secrets

cluster-resources/letsencrypt-issuer.yaml

@@ -12,18 +12,6 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging-key
     solvers:
-    # DNS-01 solver for wildcard certificates (*.example.com)
-    - dns01:
-        cloudflare:
-          email: danijels@gmail.com
-          apiTokenSecretRef:
-            name: cloudflare-api-token-secret
-            key: api-token
-      selector:
-        dnsNames:
-        - '*.example.com'
-        - 'example.com'
-    # HTTP-01 fallback for non-wildcard certificates
     - http01:
         ingress:
           class: traefik
@@ -42,116 +30,6 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-prod-key
     solvers:
-    # DNS-01 solver for wildcard certificates (*.example.com)
-    - dns01:
-        cloudflare:
-          email: danijels@gmail.com
-          apiTokenSecretRef:
-            name: cloudflare-api-token-secret
-            key: api-token
-      selector:
-        dnsNames:
-        - '*.example.com'
-        - 'example.com'
-    # HTTP-01 fallback for non-wildcard certificates
     - http01:
         ingress:
           class: traefik
-
-# =============================================================================
-# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
-# -----------------------------------------------------------------------------
-# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
-#   --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
-#
-# dns01:
-#   cloudflare:
-#     email: your-cloudflare-email@example.com
-#     apiTokenSecretRef:
-#       name: cloudflare-api-token-secret
-#       key: api-token
-
-# -----------------------------------------------------------------------------
-# Option 2: AWS Route53
-# -----------------------------------------------------------------------------
-# Create secret with: kubectl create secret generic route53-credentials \
-#   --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
-#
-# dns01:
-#   route53:
-#     region: us-east-1
-#     hostedZoneID: ZXXXXXXXXXXXXX  # Optional: auto-detected if not specified
-#     accessKeyID: YOUR_ACCESS_KEY_ID
-#     secretAccessKeySecretRef:
-#       name: route53-credentials
-#       key: secret-access-key
-
-# -----------------------------------------------------------------------------
-# Option 3: Azure DNS
-# -----------------------------------------------------------------------------
-# Create secret with: kubectl create secret generic azuredns-config \
-#   --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
-#
-# dns01:
-#   azureDNS:
-#     subscriptionID: YOUR_SUBSCRIPTION_ID
-#     resourceGroupName: YOUR_RESOURCE_GROUP
-#     hostedZoneName: example.com
-#     environment: AzurePublicCloud
-#     managedIdentity:
-#       clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID  # For AKS with pod identity
-#     # OR use service principal:
-#     # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
-#     # clientSecretSecretRef:
-#     #   name: azuredns-config
-#     #   key: client-secret
-
-# -----------------------------------------------------------------------------
-# Option 4: Google Cloud DNS
-# -----------------------------------------------------------------------------
-# Create secret with service account JSON key:
-# kubectl create secret generic clouddns-service-account \
-#   --from-file=service-account.json=path/to/key.json -n cert-manager
-#
-# dns01:
-#   cloudDNS:
-#     project: YOUR_GCP_PROJECT_ID
-#     hostedZoneName: example-com  # Managed zone name in Cloud DNS
-#     serviceAccountSecretRef:
-#       name: clouddns-service-account
-#       key: service-account.json
-
-# -----------------------------------------------------------------------------
-# Option 5: GoDaddy
-# -----------------------------------------------------------------------------
-# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
-#
-# dns01:
-#   webhook:
-#     groupName: acme.yourcompany.com
-#     solverName: godaddy
-#     config:
-#       apiKeySecretRef:
-#         name: godaddy-api-credentials
-#         key: api-key
-#       apiSecretSecretRef:
-#         name: godaddy-api-credentials
-#         key: api-secret
-
-# -----------------------------------------------------------------------------
-# Option 6: Manual/Dynamic DNS (for homelab)
-# -----------------------------------------------------------------------------
-# Requires RFC2136 provider or external webhook
-#
-# dns01:
-#   rfc2136:
-#     nameserver: your-dns-server.example.com
-#     tsigKeyName: cert-manager-key
-#     tsigAlgorithm: HMACSHA256
-#     tsigSecretSecretRef:
-#       name: tsig-secret
-#       key: secret

cluster-resources/policies/label-checker.yaml

@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+  annotations:
+    policies.kyverno.io/title: Require Labels
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod, Label
+    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: check-for-labels
+    skipBackgroundRequests: true
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - istio-system
+          - argocd
+          - cert-manager
+          - monitoring
+          - secrets
+          - kyverno
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: The label `app.kubernetes.io/name` is required.
+      allowExistingViolations: true
+      pattern:
+        metadata:
+          labels:
+            app.kubernetes.io/name: "?*"

cluster-resources/wildcard-certificate-example.yaml

@@ -1,92 +0,0 @@
----
-# Example: Wildcard Certificate for *.example.com
-# This creates a certificate that covers ALL subdomains of example.com
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: wildcard-example-com
-  namespace: default  # Change to your application's namespace
-spec:
-  # The secret where the TLS certificate will be stored
-  secretName: wildcard-example-com-tls
-  
-  # Use the production issuer (use letsencrypt-staging for testing)
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-    
-  # DNS names this certificate will cover
-  # Both wildcard AND apex domain are recommended
-  dnsNames:
-    - '*.example.com'    # Covers: app.example.com, api.example.com, etc.
-    - 'example.com'      # Also include apex domain explicitly
-  
-  # Optional: Configure certificate duration and renewal
-  duration: 2160h0m0s    # 90 days (Let's Encrypt default)
-  renewBefore: 720h0m0s  # Renew 30 days before expiry
-  
-  # Optional: Private key settings
-  privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 4096
-
----
-# Example: Using the wildcard certificate with a Traefik IngressRoute
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: app-ingress
-  namespace: default
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    # Match any subdomain - the wildcard cert covers all of them
-    - match: Host(`app.example.com`) || Host(`api.example.com`) || Host(`www.example.com`)
-      kind: Rule
-      services:
-        - name: my-service
-          port: 80
-  tls:
-    # Reference the secret created by the Certificate
-    secretName: wildcard-example-com-tls
-
----
-# Example: Using wildcard certificate with standard Kubernetes Ingress
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wildcard-ingress
-  namespace: default
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  tls:
-    - hosts:
-        - '*.example.com'
-        - 'example.com'
-      secretName: wildcard-example-com-tls
-  rules:
-    - host: app.example.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: app-service
-                port:
-                  number: 80
-    - host: api.example.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: api-service
-                port:
-                  number: 80

infra/overlays/upc-dev/kustomization.yaml

@@ -4,6 +4,8 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
+- passwordpusher-postgresql
+- passwordpusher
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher-postgresql.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: passwordpusher
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: passwordpusher-postgresql
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/name: passwordpusher-postgresql
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: passwordpusher
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+- passwordpusher-db-secret-sealed.yaml
+- passwordpusher-smtp-secret-sealed.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: passwordpusher-db-creds
+  namespace: passwordpusher
+spec:
+  encryptedData:
+    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
+    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
+    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: passwordpusher-db-creds
+      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: passwordpusher-smtp-creds
+  namespace: passwordpusher
+spec:
+  encryptedData:
+    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
+    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
+  template:
+    metadata:
+      creationTimestamp: null
+      name: passwordpusher-smtp-creds
+      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: passwordpusher-postgresql
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: passwordpusher
+    app.kubernetes.io/component: database
+spec:
+  type: ClusterIP
+  ports:
+  - name: tcp-postgresql
+    port: 5432
+    targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: passwordpusher
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: passwordpusher-postgresql
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: passwordpusher
+    app.kubernetes.io/component: database
+spec:
+  serviceName: passwordpusher-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/instance: passwordpusher
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgresql
+        app.kubernetes.io/instance: passwordpusher
+        app.kubernetes.io/component: database
+    spec:
+      containers:
+      - name: postgresql
+        image: postgres:16-alpine
+        ports:
+        - name: tcp-postgresql
+          containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: passwordpusher-db-creds
+              key: pgusername
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: passwordpusher-db-creds
+              key: pgpassword
+        - name: POSTGRES_DB
+          value: passwordpusher
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi

infra/overlays/upc-dev/passwordpusher/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher.yaml

infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: passwordpusher
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: passwordpusher
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://pglombardo.github.io/passwordpusher-charts
+    chart: password-pusher
+    targetRevision: "1.4.4"
+    helm:
+      releaseName: passwordpusher
+      valueFiles:
+      - $values/infra/values/base/passwordpusher-values.yaml
+      - $values/infra/values/upc-dev/passwordpusher-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: passwordpusher
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/values/base/passwordpusher-values.yaml

@@ -0,0 +1,7 @@
+image:
+  repository: docker.io/pglombardo/pwpush
+  tag: "release-1.51.0"
+
+# Disable the bundled postgresql subchart — we run our own StatefulSet
+postgresql:
+  enabled: false

infra/values/upc-dev/passwordpusher-values.yaml

@@ -0,0 +1,50 @@
+env:
+  PWP__HOST_DOMAIN: pwpush.forteapps.net
+  PWP__HOST_PROTOCOL: https
+  PWP__ENABLE_LOGINS: "true"
+  PWP__ALLOW_ANONYMOUS: "false"
+  PWP__SIGNUPS_ENABLED: "false"
+  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
+  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
+  PWP__MAIL_SMTP_PORT: "587"
+  PWP__MAIL_SMTP_AUTHENTICATION: login
+  PWP__MAIL_SMTP_STARTTLS: "true"
+  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
+  PWP__MAIL_SENDER: noreply@fortedigital.com
+
+envFrom:
+- secretRef:
+    name: passwordpusher-db-creds
+- secretRef:
+    name: passwordpusher-smtp-creds
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "PasswordPusher"
+    gethomepage.dev/description: "Share passwords securely with expiring links"
+    gethomepage.dev/group: "Security"
+    gethomepage.dev/icon: "passwordpusher"
+    gethomepage.dev/href: "https://pwpush.forteapps.net"
+  hosts:
+  - host: pwpush.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: passwordpusher-tls
+    hosts:
+    - pwpush.forteapps.net
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+replicaCount: 1