KC deploy 3

KC deploy 2
KC deploy
2026-05-04 15:00:28 +02:00 · 2026-05-04 14:56:06 +02:00 · 2026-05-04 13:49:18 +02:00 · 2026-05-04 12:08:32 +02:00 · 2026-04-30 19:08:24 +02:00 · 2026-04-30 18:24:34 +02:00
36 changed files with 297 additions and 1065 deletions
--- a/apps/overlays/upc-dev/forte-drop-mcp/forte-drop-mcp.yaml
+++ b/apps/overlays/upc-dev/forte-drop-mcp/forte-drop-mcp.yaml
@@ -1,37 +1,53 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: forte-drop-mcp
+  name: feedback
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+    argocd.argoproj.io/sync-wave: "12"
  labels:
-    app.kubernetes.io/name: forte-drop-mcp
+    app.kubernetes.io/name: feedback
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
+
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
-      - $values/forte-drop-mcp/values.yaml
+      - $values/feedback/values.yaml
+
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
+
  destination:
    server: https://kubernetes.default.svc
-    namespace: forte-drop
+    namespace: feedback
+
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
+      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
--- a/apps/overlays/upc-dev/forte-drop-postgresql/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- forte-drop-postgresql.yaml
+- feedback.yaml
--- a/apps/overlays/upc-dev/forte-drop-mcp/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop-mcp/kustomization.yaml
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- forte-drop-mcp.yaml
-# No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
-# auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
-# resource server that validates tokens (no client-secret of its own).
-# forte-drop-secrets (shared with web) covers PG + S3 creds.
--- a/apps/overlays/upc-dev/forte-drop-postgresql/RESTORE.md
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/RESTORE.md
@@ -1,143 +0,0 @@
-# forte-drop Postgres — backup & restore runbook
-
-## What gets backed up
-
-A CronJob (`forte-drop-pg-backup`, namespace `forte-drop`) runs nightly at **02:00 UTC**:
-
-1. `pg_dump` of the `drops` database → gzip.
-2. Upload to **UpCloud Managed Object Storage**: `s3://drops/_pgbackups/forte-drop-<TS>.sql.gz`
-   (the `_pgbackups/` prefix is collision-proof: app slugs match `/^[a-z0-9][a-z0-9-]{0,62}$/`
-   and can never start with `_`).
-3. Retention: dumps older than **30 days** are pruned.
-
-S3 creds come from the `forte-drop-secrets` Secret (`S3_ENDPOINT` / `S3_KEY` / `S3_SECRET`).
-Postgres creds from `forte-drop-pg-creds` (`pgusername` / `pgpassword`).
-
-> **Object storage is the durable tier.** App data + DB backups both live in UpCloud
-> Managed Object Storage (replicated by UpCloud). The in-cluster Postgres PVC is the
-> live working copy; the nightly dump is the recovery point. The PVC carries
-> `Prune=false,Delete=false` so ArgoCD never deletes it.
-
-## Prerequisites
-
-```bash
-export KUBECONFIG=~/Downloads/dev-fd-no-svg1_kubeconfig.yaml
-# Confirm the namespace + DB pod are up:
-kubectl -n forte-drop get pods -l app.kubernetes.io/name=postgresql
-```
-
-## List available backups
-
-```bash
-# Run an ephemeral mc pod with the app's S3 creds:
-kubectl -n forte-drop run mc-list --rm -it --restart=Never \
-  --image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
-  --overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc ls obj/drops/_pgbackups/"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}'
-```
-
-## Manually trigger a backup (before risky changes)
-
-```bash
-kubectl -n forte-drop create job --from=cronjob/forte-drop-pg-backup pg-backup-manual-$(date +%s)
-# Watch:
-kubectl -n forte-drop get jobs -l app.kubernetes.io/component=backup
-kubectl -n forte-drop logs -l app.kubernetes.io/component=backup --tail=40
-```
-
-## Restore a dump
-
-> **Destructive.** This overwrites the live `drops` database. Take a fresh manual
-> backup first (above) and confirm with whoever owns the data before proceeding.
-
-### 1. Pick the dump to restore
-
-List backups (above), choose `forte-drop-<TS>.sql.gz`.
-
-### 2. Run a restore pod that pulls the dump and pipes it into Postgres
-
-```bash
-DUMP="forte-drop-20260530T020000Z.sql.gz"   # <-- set to the chosen file
-
-kubectl -n forte-drop run pg-restore --rm -it --restart=Never \
-  --image=postgres:16-alpine \
-  --overrides='{
-    "spec": {
-      "containers": [{
-        "name": "restore",
-        "image": "postgres:16-alpine",
-        "command": ["sh","-c","set -euo pipefail; \
-          apk add --no-cache curl >/dev/null; \
-          # download via mc is simpler — use a 2-step instead (see note). \
-          echo placeholder"],
-        "envFrom": [
-          {"secretRef":{"name":"forte-drop-pg-creds"}},
-          {"secretRef":{"name":"forte-drop-secrets"}}
-        ]
-      }]
-    }
-  }'
-```
-
-**Simpler 2-pod approach (recommended — avoids cramming mc + psql in one image):**
-
-```bash
-DUMP="forte-drop-20260530T020000Z.sql.gz"
-
-# (a) Download the dump from object storage to a local file:
-kubectl -n forte-drop run mc-get --rm -it --restart=Never \
-  --image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
-  --overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc cat obj/drops/_pgbackups/'"$DUMP"'"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}' \
-  > /tmp/$DUMP
-
-# (b) Pipe it into the live Postgres via the service:
-gunzip -c /tmp/$DUMP | kubectl -n forte-drop run pg-restore --rm -i --restart=Never \
-  --image=postgres:16-alpine \
-  --overrides='{"spec":{"containers":[{"name":"psql","image":"postgres:16-alpine","stdin":true,"command":["sh","-c","PGPASSWORD=\"$pgpassword\" psql -h forte-drop-postgresql.forte-drop.svc -U \"$pgusername\" -d drops"],"env":[{"name":"pgusername","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgusername"}}},{"name":"pgpassword","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgpassword"}}}]}]}}'
-```
-
-> The app's schema is created idempotently on boot (`CREATE TABLE IF NOT EXISTS` +
-> `ALTER TABLE ... ADD COLUMN IF NOT EXISTS` in `src/repo/pg.ts`), and `pg_dump`
-> output includes the data. For a clean restore into a fresh DB this just works.
-> To restore over an existing DB with conflicting rows, drop/recreate the `drops`
-> database first (coordinate downtime — scale the web Deployment to 0 during the
-> restore so the app isn't writing).
-
-### 3. Verify
-
-```bash
-kubectl -n forte-drop run pg-check --rm -it --restart=Never \
-  --image=postgres:16-alpine \
-  --env="PGPASSWORD=$(kubectl -n forte-drop get secret forte-drop-pg-creds -o jsonpath='{.data.pgpassword}' | base64 -d)" \
-  --command -- psql -h forte-drop-postgresql.forte-drop.svc -U drops -d drops \
-  -c "SELECT count(*) AS drops FROM drops;" -c "SELECT count(*) AS view_hits FROM view_hits;"
-```
-
-### 4. Bring the app back
-
-```bash
-# If you scaled web to 0 for the restore:
-kubectl -n forte-drop scale deploy/forte-drop --replicas=2
-```
-
-## Object data (uploaded drop files)
-
-Drop files live in `s3://drops/<slug>/...` in the same managed bucket. They are
-**not** part of the pg backup (the dump only holds metadata). Object storage is
-UpCloud-managed/replicated, so no separate file backup is configured. If a
-file-level backup is later required, mirror the bucket to a second bucket/region:
-
-```bash
-mc mirror --overwrite obj/drops/ backup-target/drops-mirror/
-```
-
-(Exclude `_pgbackups/` from the app-data mirror if you split them.)
-
-## Disaster scenarios
-
-| Scenario | Recovery |
-|---|---|
-| Postgres pod crash / reschedule | StatefulSet reattaches the PVC; ~1–2 min downtime; no data loss. |
-| PVC lost / corrupted | Recreate StatefulSet, restore latest nightly dump (above). Data since last dump is lost. |
-| Accidental `drops` table data loss | Restore latest dump; or `pg_restore` a single table from a dump. |
-| Namespace deleted | PVC has `Prune=false,Delete=false`; recreate Applications, PVC re-binds, app recovers. Backups in object storage are independent. |
-| Object storage bucket lost | UpCloud-managed (replicated). If the IAM key is rotated, update `forte-drop-secrets` (re-seal). |
--- a/apps/overlays/upc-dev/forte-drop-postgresql/forte-drop-postgresql.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/forte-drop-postgresql.yaml
@@ -1,40 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: forte-drop-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: forte-drop-postgresql
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: apps/overlays/upc-dev/forte-drop-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: forte-drop
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml
@@ -1,14 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: forte-drop-pg-creds
-  namespace: forte-drop
-spec:
-  encryptedData:
-    pgpassword: AgBYokuQRCTmPGC8soB7n8W39nmSAZDTV97i77NmdMh5ndaZNtCtXxhMcpM2z8kaGv2tCWIh47dr38a5tGPZ0TsmeEQOF9Rbbtq1fyR7pJwT8S+N2Z2zu354wNWQlltEAVvTvthe2wTer/BpyRofeSZprxihmfNpuHUP8rLsnIXln5tOWDzJ8hnRWoYZFITaihC2qrJj/kFE0Rfdcmzt1tSq3jCB/rWijVaJF9XSh4rzQoqZDiUNjDPUjyERILw59JWU4zf9OKcqNHDnmpXBR4LSjLhd9waN6ElEzO4gGcVaHISKrTwewX1ONwPHDnw6lqkQObyBPx8aUsGzxLkUhNDtvIYDkB4BKWP5Qu4bNcSztIbrxi6l7Lr/DWC9qTbKm1/p83rc6r8VqRMURUyQg8/vBlCHOIUbZ8DM1OfNlMd8gvcSkaxEVIdCDUjguCvE3cGyG4cqv2unllZQ+9417WwLNJecT6x1EL3nQyAlK5c9vUIbcVyaFlbSUcGB7xmPgZrZ6/3RDyOH6Tmew1ssV9gLvdaehscUE0fjnnFnJpczkwdyxIOSNLIkjlWetCKEbhowJbzk05h3M2p6XQQOuNTnsYjAADMGD72GUgAQlY8KXmDELtv09KELcXbeYS4gABPpMrVmvZymq8lqQ13Py8o+cIqbrU5V86WxASTfQ5gMo/ymYabuhTBIapcnaKR1dFCCfu8deh5f2HJ6/1NjdWR+XvEshg+EF5OkTUInukX4vA==
-    pgusername: AgCs6vyQ8CIv5OneP/jMltIPGdZQbpq/BFmQM1mkBD61Ve+anzve5K0Gkg+zsNfbZf0pOPAXtu4C4aL1Lwv7gqpoe4Hp/UEb/X9uLfJ1b8ZitmM1XsPmmSiCskHjrc2BLkAvfrVIXkHc3LOY2uZ/E5stc6Ss2WFE8/uzzVXW0B8fdEK0criludQ8iwR1gypulEcDNomXgkK/1gmmCWosUcVv4jDMDhqBD+b9WYnBB6J73gUclWVMvYDFdNas2PuoRzu5Twc9TAZrTxN5lvLOXAonOo0YiUbUhEC83sfMWYDT5/9OxqcJhAxtgFe9j83MpCwLSwfeLZm7UsUapWDb60MxPJLGvoGD/ZOhkeYt/YCZYROa57TMslVIL5YU1KCiNWvtRjIqnvdiBxI7MRvPUfAoawS4ktT5PDhTTfrixFbaF95jul2kKBXV+OYB1UNsFhcCgZx9rzYRt4lNmBv4m4HeXIp3EYY8VlGLQ45BVVqjJ4QkISvb7ifQWH1aPMQllj+J3GwW0KJN0dEgsh1LT+C7W5I5mq461NOTF1eih/XRBeuPoLlgApxiGXvFCTx8lji2/JIdOaqcg29hdabSprxa0YMStChi2pbtHhRzAuFCp8mInGt8Q406vu67Y4/51yuwI40YeDVu0lf010TB+/v2Zy3OrNyjlqrD5JNynsLuRl3UhuAKC14Xhg/MiDLvTzfsYE8aog==
-  template:
-    metadata:
-      name: forte-drop-pg-creds
-      namespace: forte-drop
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- postgresql.yaml
- forte-drop-pg-creds-sealed.yaml
- pg-backup-cronjob.yaml
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/pg-backup-cronjob.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/pg-backup-cronjob.yaml
@@ -1,93 +0,0 @@
-# Nightly logical backup of the forte-drop Postgres → UpCloud Managed Object Storage.
-# Dumps to s3://drops/_pgbackups/ (the `_` prefix is collision-proof: app slugs match
-# /^[a-z0-9][a-z0-9-]{0,62}$/ and can never start with `_`). Retains 30 days.
-#
-# Pod shape: initContainer pg_dump → shared emptyDir → mc upload + retention prune.
-# Both images pinned. S3 creds reuse forte-drop-secrets (the app's UpCloud user has
-# s3:* on the drops bucket). PG creds from forte-drop-pg-creds.
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: forte-drop-pg-backup
-  namespace: forte-drop
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: forte-drop
-    app.kubernetes.io/component: backup
-spec:
-  schedule: "0 2 * * *"           # 02:00 UTC daily
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 2
-      template:
-        metadata:
-          labels:
-            app.kubernetes.io/name: postgresql
-            app.kubernetes.io/instance: forte-drop
-            app.kubernetes.io/component: backup
-        spec:
-          restartPolicy: Never
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 65532
-            fsGroup: 65532
-          volumes:
-          - name: work
-            emptyDir: {}
-          initContainers:
-          - name: dump
-            image: postgres:16-alpine
-            command:
-            - sh
-            - -c
-            - |
-              set -euo pipefail
-              TS=$(date -u +%Y%m%dT%H%M%SZ)
-              echo "dumping to /work/forte-drop-${TS}.sql.gz"
-              PGPASSWORD="$PGPASSWORD" pg_dump \
-                -h forte-drop-postgresql.forte-drop.svc \
-                -p 5432 -U "$PGUSER" -d drops \
-                --no-owner --no-privileges \
-                | gzip -9 > "/work/forte-drop-${TS}.sql.gz"
-              echo "dump complete: $(ls -lh /work/)"
-            env:
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef: { name: forte-drop-pg-creds, key: pgusername }
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef: { name: forte-drop-pg-creds, key: pgpassword }
-            volumeMounts:
-            - name: work
-              mountPath: /work
-          containers:
-          - name: upload
-            image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
-            command:
-            - sh
-            - -c
-            - |
-              set -euo pipefail
-              mc alias set obj "$S3_ENDPOINT" "$S3_KEY" "$S3_SECRET"
-              mc cp /work/*.sql.gz "obj/${S3_BUCKET}/_pgbackups/"
-              echo "uploaded. pruning backups older than 30d:"
-              mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true
-              echo "backup retention pass complete"
-            env:
-            - name: S3_ENDPOINT
-              valueFrom:
-                secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT }
-            - name: S3_BUCKET
-              value: "drops"
-            - name: S3_KEY
-              valueFrom:
-                secretKeyRef: { name: forte-drop-secrets, key: S3_KEY }
-            - name: S3_SECRET
-              valueFrom:
-                secretKeyRef: { name: forte-drop-secrets, key: S3_SECRET }
-            volumeMounts:
-            - name: work
-              mountPath: /work
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
@@ -1,105 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: forte-drop-postgresql
-  namespace: forte-drop
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: forte-drop
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: forte-drop
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: forte-drop-postgresql
-  namespace: forte-drop
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: forte-drop
-    app.kubernetes.io/component: database
-spec:
-  serviceName: forte-drop-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: forte-drop
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: forte-drop
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        # NOTE: no securityContext. The official postgres image's entrypoint must
-        # start as root to chown a fresh /var/lib/postgresql/data, then drops to
-        # the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
-        # breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: forte-drop-pg-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: forte-drop-pg-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: drops
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d drops
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d drops
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-      annotations:
-        argocd.argoproj.io/sync-options: Prune=false,Delete=false
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      storageClassName: upcloud-block-storage-maxiops
-      resources:
-        requests:
-          storage: 5Gi
--- a/apps/overlays/upc-dev/forte-drop/forte-drop-pdb.yaml
+++ b/apps/overlays/upc-dev/forte-drop/forte-drop-pdb.yaml
@@ -1,24 +0,0 @@
-# Keep at least 1 web pod up during voluntary disruptions (node drain, upgrade).
-# Pairs with replicaCount: 2 so a drain can evict one pod while the other serves.
-#
-# Selector verified against live forteapp-chart deployments (mcp10x, argocd-mcp):
-# the chart's pod selector is {app.kubernetes.io/instance, app.kubernetes.io/name,
-# component: app} where instance/name == the ArgoCD Application (Helm release) name.
-# Using all three labels also disambiguates the web pods from the forte-drop-mcp
-# deployment that shares the forte-drop namespace (its instance/name == forte-drop-mcp).
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: forte-drop-web
-  namespace: forte-drop
-  labels:
-    app.kubernetes.io/name: forte-drop
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-spec:
-  minAvailable: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: forte-drop
-      app.kubernetes.io/name: forte-drop
-      component: app
--- a/apps/overlays/upc-dev/forte-drop/forte-drop-secrets-sealed.yaml
+++ b/apps/overlays/upc-dev/forte-drop/forte-drop-secrets-sealed.yaml
@@ -1,24 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: forte-drop-secrets
-  namespace: forte-drop
-spec:
-  encryptedData:
-    BASE_DOMAIN: AgAFybdBryVb2AQuGQC8REXzW0YZlyycJp/KeXnROkW71UjDe4qMAWkWszrJWxZMvAPO/tXmibp7jEol6aB5GKG0k3tswWoprTFXLd9CMR2U9SWR3ZCol4npPXo7uOxhBcNSVt+cDXyejSiFTi6goY2oOtbKAJSF9Nv7Z5ePaqhhFni3ntcmM0S1Ad1l3QR7VvyazHFBXfO0b8Z9NgYsUNbGrXWDwoSAZIv3ly3wx90AXn+dXX5FNPtl9CtyAVhHsl3liwQdhEwS2krZZjj7NiQTCfNXp7BSB9ZETpo9KkoV4AZNy1zupd3HpeXHsyhHjq/JqXIAF3iFU0tZTWjhcwnehYdEU5oduwfLCWym5PYgpiQAGiazpkm1Ss3/PYpZYnR2nWv60b1Pa5i79ZiPNi4GL67AiWoJDw6QxV0Kbzi0AvUkZI1E2PeIJvv1w9NKdMRo49xK8LUx2qSTpWeqRP+1kzklHqclTuNVxiWtR2wUgdoLzvU7p5ETu7kPEmaoE8rYw4dKgQvHlMok2Ky2JsELGBkCiYjUN75T+yNlGs5dzbiwtWOja/r0dJ3ZGBQjcK4/BbTLiMYsrxmJTPPF/2zhCOlFY6cfcRMmc7Mwr68mK9m2rTOJQNjBMDoASiqVMmeSqfRSln7JNb1pAeq4xcz9YJMBJhPy2XNiBvRJK3pGIjVcNST0jSpic1X01NJTy7aFbcniZzYnsKJV61AQb+daGEsB1Ib3GnJ+Rv8+9NfvWg==
-    PASSWORD_GATE_SECRET: AgDIiAPb7bCpTeORoZXIn7Is/yKT7Qm+qSexgmXuXpe+WaLCJDWM5uOlvxp5tbtK2KD3SNtUDrOJQYfWYBOAPrBMBnSpDr8Ie7/wlJBxXCfROk1TldOU3s5O+5OnFfTDS9rAdcWdZdJ+Bt0aktnpuHJpjdurFca5o8ne5SRwYtGk6mNinCYRcnwMApZ9Y7IxvC9xzOi1QIhoOepMrotRkVJtbrXiclN5cI+P/nU8LaGwM4AEJtO3L8zY5QK30SZ/Tsz20Qo8HHGdIBLhHbhTALrFe8+n+Egda66Vr1DkKgDERW59PeWBd6xHCRGNuAk2ZzUmuiN5DJmWgacAGy9QblMMjhOIGKgiqsd4jx/8wC8FoyxBSstGFajahL2C6oFzCpbp5NiS185znN0ohJXqQzkp5RbcBliSYUZgHC8D1jDGxzcTksD2Hgh2NIAlJOStsfB3fUb6hWIFzxim0lyP9kFM5y92Sf5B1/h6PeHKOi1CMC5RFAEKhoyM4W1W+NxASJeT/NptTehcrjBPxLVKBPh/qgMcuNYNk34EB0asELalYBJ5cxzt31LLiLE/uDxCydXiSk7ACho7LxNffcUUakEwwsJDmjFiCscu83TfZq2vw5/2bgOzUng4XGDBgYwwr/KEHueGX4Keg255R3KqxyiMSKDi4CUEtYShjSsSYwU62rdogOQu20N3HGVn+/CksqKky7GoD958d4PwT5MGJwQhp8EjemBomDxTKNsO+C4moMNZpAEBtPlP65Lc1cfcaLlaFrwP4VtYHLXXBIvMzCC+
-    PGDATABASE: AgCCkY7AUaoy2V+fRXrEeLODlHOTXWXmWCW6MBWEY1J32QrN0bWUmwDdTxv5KHchbhH8lra9bABNOGfRcz59GIg8fH3fwTWOE8luh9cD50QkphjZPe9eGXc6YzheG0CG5hDnUoiJjnP9/l5cZc6sRxAo7for/bbLa0zja3VMzI+NMhVVRZT01G5R/Aoyf+B/TGm4mYbMyWAIgEEfjl50yIkc4WscfQrRkbxAtBF2qFuS3OL95TYSRULBAt0f3Z2WpCdS2b/pUyHJuuoi8aTo1a9QLFMrUdxVi6ydIKaMcx8xR8DlXQLOOdtIQu4TrgzGX2MgHwrbWuf/SFO5IWB/6/JI3yubo+i88M9LwPKsGeslcquoBG3Ibqlnmw8pcPrXUwBq2BowjAqpGsxdiR5XIi2j8QnpA8dTmFARX9CWKHoXFH5+uxx7SSTPG+izlGtVspsu5xx3F8MZ6eStInCyBimTVrn74+IvMPEBrj7wThO6Bl9EA3POkTRf6AmjuPItTgZK8lfXY/t0qDN5zApeB051+jSGZ0/o4PaY414vCm/+OteuCAI4ooCpDOwG3QD52VtpmoAvGjtuWExrvCHMW+hTIxsNbYJ+2SE1oQy8n8J5kKK+AU/SnYf/VEpbawHrpU48g6sDUHQzzPhoLN41j67qopmfRZAo1r5Tb4n7MnEOF3Yi7aT3lE6JvB3gZUSRqnDYSWObTg==
-    PGHOST: AgCWDPCQ4P+vPKQXmzNspODUJYVidwQDzFRxY8JDj5JYW1u+2xK8LqE2uWWYCW3YjF+H6yJoH6gu35KqOtjm0E23zMlknwZwkK+L93J/nrnNZHCznoub9jEzaAsTRhytvuIUBPQnFulP/t9Q04RjmR9c14puS7VS/tM57/cLq5zq/BiSYL3Wx2lblE7Xn6k44+8robPP3YkmlOuqziM1li/qevB/jxRV9YFjIpCz6D7WG6Kkx9CA6fzgalMJ5ErUVTJOuLDDty3qKd+9mg4WCLahjyzhPq/rIPUFE77EBDCulnnlMyvOSPSP7pMzkaNR1Ce3cOxOYAZ5mO2u5Y5pXt34V8iPe87N85KHQNZTu1Mu5ELMLdhEYOlO5ZX2x/RsdEuriWz1NW8MC57pEUGE/XrFhDe6x80eHi++qDRat2d04rTBOtlceZMmPVxs8tTa3VaD4PepekSogddLVooscLL7lYIpyR0Q6qOA1NdF2uOpx7hf6QLY1HeD4V8RSVVxV9uK5lUTrnBjtU/aUwnGs0xKxVNdBEKwG5Kh7qdsgyBiEa9V4Y2ElteGHave4J7xzimdASrbgMnlgIfcMuo94eX/0M0BAmpD4bEByMCWbcFgAfNnIOpXLZvoEfZ3DxVysmCzD+0nq+CEatdOjKp11EKbtf3H4PgnKqWDe2p8FNPXhev60CMhFvXS/QYg9fe2YJt/wqcN5MstCej4IuiOJkuFJ0UhZ/F5760xhuPYCUWP1suIVZM=
-    PGPASSWORD: AgBH32G+EUtc3jzGCA9bf27TCbzgK9xz+r4dqd0QQJL9xHbqgOARGVVaQ88AOkWV5VgYjqc/GFp51jLzVOHxgLdkqO/oCBuX9ajQEoGfq24AxFnaB7fh+Vlc3/N9yhT8lWoxHmHjyMVeX75g/9KvhNaRKBgiWQNHlt1C2FNh1h3U/aMfWVJIENmKKH2A5sxWe5haB7nynZc9r1QXBQKa7XVpuxAFXDHz3j3cFyR5Qflp+ac2APEM1/xbiaZDgkBtBd6dsDoCP56Dr1m91kaRGgbeX6WmRJ/Y89WAp4yt3QVfa8uGL1+DrBBMcfB1nAQKA45eZjPE6zTOEHxgTETCcmXJQiOzttDmBHRkIClOLLipgGDJwMqtgQoEMoJKjXMC0rsRy0NVRmibZa310R3PQjuHrQXxRD9ZAXkYg3opwLKeKi07b/7mvLHr7hU81fkBGnqNm/6heOSAqDZfRdregbBbcI/go72aypn2vQ5R+ozCdfwcp1tGla8FGpkI+zAdBKihp5Yo21VZ83FlIMq2JHF2+tv58C+LFeyqL1nr6BUmGKUQ+lEOnRzGYo1sbO5wBChc6yP3ZbzZYfxfvXAdfDY7vZUsareOC4uyR1wDnIiJgQ4kqmAKf7HulJJatKNgsvbmukj7c6lHLsfFRg5pwLO6iese9TZgtima2wkdcRpHSdt4ycnyHbwrEZ4kepfFlN1pGUl573/3l2cOdzO+WLCqV96P5myL6OOmCTxOaLdSyA==
-    PGPORT: AgCXyGjhlTcq3ffD+ZZZxe5gvqRLQl2MYGl7SfJDjw4LMdr3iojAeQNdYZIeZN4Bec9thhz1DI/Bc5Iiw5TiB3MAAvl/XtQM/T23JrSlUsfqECuHKQGw5kkgeVCds4j4d/IHFt9yBv4W4+ogcL5TZIGGgMiKa/99T77xgE4OqjeqqC+bpFuLObiKt5sYcqcHl2DDshTy4xeukfdA2yI3N9Tq7zfbLpZUKHWWe1gE+FbA0s+QA1ZCYv9uEtu/E5BWOYxE0u4GKhMDfMpguks0CNnIoRpovY3vmOxzFtqa7RpPoQrQtEN2Xtizu/G8K8p+mZLQ0cf3KX0rwp8tAsVKWrp8FYOy6+2OLYlhmDl1hK+M15czaL60DVBqiRIlQFdj9K+s5KQ0qfsG9m4v2WPSeCLEKwcsyLyq9vzXbDKwcMN2DOMOan8VDo04UZzkfdZa3lztfw7MWIdpvB0+cpgK3mdbbPCqSIQ8UTjeSVBgEz4EPUds81W8gqAgmeVKpUQplgFuLNwCTnCkuMSNiA93D3dgGccXzXiDrIBIcLzxHAWr0XEjISyD/pmNEowbDvXB5yRlNi1ZB5AHsRPurUYs4XtZN5ar+sxyex78tG18OkcBbABatBp3ol28Rs1LEN+HJupzNl4XDUx35/j3t/FPcw9PkcF+hzaQL7aWj4EDEWfjlzz5FEBlU5N6sd078tB79TpasuIk
-    PGUSER: AgDH9oSzu61NVOUlK7Evr278VuOx7ZxZgdsk+kdJmwpBGX7r5gmPrdomh/mqLYTuLokkanFiTfchRWHc76FvjbA/KxqwCq1qsZbW+dXrRtx/z1wQApKxNUJ7JolwMwP7tHE6QlGzO2mWj6RUROnhKpNybJXVvC3E5sSyz2QWC9hjamQP997RGA9yiiT/OShC7I6drFYR5cRDtpjW7Sy46qhMwlCRppiKh3wOV7qIAa0aPQE3Rfcg2WpK2ugRL1N+SiVnM+wPQwYVLiDaVF40vP40Kari99hIgmhcbjPeGG3kGX5VLww9KGm7iryrW3Yx45L/CCh1arUUpjkK2FGLVKtb3+YmDadnOA/I8Rr5kebhoMc93E3U3+mDfQA3cO/23xgpOJEGRCQwBlN9mazqkdq4zQkb4+nuxsdyQcxYtncgxhfCcZ0mXnbX2aW2kYcxKqa/jNjBcEpGMvos7dq6QzNq2nHrITo15S74M0292CAje2NFvKURA/KZnT26dDw3e5xa74E1nI/tBJEHWrUwRXpPu7naCZ2sZMxQV6ixQMuDakx3YamXZmMwgFO2FZ6ZL9BDDsbV4+JAsNwEaHGIIaTbE28R/xPIcUqcxrQV4ZWmHnJXFGyJ0XXxJ57GGjs7QwvvzAm+9WGYtlSC6H/8rX8uZIQLr3llVbJMuLpIv45i3p0Nkx8jyxGSG3rNQ4l3K0rjly2qZg==
-    S3_BUCKET: AgBcx2UvWafkVQ4fc+Xuc+gCLm5O5DceYSYBslL1bd8p4hKI/2hJF9z9UoLyAedyyrx8pHizcugkcIccrV1iyfQod2lDrivVJCy3qHz0mrQ6ZCOAk9ApNJTYUn+x/AYZL9EKVj/vfEzSwOTqlri6H53aUrZr8lv01TqLcrZDeG+jv64psydYKmSESkPl0iQ9DOx2sGkowNYbiTjux+ED9yXDMDdzojhMepbuUHhjNr7V7Z2NpX8+pNVz2o8o/oIA0zAJs3+C02018N3cyJ9P9BP2/qR6N31aykyI4P6GU5WlL0CDGKaheYy9ukM5x8SoU87yZBHLUxN0MhrMVKoFswU6CwTG/A8Gjkp84ce2cvlnuXP6JEMlqgSb+O+SeCH8+kwL9A87xmb42OOXSGokS188/2/13b6S733WL81B0RX1X1pOfWybpJzDhgiOC3Pjn18ItVHjKw3FlY6kwk1+P1vbZoRl343avRdyQyJam28A9UvZeTG+ac7drRTDndKYKGP8IWg/A32MEFSiKHsvnRQoYE7KORyzJxp610L1+w46KOUF5VF2afch02Jt4uLcmCOyUb6LdcWln3Jiz+wydJI1HK1RPio5oUT5d5se3K3DCa+GffbPMorHe/SdzqaBH2+uBcQn+wZO7JC1ei7hz4U1xdV41gkG1uq7Xz49ymW6P7G6qUr65MtvD73iMRlnJt/mdkw5UQ==
-    S3_ENDPOINT: AgDA5n96LeW1spJfmm7f9lcus5Ndv/91HAlhOfv0YwP+9R8rQhKF1sEL9Oi7Fpd4VJCQi9vDbeWYjGOMtsMqsLJivcZK6367rdSqL/YpKax9SkDgU+UG5Bpr5SDv4p5C3/J4+GPkZV+BduJQlNVPycTrdM80VBK8aALCNs7gGxy68v6mMgI90MpTp84ZeWgtJ7ZpTySivpwgycwcezldJTYDDjOvVfbK79trsRzDtjbAZzbDn0M8At4LYAfY7JTqcdCRHSGnzyg+81CX2jjyMOH0K55SsIqPEBdXqvh+VmC+jPyFMzfAN5hA8+otWTXfI7VucxAMZtRUiLU3I4/kIO60OkVjEf/SWrJv3nKb85aVfvRZ9k/A7kJ/ysKTXz2/iSAHU1DHTJlMW7SfhXciotx1p3BWOREF0QAQvrNCURFP+eZogBCIuiP38fD0gHkhG2BZkAY/OVZTr17a3F02kwemAuJ85hgUf0iwFV+/LD6X2OiqM85lnac/3B5Qp7UQf+Enn5RTqd90Pk/7QtAf/zTDmfxiWTkwpKXeQ62xcnHL9dQnUmDDs16eJZd04AJGgT8yrC//2lVOht7u6KuyG/+JXRxLBXAkGkr68lHBBuGmeVZ/t7ChL2Asyfu/uUTl9E1BOUfNvZXxwyLgqueL0Uw/MGLgswBsP6pYNGraMF+K5v7dse8cUxpyqk3s1C1zqoAhkehsCBtTjI+hF90G9Nh6mVSocoH12znt7fgUnwNbpg==
-    S3_KEY: AgAiciTM2ZNVlU1M1CNNXLkhCEYYbO7q5+Mp/DoC4OHBgIDKVfHurH39Dniuwxe6DcvE3vG2glRyTxQEg/ASLcwa7HBwBAwXe3wl1tRGM5Bp40/Vq935BXpkhcdp2fSoup8lPEbKS8q+L5LOqUlx7jmnkHXbI1tasz63KE8O9RUFDdQ8Gxy3nn/u4xkvibYxwmo60ApLKYgOu/ODPEETrWBcITHAVFUxbA8Kr9X9mPm3VpfrnFcUlxsCFr/zZwE/Y01eWdi8GGafb+apDPKMd7mAsLHFcPIQlpkHVT1M21qwwntZg9yV0RBACNu5BVPUgbmtUOQeWYMXn3FE+NJ7ajfdKAUCcEUV/f4s00b0S7jJTJwOUixDquMKSfu00AwDRCs8UcouikZe110uWnfEF3tVE0xQGF/3ItLni9VugBz7wQv7ACvmwnHmX5ZcjE0hxYcIS7ABWgHOZxgWoRWPao8eNAATipafcVIG1szl5ZMNTmAqHFyp2dlNU3zaiW6fz4q4CU7SrlhsrtqYM788qHvpJvDpFdF/i6oitH9CgpwmdCpH6YbBXxatnkWq9bqjEFcSZGDfDyT+iZaoPwhiOfaEoCyKlZ9RLLaK3E8zFcCDRXHnvnkqPtP/+VG30xz9pIat2EVB1N4b/kVIrr+fIM28mwk0vkC/tU8T55GF5BZr7VaYedHM9DVcQ4OJl7Ctrc9Ki8PXrne8gywyomA0F+YY9lxdDw==
-    S3_REGION: AgAAHTbNQ3gGnvg67ck2N5zSKKhMwR1j6pi/tZzYMEPK8jSnDTBkLYAt6ZVRtdsO+dG9kjnMsc/xTUMxJspbvQkgLSd9mG5FzJ37rBn+azCCSTDYBKq2ddGK1Yf/9w7MxOgN8aCyD4QCFOzR0EI49GbVYQynxDD5BwYuf7y4t2xCYt5wRGsjyNAmH3202Z90XKUkts8Na1hyD+xrrtrAtNfugyZqKo2WUSsHu82TD+cu5xZI51oQ9w9Mh9LaH3nfn/X5S+t17TjYvI7/c6hOwCVv10OdoaZa+SzqOvy7XxnqAShAYkPqJKfWhjecE1b9c/Cun32X4MRI0GBWyA02z4nR+WBbaVmasicx6hchVn8/wZeKMIl68F5LE7184MKKPNNwqsYslwFhuWq8dEw3TaVvnWgx3+cSMiX15SBwcLtE2UzJp+jjN/dpQ2MM0+6uV1GK4mNso5JAwGpUUUi2i+V1Ng7uXipI+5J9w6K0IMg1puGqFyahby42saSuH6vuPnjSx+2dXQTlgbl2SvCBoCgyOOJs4q5IafEvupAmRCNzx2HHv8/z6CFbSQZITQ3plmyNGLFXjynVw/6Q1PD4z3Pows4uVcYOEPbC0UoaXVgwgdBWa2N44BUhpdbqJUCyKuapLigpjKujG43jmdLzuk6gaPeH7SJTZKr624vs9hrGhzQYKdl6FZOQhmCFRDKXVCUiH2Z2pfwd3oo=
-    S3_SECRET: AgCcVQ7YtBAGpKBm+rE/hQBHrFlX5O0JO94xkZeoAppA9Tf8YR/PguZRGBWgLdNEJRI8C08lRRCUX3PY68jTySyjamb32iQkslOXGjAfnULeNGoGg05nLY2ZDYCEom6ieL8cc2xfbrV3yHoPQ7yVz9vcLjh1vATxyfdkqMapl8FpvQf0k0Zecmw3rLWE9y6vAn6Gb+/CWTnuhcW/8uDykmjIBTDQQddWshaZi+HosHyDbNxlnGj4U8mie68wytpS+Unp1gIWWE0hvelqO/3OUEEBB1OYMLV2DW8v86HXAE1Ix9jiCpSbyB+UzjOlrE/p4fJpeG4FtUC+/5ibRSxxgQRQYklKFJmdRDYWUnOngjgcT/Ewe41mTrpCUvb+jtir68pYLmVrLoha7S60w1YQHNkDAN2GftOyBjkkt6MtUDNzvNkfnKqKGUWyDSC27yfJdE/9k/4lDxQs0Sp20kIuz66/culBpg/s/oPSNs4SolCqG3GVLlKL775uqwLLuDN3txlPLb+Ex5vZAUapke+rn2zXzJVc1qlPfI/96vSEy6cx58LXdBadmBXn6c4Uy2MDa66EwsxOMXxzGLTd7AGkd5oeQVYfVPdTfGV5zx1AdzQhP3u/DD5FhKeWGDOr21iYB2jNm/P/hw0nFP2pf83W4/jLzPvuth1LF/WLF8cjclnGbcep2Kxrh/Xq0LmufofuVJyEI9/fl6onl5KIa6ZnVBJ8TsQesXJtNEKt9cPHiCvBKfLj5C+a4FlY
-  template:
-    metadata:
-      name: forte-drop-secrets
-      namespace: forte-drop
--- a/apps/overlays/upc-dev/forte-drop/forte-drop.yaml
+++ b/apps/overlays/upc-dev/forte-drop/forte-drop.yaml
@@ -1,37 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: forte-drop
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
-  labels:
-    app.kubernetes.io/name: forte-drop
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/forte-drop/values.yaml
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: forte-drop
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true
--- a/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
+++ b/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
@@ -1,38 +0,0 @@
-# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
-# to the keycloak namespace; a CronJob registers the OIDC client in the forte
-# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
-# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
-# registrar-created Secret automatically — no manual SealedSecret step needed.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-forte-drop
-  namespace: forte-drop
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-  annotations:
-    keycloak.forteapps.net/source-namespace: "forte-drop"
-stringData:
-  client.json: |
-    {
-      "clientId": "forte-drop",
-      "name": "Forte Drop (web)",
-      "enabled": true,
-      "protocol": "openid-connect",
-      "clientAuthenticatorType": "client-secret",
-      "standardFlowEnabled": true,
-      "directAccessGrantsEnabled": false,
-      "serviceAccountsEnabled": false,
-      "publicClient": false,
-      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
-      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
-      "defaultClientScopes": ["openid","email","profile"],
-      "secret": {
-        "namespace": "forte-drop",
-        "name": "forte-drop-oidc-credentials",
-        "keys": {
-          "clientId": "client-id",
-          "clientSecret": "client-secret"
-        }
-      }
-    }
--- a/apps/overlays/upc-dev/forte-drop/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop/kustomization.yaml
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- namespace.yaml
- forte-drop.yaml
- keycloak-client-forte-drop.yaml
- forte-drop-pdb.yaml
- forte-drop-secrets-sealed.yaml
--- a/apps/overlays/upc-dev/forte-drop/namespace.yaml
+++ b/apps/overlays/upc-dev/forte-drop/namespace.yaml
@@ -1,17 +0,0 @@
-# Owns the forte-drop namespace shared by the web + mcp deployments and the
-# postgres StatefulSet (infra overlay). sync-wave -1 ensures the namespace exists
-# before the namespaced Secrets/PDB in this base apply (avoids a first-sync
-# "namespaces forte-drop not found" race when the business-apps parent syncs).
-# Prune=false so removing this base never cascade-deletes the namespace (and with
-# it postgres data + the mcp deployment) — matches the earlier decision to keep
-# namespace ownership decoupled from any single workload.
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: forte-drop
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
-    argocd.argoproj.io/sync-options: Prune=false
-  labels:
-    app.kubernetes.io/managed-by: argocd
-    app.kubernetes.io/part-of: apps
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -2,13 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- forte-drop-postgresql
- forte-drop
- forte-drop-mcp
 - dbunk-demo
+- feedback

-# No patches needed — base apps already default to "upc-dev" value paths
-# (upc-dev is the default/base cluster).
-# forte-drop (postgres + web + mcp) and dbunk-demo are upc-dev-only apps — they
-# have hackathon-domain hardcoded values and must not sync to upc-prod, so they
-# live here in the overlay rather than in apps/base/.
+# No patches needed — base already has "upc-dev" paths
+# upc-dev is the default/base cluster
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -245,6 +245,12 @@ spec:
                secretKeyRef:
                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
+            - name: AUTH_OIDC_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
+            - name: AUTH_OIDC_BROKER_ALIAS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
+            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -324,6 +330,8 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
+            - name: AUTH_MCP_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
            resources:
              limits:
                cpu: 50m
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+  annotations:
+    policies.kyverno.io/title: Require Labels
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod, Label
+    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: check-for-labels
+    skipBackgroundRequests: true
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - istio-system
+          - argocd
+          - cert-manager
+          - monitoring
+          - secrets
+          - kyverno
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: The label `app.kubernetes.io/name` is required.
+      allowExistingViolations: true
+      pattern:
+        metadata:
+          labels:
+            app.kubernetes.io/name: "?*"
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1063,52 +1063,6 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes

-### Vaultwarden
-
-**Chart**: `guerzon/vaultwarden`
-**Version**: 0.36.4 (app v1.36.0-alpine)
-**Namespace**: `vaultwarden`
-
-**Purpose**: Self-hosted Bitwarden-compatible password manager.
-
-**Configuration**:
-```yaml
-# infra/overlays/upc-dev/vaultwarden/ + infra/values/
-domain: "https://bitwarden.forteapps.net"
-
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: bitwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-
-database:
-  type: postgresql
-  host: vaultwarden-postgresql  # StatefulSet in overlay
-  existingSecret: prod-db-creds
-
-storage:
-  data: 5Gi (ReadWriteOnce)
-  attachments: 5Gi (ReadWriteOnce)
-```
-
-**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
-
-**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
-
-**Endpoints**:
- Web UI: `https://bitwarden.forteapps.net`
-
-**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
-
-**Secrets**:
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
- `vaultwarden-tls` — auto-managed by cert-manager
-
 ### AI Code Review (ai-review)

 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1187,30 +1141,6 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption

-### Keycloak Browser Flow (IdP Auto-Redirect)
-
-**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
-
-The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
-
-**Flow executions**:
-
-| Priority | Authenticator | Requirement | Purpose |
-|----------|--------------|-------------|---------|
-| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
-| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
-
-**Key fields in realm JSON**:
- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
- `"authenticationFlows"` — defines the custom flow with its executions
- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
-
-**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
-
-**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
-
---
-
 ### Keycloak Client Registrar

 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1454,6 +1384,46 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone

+### Keycloak Microsoft/Entra Identity Provider
+
+**File**: `infra/values/upc-dev/keycloak-values.yaml`
+**Namespace**: `keycloak`
+
+**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
+
+**Configuration via keycloakConfigCli**:
+- IdP alias: `forte-entra`, provider: `microsoft`
+- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
+- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
+
+**Key Configuration Notes**:
+
+| Field | Location | Notes |
+|-------|----------|-------|
+| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
+| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
+| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
+| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
+
+**Token Storage & Broker Access**:
+- `storeToken: true` persists the Entra access token in Keycloak
+- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
+- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
+
+**Identity Provider Mappers**:
+- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
+
+**Required Secret** (`microsoft-idp-credentials`):
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+stringData:
+  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
+```
+
 ### Default Namespace Blocker

 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -43,6 +43,10 @@ spec:
    - ServerSideApply=true

  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
--- a/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
+++ b/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: microsoft-idp-credentials
+  namespace: keycloak
+spec:
+  encryptedData:
+    MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
+  template:
+    metadata:
+      creationTimestamp: null
+      name: microsoft-idp-credentials
+      namespace: keycloak
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- vaultwarden-postgresql
- vaultwarden
+- entra-upc-dev-credentials-sealed.yaml

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vaultwarden-postgresql.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- postgresql.yaml
- vaultwarden-db-secret-sealed.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  serviceName: vaultwarden-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: vaultwarden
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: vaultwarden
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: vaultwarden
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
@@ -1,20 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: prod-db-creds
-  namespace: vaultwarden
-spec:
-  encryptedData:
-    DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
-    SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
-    SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
-    adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
-    pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
-    pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
-  template:
-    metadata:
-      creationTimestamp: null
-      name: prod-db-creds
-      namespace: vaultwarden
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vaultwarden
---
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: vaultwarden-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vaultwarden
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-vaultwarden
-  namespace: vaultwarden
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "vaultwarden",
-      "name": "Vaultwarden",
-      "redirectUris": ["https://vaultwarden.forteapps.net/*"],
-      "webOrigins": ["https://vaultwarden.forteapps.net"],
-      "protocolMappers": [],
-      "secret": {
-        "namespace": "vaultwarden",
-        "name": "vaultwarden-oidc-credentials",
-        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
-      }
-    }
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vaultwarden.yaml
- keycloak-client-config.yaml
--- a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: vaultwarden
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://guerzon.github.io/vaultwarden
-    chart: vaultwarden
-    targetRevision: "0.36.4"
-    helm:
-      releaseName: vaultwarden
-      valueFiles:
-      - $values/infra/values/base/vaultwarden-values.yaml
-      - $values/infra/values/upc-dev/vaultwarden-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vaultwarden
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -41,7 +41,6 @@ gitea:
    oauth2:
      ENABLED: true
      ENABLE_AUTO_REGISTRATION: true
-      ACCOUNT_LINKING: auto
      USERNAME: email

    session:
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -58,9 +58,6 @@ keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
-  extraEnvVars:
-  - name: IMPORT_MANAGED_PROTOCOL_MAPPER
-    value: "no-delete"
  configuration:
    forte-realm.json: |
      {
@@ -104,18 +101,6 @@ keycloakConfigCli:
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
-              },
-              {
-                "name": "groups",
-                "protocol": "openid-connect",
-                "protocolMapper": "oidc-group-membership-mapper",
-                "config": {
-                  "claim.name": "groups",
-                  "full.path": "false",
-                  "id.token.claim": "true",
-                  "access.token.claim": "true",
-                  "userinfo.token.claim": "true"
-                }
              }
            ]
          },
@@ -188,54 +173,7 @@ keycloakConfigCli:
            ]
          }
        ],
-        "browserFlow": "browser-auto-idp",
-        "authenticationFlows": [
-          {
-            "alias": "browser-auto-idp",
-            "description": "Browser flow with auto-redirect to Forte Entra IdP",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": false,
-            "authenticationExecutions": [
-              {
-                "authenticator": "auth-cookie",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 10
-              },
-              {
-                "authenticator": "identity-provider-redirector",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 20,
-                "authenticatorConfig": "forte-entra-redirector"
-              }
-            ]
-          }
-        ],
-        "authenticatorConfig": [
-          {
-            "alias": "forte-entra-redirector",
-            "config": {
-              "defaultProvider": "forte-entra"
-            }
-          }
-        ],
        "groups": [
-          {
-            "name": "k8s",
-            "path": "/k8s",
-            "clientRoles": {
-              "grafana": ["Editor"]
-            }
-          },
-          {
-            "name": "dev",
-            "path": "/dev",
-            "clientRoles": {
-              "grafana": ["Viewer"]
-            }
-          },
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
@@ -321,7 +259,7 @@ extraDeploy:
                ADMIN_PASS=$(cat /secrets/admin-password)

                echo "Authenticating to Keycloak..."
-                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+                TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
@@ -338,7 +276,7 @@ extraDeploy:
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
-                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  code=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
@@ -347,7 +285,7 @@ extraDeploy:
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
-                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    code=$(curl -s -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
@@ -394,7 +332,7 @@ extraDeploy:

                  # Get the client secret from Keycloak
                  local secret_value
-                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                  secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')

@@ -409,7 +347,7 @@ extraDeploy:

                  # Write to target namespace (if it exists)
                  local ns_status
-                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -433,12 +371,12 @@ extraDeploy:
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
-                  curl -sf -o /dev/null \
+                  curl -s -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
-                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
                }

                # =============================================
@@ -446,7 +384,7 @@ extraDeploy:
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="

-                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")

                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -471,7 +409,7 @@ extraDeploy:
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="

-                CONFIG_SECRETS=$(curl -sf \
+                CONFIG_SECRETS=$(curl -s \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -492,6 +430,10 @@ extraDeploy:
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)

                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
+                  if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
+                    echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
+                    continue
+                  fi
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"

                  # Compute config hash for change detection
@@ -508,7 +450,7 @@ extraDeploy:
                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
-                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
+                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")

                  # Skip if hash matches and credential Secret exists
                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
@@ -529,46 +471,68 @@ extraDeploy:
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
                    protocolMappers: (.protocolMappers // [])
-                  } | with_entries(select(.value != null))')
+                  } + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end')

                  # Check if client already exists
-                  EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
-                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
-                  EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
+                  EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                    | jq -r '.[0].id // empty')

                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
-                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                    if [ "$HTTP_CODE" != "201" ]; then
-                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    # Fetch the newly created client's UUID
                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
-                      | jq -r '.[0].id' || true)
+                      | jq -r '.[0].id')
+                  fi
+
+                  # Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
+                  REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
+                  if [ -n "$REQUESTED_SCOPES" ]; then
+                    # Fetch all realm client scopes once
+                    ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
+
+                    echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
+                      [ -z "$SCOPE_NAME" ] && continue
+                      SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
+                      if [ -z "$SCOPE_ID" ]; then
+                        echo "  WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
+                        continue
+                      fi
+                      SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                        -H "Authorization: Bearer ${TOKEN}" \
+                        -X PUT \
+                        "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
+                      if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
+                        echo "  Assigned scope '${SCOPE_NAME}'"
+                      else
+                        echo "  WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
+                      fi
+                    done
                  fi

                  # Sync credentials to target namespace
--- a/infra/values/base/vaultwarden-values.yaml
+++ b/infra/values/base/vaultwarden-values.yaml
@@ -1,3 +0,0 @@
-image:
-  tag: "1.36.0-alpine"
-domain: "https://vaultwarden.forteapps.net"
--- a/infra/values/upc-dev/homepage-values.yaml
+++ b/infra/values/upc-dev/homepage-values.yaml
@@ -59,10 +59,6 @@ config:
        href: https://benken.hackathon.forteapps.net
        description: Teknisk kompetanse fra offentlige anbud
        icon: forte
-    - Forte Drop:
-        href: https://drop.hackathon.forteapps.net
-        description: Self-hosted HTML-drops + MCP for Claude
-        icon: forte
    - Forte Feedback:
        href: https://feedback.forteapps.net
        description: Fortes internal feedback app
--- a/infra/values/upc-dev/keycloak-values.yaml
+++ b/infra/values/upc-dev/keycloak-values.yaml
@@ -1,2 +1,112 @@
 ingress:
  hostname: id.forteapps.net
+
+extraEnvVars:
+  - name: KC_FEATURES
+    value: "token-exchange:v1,admin-fine-grained-authz:v1"
+
+keycloakConfigCli:
+  enabled: true
+  extraEnvVars:
+    - name: IMPORT_VAR_SUBSTITUTION_ENABLED
+      value: "true"
+    - name: MS_IDP_CLIENT_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: microsoft-idp-credentials
+          key: MS_IDP_CLIENT_SECRET
+  configuration:
+    microsoft-idp.json: |
+      {
+        "realm": "forte",
+        "authenticationFlows": [
+          {
+            "alias": "auto-link-first-broker-login",
+            "description": "Auto-link IdP accounts to existing users by email",
+            "providerId": "basic-flow",
+            "topLevel": true,
+            "builtIn": false,
+            "authenticationExecutions": [
+              {
+                "authenticator": "idp-create-user-if-unique",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 10
+              },
+              {
+                "authenticator": "idp-auto-link",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 20
+              }
+            ]
+          }
+        ],
+        "identityProviders": [
+          {
+            "alias": "forte-entra",
+            "displayName": "Forte Entra",
+            "providerId": "microsoft",
+            "enabled": true,
+            "trustEmail": true,
+            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
+            "config": {
+              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
+              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
+              "defaultScope": "openid email profile",
+              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
+              "syncMode": "IMPORT"
+            }
+          },
+          {
+            "alias": "forte-entra-graph",
+            "displayName": "Forte Entra (Graph)",
+            "providerId": "microsoft",
+            "enabled": true,
+            "storeToken": true,
+            "trustEmail": true,
+            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
+            "config": {
+              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
+              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
+              "defaultScope": "openid email profile User.Read Mail.Send",
+              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
+              "syncMode": "IMPORT"
+            }
+          }
+        ],
+        "identityProviderMappers": [
+          {
+            "name": "forte-entra-email",
+            "identityProviderAlias": "forte-entra",
+            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+            "config": {
+              "syncMode": "INHERIT",
+              "attribute": "emailVerified",
+              "attribute.value": "true"
+            }
+          },
+          {
+            "name": "forte-entra-graph-email",
+            "identityProviderAlias": "forte-entra-graph",
+            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+            "config": {
+              "syncMode": "INHERIT",
+              "attribute": "emailVerified",
+              "attribute.value": "true"
+            }
+          }
+        ],
+        "roles": {
+          "realm": [
+            {
+              "name": "default-roles-forte",
+              "composites": {
+                "client": {
+                  "broker": ["read-token"]
+                }
+              }
+            }
+          ]
+        }
+      }
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -1,82 +0,0 @@
-adminToken:
-  existingSecret: "prod-db-creds"
-  existingSecretKey: "adminToken"
-domain: "https://vaultwarden.forteapps.net"
-signupsAllowed: false
-resourceType: StatefulSet
-database:
-  type: postgresql
-  host: vaultwarden-postgresql
-  port: "5432"
-  dbName: vaultwarden
-  existingSecret: prod-db-creds
-  existingSecretKey: DATABASE_URL
-  existingSecretUserKey: pgusername
-  existingSecretPasswordKey: pgpassword
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: vaultwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "VaultWarden"
-    gethomepage.dev/description: "Password management"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "vaultwarden"
-    gethomepage.dev/href: "https://vaultwarden.forteapps.net"
-
-replicas: 1
-# Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs
-
-service:
-  sessionAffinity: ClientIP
-  sessionAffinityConfig:
-    clientIP:
-      timeoutSeconds: 10800
-
-smtp:
-  host: smtp.office365.com
-  security: starttls
-  port: 587
-  authMechanism: "Login"
-  from: noreply@fortedigital.com
-  fromName: "Forte Bitwarden Administrator"
-  debug: true
-  existingSecret: prod-db-creds
-  username:
-    existingSecretKey: SMTP_USERNAME
-  password:
-    existingSecretKey: SMTP_PASSWORD
-
-storage:
-  data:
-    name: "vaultwarden-data"
-    size: "5Gi"
-    class: ""
-    path: "/data"
-    keepPvc: true
-    accessMode: "ReadWriteOnce"
-
-  attachments:
-    name: "vaultwarden-files"
-    size: "5Gi"
-    class: ""
-    path: /files
-    keepPvc: true
-    accessMode: "ReadWriteOnce"
-
-sso:
-  enabled: true
-  existingSecret: vaultwarden-oidc-credentials
-  authority: "https://id.forteapps.net/realms/forte"
-  scopes: "email profile"
-  onlySSO: true
-  pkce: true
-  signupsMatchEmail: true
-  clientId:
-    existingSecretKey: client-id
-  clientSecret:
-    existingSecretKey: client-secret
Author	SHA1	Message	Date
Danijel Simeunovic	9d33b6a9c3	KC deploy 3	2026-05-04 15:00:28 +02:00
Danijel Simeunovic	0036d986a8	KC deploy 2	2026-05-04 14:56:06 +02:00
Danijel Simeunovic	70dab12b05	KC deploy	2026-05-04 13:49:18 +02:00
Danijel Simeunovic	47e9619ae2	KC_FEATURES	2026-05-04 12:08:32 +02:00
Danijel Simeunovic	2e09a2d404	ign diff	2026-04-30 19:08:24 +02:00
Danijel Simeunovic	9e9254a466	auto flow	2026-04-30 18:24:34 +02:00
Danijel Simeunovic	539217c3f2	subst	2026-04-30 18:16:25 +02:00
Danijel Simeunovic	80cf435486	test2	2026-04-30 18:11:48 +02:00
Danijel Simeunovic	0d7980d105	env secret	2026-04-30 18:05:09 +02:00
Danijel Simeunovic	f280596ddb	debug	2026-04-30 18:00:08 +02:00
Danijel Simeunovic	65dc795cd6	idp hint	2026-04-30 15:50:23 +02:00
Danijel Simeunovic	237dc0ff90	new idp	2026-04-30 15:34:58 +02:00
Danijel Simeunovic	788cc8f4f4	tenantId	2026-04-30 15:19:37 +02:00
Danijel Simeunovic	4def4d2ed7	cli enable	2026-04-30 15:08:20 +02:00
Danijel Simeunovic	7d1e2d4665	broker alias	2026-04-30 14:49:38 +02:00
Danijel Simeunovic	417185d567	idp auto config Co-authored-by: Copilot <copilot@github.com>	2026-04-30 14:37:13 +02:00
Danijel Simeunovic	03e60a3512	kc syncer	2026-04-30 11:45:30 +02:00
Danijel Simeunovic	2135580210	kc script	2026-04-29 14:42:27 +02:00
Danijel Simeunovic	37a38a1179	feedback app Co-authored-by: Copilot <copilot@github.com>	2026-04-29 14:22:02 +02:00