQA51d0yg8+2fX+CRkcvMCmI3VjS/mdirrtnctv
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        allowedToBeCloned: "true"
+      name: gitea-smtp-secret
+      namespace: gitea
+    type: Opaque

secrets/renovate-env-sealed.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: renovate-env
+  namespace: renovate
+spec:
+  encryptedData:
+    RENOVATE_GITHUB_COM_TOKEN: AgBliRXcjCrWeZKa3A0RuQatvluoF30R8HEAt7aVJwSf9EbMtB/ozbtsbHxYTsyfpdnaewD+BMRbaDdQOTpmlPxfK5eqKFuLXJGCXmiiMEHvK3GG0y0STjfgC2GyrXvtmh/lg/Awod9ZneJ2+Xoi0X7ZIngWwHXmgvsRfczKtwZAZm/YVDLGHRW2BCwBgzStZquopxYGQRa58WSx9XkE/cV8UOb6Kw+4fGMKggJPr8ERUQyermCZ0HBOpkQwPpWoPhRFdCMj2qasVLttkK/jLG2romy3JZ59RGrQ7bj2p9IdJujqtteWb4vDdOc4jvplKWlB8QptZ872a2MPeyvopqkCsmnsfi6tup6uBaUzE8Hym0olpqK73dCjc4RP7x64KwsdGOyi2aJgEz1/Ro7GMu7sam5sdpTjpdA3EbyC8tZrnlC51mUlq4ghP5XELGj6DjvLWZ3dk0UOSQ4vQ/KLGyA29VBgvV3MdabpGNhs5VlU69p4RofxoFT9n9CrtJN8FPOnMUK6L58Zf3w+eYJQMuyttgf/h/stQUx6OU7R4d/4xA1j4YCFRxw2mXaYO9Tjsxsq2KB1v3TzyZKtZfYLeiNhv/rAfPs7krACs1ncNXVtS7sP3G14+Asvu6EdnlM86LThBmIeKRW8lSry5pO3IMOIzNGrqulFnuTGP9fy9cs5d58q/E4sUXoY0Liiod92+1RO8dpyn+xf9afCAei8lG6TFNPWdLzcl8WOJgZLWmRdRNhezOmSZHxnh8P/Ul2oxhrVZSYGLhvIfBVU9oY+s7lgw8FpM08RLdP3OsKigs5/uiE/56qHZHvj2YZf6mg=
+    RENOVATE_TOKEN: AgCV8DmDz1CT+wjtghW9ERy9tY/GCZfehPbd3vqikGx8tsZzxEoKukJzkeRJmsHqDTXylFMZHB+saYuk+vWOeMT7oGs/6wIC7eC08GN4OcBYpihrTSrzoAkp1WwLJV0KoNGbtbgoQXdlPJOWBjs6X90mrFmpwRewcaADks/uS/ONZw3MhiSbukYN3L45uL6b6gUp1Yl4nDyCyvCDoRpr1FQt2MMltyChimUtLXoMrnV3iO0oFlFMITJRjvauYrKXdD0xyWxji3Rbrowbgr/iFkz/0fTpg6AwhP/ISRWtO+NDB3kZ6/CvcK2a1phTIgf2eiHfvMQIwnpfRauyUPtNHkCInC7OOtn0eyHZmAqkSaJTN1rJN3X8lRIgjhtZr9upE6ZCLK5kMdq87oDjtvwc0X0AyeTxV3EGXh87Zfda97KhG5LSC3uShzc8AYPA7SGxMTuoF4wON0Qa7AdAeGvtL+2GuhRkHhmyOeY4iORrVo8TlJsN1DsZmrbRArJWzvMcb31gefxTmg8tSZhuLOo4RHsUayCNIPmW/AvpcbGJS1pPXS8nPkDqSoeL6UW/G8CoEEisr50+9ztGOCmurobbadHcs4LhwAC2s9SuYuCTTSK4c98ke901ks4Iho8TuG3WmBkgJlEsNMigMsnW6pwlx/Xnij06csRY8Xcfh77MjluQXx833oKRxffwC9NuIgXcBG0cqGraEF6RFxKlu3DsWRIElt5Rnju/WSNhDsWubKrMVtKXuYX0tTBn
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        allowedToBeCloned: "true"
+      name: renovate-env
+      namespace: renovate
+    type: Opaque