pw

Reviewed-on: #13
Reviewed-by: gitea_admin <admin@forteapps.net>
Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>

_app-of-apps-aks-dev.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/aks-dev
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-aks-prod.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/aks-prod
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-eks-dev.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/eks-dev
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-eks-prod.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/eks-prod
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-gke-dev.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/gke-dev
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-gke-prod.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/gke-prod
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-upc-prod.yaml

@@ -18,7 +18,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
     path: infra/overlays/upc-prod
   destination:

apps/base/dot-ai-stack.yaml

@@ -37,7 +37,7 @@ spec:
       - $values/infra/values/base/dot-ai-stack-values.yaml
       - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
 
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
     ref: values
 

apps/base/kustomization.yaml

@@ -4,4 +4,5 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
+- ts-mcp.yaml
 - argo-mcp.yaml

apps/base/ts-mcp.yaml

@@ -0,0 +1,50 @@
+---
+# Namespace must be created first (sync-wave: -1)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ts-mcp
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+# ArgoCD Application syncs last (sync-wave: 11)
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ts-mcp
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "11"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: ts-mcp
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/ts-mcp/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ts-mcp
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

bootstrap.sh

@@ -2,7 +2,7 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
 
 echo "running $0 for cluster: ${CLUSTER}..."
 

cluster-resources/backstage-keycloak-client-config.yaml

@@ -0,0 +1,43 @@
+# Self-service Keycloak client config for Backstage.
+# Kyverno clones this to the keycloak namespace, where the
+# keycloak-client-registrar CronJob processes it and creates
+# the backstage-oidc-credentials Secret in the backstage namespace.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-backstage
+  namespace: backstage
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "backstage",
+      "name": "Backstage Developer Portal",
+      "redirectUris": ["https://backstage.forteapps.net/api/auth/oidc/handler/frame"],
+      "webOrigins": ["https://backstage.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [
+        {
+          "name": "email_verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-hardcoded-claim-mapper",
+          "config": {
+            "claim.name": "email_verified",
+            "claim.value": "true",
+            "jsonType.label": "boolean",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ],
+      "secret": {
+        "namespace": "backstage",
+        "name": "backstage-oidc-credentials",
+        "keys": {
+          "clientId": "AUTH_OIDC_CLIENT_ID",
+          "clientSecret": "AUTH_OIDC_CLIENT_SECRET"
+        }
+      }
+    }

cluster-resources/gitea-backup-cronjob.yaml

@@ -57,17 +57,17 @@ spec:
                 - sh
                 - -c
                 - |
-                  mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+                  mc alias set upcloud "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
 
                   TIMESTAMP=$(date +%Y%m%d-%H%M%S)
                   KEY="gitea-dump-${TIMESTAMP}.zip"
                   echo "Uploading ${KEY}..."
-                  mc cp /backup/gitea-dump.zip "s3/${S3_BUCKET}/${KEY}" && \
+                  mc cp /backup/gitea-dump.zip "upcloud/${S3_BUCKET}/${KEY}" && \
                   echo "Upload complete."
 
                   # Prune backups older than 7 days
                   echo "Pruning backups older than 7 days..."
-                  mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
+                  mc rm --older-than 7d --force "upcloud/${S3_BUCKET}/" 2>&1 || true
                   echo "Pruning complete."
               envFrom:
                 - secretRef:

cluster-resources/policies/label-checker.yaml

@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: require-labels
-  annotations:
-    policies.kyverno.io/title: Require Labels
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod, Label
-    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
-  validationFailureAction: Audit
-  background: true
-  rules:
-  - name: check-for-labels
-    skipBackgroundRequests: true
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - istio-system
-          - argocd
-          - cert-manager
-          - monitoring
-          - secrets
-          - kyverno
-          - trivy-system
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    validate:
-      message: The label `app.kubernetes.io/name` is required.
-      allowExistingViolations: true
-      pattern:
-        metadata:
-          labels:
-            app.kubernetes.io/name: "?*"

clusters/aks-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-fd-aks
-domain: forteapps.net
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.forteapps.net
-keycloakDomain: id.forteapps.net
-dotaiDomain: kubemcp.forteapps.net
-dotaiUiDomain: kubemcpui.forteapps.net
-letsencryptEmail: danijels@gmail.com
-trustedIPs: "10.0.0.0/8"
-cloudProvider: azure

clusters/aks-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: prod-fd-aks
-domain: fortedigital.com
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.fortedigital.com
-keycloakDomain: id.fortedigital.com
-dotaiDomain: kubemcp.fortedigital.com
-dotaiUiDomain: kubemcpui.fortedigital.com
-letsencryptEmail: danijel.simeunovic@fortedigital.com
-trustedIPs: "10.0.0.0/8"
-cloudProvider: azure

clusters/eks-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-fd-eks
-domain: forteapps.net
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.forteapps.net
-keycloakDomain: id.forteapps.net
-dotaiDomain: kubemcp.forteapps.net
-dotaiUiDomain: kubemcpui.forteapps.net
-letsencryptEmail: danijels@gmail.com
-trustedIPs: "10.0.0.0/8"
-cloudProvider: aws

clusters/eks-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: prod-fd-eks
-domain: fortedigital.com
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.fortedigital.com
-keycloakDomain: id.fortedigital.com
-dotaiDomain: kubemcp.fortedigital.com
-dotaiUiDomain: kubemcpui.fortedigital.com
-letsencryptEmail: danijel.simeunovic@fortedigital.com
-trustedIPs: "10.0.0.0/8"
-cloudProvider: aws

clusters/gke-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-fd-gke
-domain: forteapps.net
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.forteapps.net
-keycloakDomain: id.forteapps.net
-dotaiDomain: kubemcp.forteapps.net
-dotaiUiDomain: kubemcpui.forteapps.net
-letsencryptEmail: danijels@gmail.com
-trustedIPs: "10.0.0.0/8"
-cloudProvider: gcp

clusters/gke-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: prod-fd-gke
-domain: fortedigital.com
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.fortedigital.com
-keycloakDomain: id.fortedigital.com
-dotaiDomain: kubemcp.fortedigital.com
-dotaiUiDomain: kubemcpui.fortedigital.com
-letsencryptEmail: danijel.simeunovic@fortedigital.com
-trustedIPs: "10.0.0.0/8"
-cloudProvider: gcp

docs/DEVELOPER-GUIDE.md

@@ -962,6 +962,46 @@ User sees application (authenticated)
 
 ---
 
+### Accessing Authenticated User Information
+
+The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
+
+After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
+
+| Header | Description | Available in |
+|--------|-------------|-------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+**Your application reads these headers — no auth library needed:**
+
+```javascript
+// Express.js example
+app.get('/profile', (req, res) => {
+  const user = req.headers['x-auth-user'];
+  const email = req.headers['x-auth-email'];
+  res.json({ user, email });
+});
+```
+
+```python
+# Flask example
+@app.route('/profile')
+def profile():
+    user = request.headers.get('X-Auth-User')
+    email = request.headers.get('X-Auth-Email')
+    return jsonify(user=user, email=email)
+```
+
+**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
+
+**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
+
+---
+
 ### Authentication Configuration Reference
 
 #### Helm Values Schema

docs/REFERENCE.md

@@ -9,7 +9,6 @@
 - [Kyverno Policies](#kyverno-policies)
 - [Configuration Reference](#configuration-reference)
 - [API Endpoints](#api-endpoints)
-- [Cloud Overlay Pattern](#cloud-overlay-pattern)
 - [Glossary](#glossary)
 
 ---
@@ -20,9 +19,9 @@
 
 | Component | Value |
 |-----------|-------|
-| **Provider** | Multi-cloud (UpCloud, AKS, EKS, GKE) |
-| **Environment** | Dev + Production per cloud |
-| **Cluster Count** | Multi-cluster (upc-dev/prod, aks-dev/prod, eks-dev/prod, gke-dev/prod) |
+| **Provider** | UpCloud Managed Kubernetes |
+| **Environment** | Production (internal use) |
+| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -93,34 +92,16 @@ launchpad/
 │   ├── sealedsecrets.yaml
 │   ├── secrets.yaml
 │   ├── renovate.yaml
-│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
-│   │   ├── gitea.yaml
-│   │   ├── opencost.yaml
-│   │   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
-│   │   ├── grafana.yaml
-│   │   └── ...
-│   ├── overlays/
-│   │   └── upc-prod/
-│   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
-│       ├── base/                   # Cloud-agnostic Helm values
-│       │   ├── gitea-values.yaml
-│       │   ├── opencost-values.yaml
-│       │   ├── prometheus-values.yaml
-│       │   └── ...
-│       ├── upc-dev/               # UpCloud dev overlay values
-│       │   ├── traefik-values.yaml
-│       │   ├── keycloak-values.yaml
-│       │   ├── grafana-values.yaml
-│       │   ├── gitea-values.yaml
-│       │   └── opencost-values.yaml
-│       └── upc-prod/              # UpCloud prod overlay values
-│           ├── traefik-values.yaml
-│           ├── keycloak-values.yaml
-│           ├── grafana-values.yaml
-│           ├── gitea-values.yaml
-│           └── opencost-values.yaml
+│       ├── argocd-values.yaml
+│       ├── prometheus-values.yaml
+│       ├── grafana-values.yaml
+│       ├── loki-values.yaml
+│       ├── tempo-values.yaml
+│       ├── gitea-values.yaml
+│       ├── gitea-actions-values.yaml
+│       ├── fluent-bit-values.yaml
+│       └── renovate-values.yaml
 │
 ├── apps/                          # Business applications
 │   ├── mcp10x.yaml
@@ -154,15 +135,6 @@ launchpad/
 │   ├── mcp10x-credentials-sealed.yaml
 │   └── musicman-credentials.yaml
 │
-├── scripts/                       # Operational helper scripts
-│   ├── gitea-backup.sh            # S3 backup helper (list/download)
-│   ├── gitea-restore.sh
-│   └── backup/                    # Per-cloud backup reference scripts
-│       ├── s3-minio.sh            # S3-compatible (UpCloud, MinIO, Wasabi)
-│       ├── aws-s3.sh              # Native AWS S3
-│       ├── azure-blob.sh          # Azure Blob Storage
-│       └── gcp-gcs.sh             # GCP Cloud Storage
-│
 ├── private/                       # Local-only (Git-ignored)
 │   ├── *.yaml
 │   └── *.sh
@@ -630,6 +602,15 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 
+### Global Settings (`argocd-cm`)
+
+| Setting | Value | Purpose |
+|---------|-------|---------|
+| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
+| `timeout.reconciliation` | `60s` | Reconciliation interval |
+| `admin.enabled` | `true` | Enable admin account |
+| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
+
 ---
 
 ## Infrastructure Components
@@ -984,6 +965,83 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 
+### Backstage / RHDH (Developer Portal)
+
+**Chart**: `backstage` (RHDH — Red Hat Developer Hub)
+**Version**: `5.8.0`
+**Namespace**: `backstage`
+**Helm Repo**: `https://redhat-developer.github.io/rhdh-chart`
+**Image**: `quay.io/rhdh-community/rhdh:next`
+
+**Purpose**: Internal developer portal where teams register and broadcast themselves, their applications, APIs, and systems. Provides a unified catalog, templates, and documentation hub.
+
+**Why RHDH over vanilla Backstage**: Ships 27+ plugins pre-bundled (ArgoCD, Kubernetes, Keycloak, GitHub, GitLab, Jira, SonarQube, Tekton, Jenkins, Quay, and more). Supports dynamic plugin installation at runtime — no image rebuilds needed.
+
+**Configuration** (`infra/values/base/backstage-values.yaml`):
+- OpenShift Route disabled (`route.enabled: false`) — uses Traefik ingress instead
+- PostgreSQL subchart enabled for persistence (2Gi)
+- SecurityContext configured for vanilla Kubernetes (non-OpenShift)
+- Traefik ingress with `websecure` entrypoint
+- App title: "Forte Developer Portal"
+- Dynamic plugins: loads `dynamic-plugins.default.yaml` (all 27+ bundled plugins)
+- Catalog rules: Component, System, API, Resource, Location, Template, Group, User, Domain
+
+**Authentication** (Keycloak OIDC):
+- Uses the self-service registrar pattern (see [Keycloak Client Registrar](#keycloak-client-registrar))
+- Config Secret: `cluster-resources/backstage-keycloak-client-config.yaml`
+- Kyverno clones it → registrar creates `backstage-oidc-credentials` Secret in `backstage` namespace
+- Credential keys: `AUTH_OIDC_CLIENT_ID`, `AUTH_OIDC_CLIENT_SECRET` (loaded via `extraEnvVarsSecrets`)
+- Redirect URI: `https://backstage.forteapps.net/api/auth/oidc/handler/frame`
+- Sign-in resolver: `emailMatchingUserEntityProfileEmail`
+
+**Catalog Discovery** (Gitea):
+- Auto-discovers `catalog-info.yaml` from all repos in the `Forte` organization
+- Scans every 30 minutes via the Gitea catalog provider plugin
+- Gitea SCM integration configured for URL resolution (`git.forteapps.net`)
+
+**Catalog Registration**:
+Teams register services by adding a `catalog-info.yaml` to their repo root:
+```yaml
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: my-service
+  description: My service description
+  annotations:
+    backstage.io/source-location: url:https://git.forteapps.net/Forte/my-service
+spec:
+  type: service
+  lifecycle: production
+  owner: team-name
+```
+
+Repos with this file are auto-discovered — no manual registration needed.
+
+**Dynamic Plugins**:
+Add plugins at runtime via `global.dynamic.plugins` in values — no image rebuild:
+```yaml
+global:
+  dynamic:
+    plugins:
+    - package: "@scope/my-plugin@1.0.0"
+      integrity: "sha512-..."
+```
+
+**Per-cluster Configuration** (`infra/values/upc-dev/backstage-values.yaml`):
+```yaml
+global:
+  host: backstage.forteapps.net
+upstream:
+  backstage:
+    appConfig:
+      app:
+        baseUrl: https://backstage.forteapps.net
+      backend:
+        baseUrl: https://backstage.forteapps.net
+  ingress:
+    host: backstage.forteapps.net
+```
+
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1544,7 +1602,23 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
 
-**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
+#### Forwarded Headers
+
+After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
+
+| Header | Description | Auth Modes |
+|--------|-------------|------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
+
+Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
+
+**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
 
 ---
 
@@ -1649,87 +1723,6 @@ POST /loki/api/v1/push
 
 ---
 
-## Cloud Overlay Pattern
-
-### Overview
-
-Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. Adding a new cloud provider only requires a new overlay directory — no base changes.
-
-### Supported Clouds
-
-| Cloud | Dev overlay | Prod overlay | StorageClass | LB type |
-|-------|-----------|-------------|-------------|---------|
-| **UpCloud** | `upc-dev` | `upc-prod` | `upcloud-block-storage-maxiops` | UpCloud LB (proxy protocol v2) |
-| **Azure AKS** | `aks-dev` | `aks-prod` | `managed-csi-premium` | Azure LB |
-| **AWS EKS** | `eks-dev` | `eks-prod` | `gp3` | AWS NLB (proxy protocol) |
-| **GCP GKE** | `gke-dev` | `gke-prod` | `premium-rwo` | GCP NEG |
-
-Bootstrap any cluster with: `./bootstrap.sh <cluster>` (e.g., `./bootstrap.sh aks-dev`)
-
-### How It Works
-
-Each ArgoCD Application uses **multi-source Helm values** with two value files:
-
-```yaml
-# infra/base/gitea.yaml (example)
-helm:
-  valueFiles:
-  - $values/infra/values/base/gitea-values.yaml      # [0] cloud-agnostic
-  - $values/infra/values/upc-dev/gitea-values.yaml    # [1] cloud-specific (default: upc-dev)
-```
-
-The `upc-prod` Kustomize overlay patches index `[1]` to swap the cloud-specific file:
-
-```yaml
-# infra/overlays/upc-prod/kustomization.yaml
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/gitea-values.yaml
-```
-
-### Components Using Cloud Overlays
-
-| Component | Cloud-specific config | Overlay value file |
-|-----------|----------------------|-------------------|
-| **Traefik** | LB annotations, proxy protocol IPs | `traefik-values.yaml` |
-| **Keycloak** | Hostname, TLS settings | `keycloak-values.yaml` |
-| **Grafana** | Hostname, datasource URLs | `grafana-values.yaml` |
-| **Gitea** | StorageClass (persistence + PostgreSQL) | `gitea-values.yaml` |
-| **OpenCost** | Custom pricing model (CPU/RAM/storage rates) | `opencost-values.yaml` |
-
-### Backup CronJob
-
-The `gitea-backup` CronJob uses a generic `s3` alias for `minio/mc`. The actual endpoint and credentials come from the `gitea-backup-s3` Sealed Secret, which is per-cloud. Reference scripts for different cloud providers are in `scripts/backup/`:
-
-| Script | Provider | Tool |
-|--------|----------|------|
-| `s3-minio.sh` | S3-compatible (UpCloud, MinIO, Wasabi) | `minio/mc` |
-| `aws-s3.sh` | AWS S3 | `aws` CLI |
-| `azure-blob.sh` | Azure Blob Storage | `az` CLI |
-| `gcp-gcs.sh` | GCP Cloud Storage | `gsutil` |
-
-### Adding a New Cloud Provider
-
-To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
-
-1. **Cluster config**: `clusters/oci-dev.yaml` — clusterName, domain, trustedIPs, cloudProvider
-2. **Overlay value files** in `infra/values/oci-dev/`:
-   - `traefik-values.yaml` — LB annotations, proxy protocol config
-   - `keycloak-values.yaml` — hostname
-   - `grafana-values.yaml` — hostname
-   - `gitea-values.yaml` — `storageClass` for persistence + PostgreSQL
-   - `opencost-values.yaml` — pricing model or cloud billing integration
-3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
-4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
-5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config
-6. **Bootstrap**: `./bootstrap.sh oci-dev`
-
----
-
 ## Glossary
 
 ### Terms

infra/base/backstage.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: backstage
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: backstage
+    app.kubernetes.io/part-of: developer-portal
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://redhat-developer.github.io/rhdh-chart
+    chart: backstage
+    targetRevision: "5.8.0"
+    helm:
+      releaseName: backstage
+      valueFiles:
+      - $values/infra/values/base/backstage-values.yaml
+      - $values/infra/values/upc-dev/backstage-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: backstage
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/base/gitea.yaml

@@ -22,7 +22,6 @@ spec:
       releaseName: gitea
       valueFiles:
       - $values/infra/values/base/gitea-values.yaml
-      - $values/infra/values/upc-dev/gitea-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/base/kustomization.yaml

@@ -22,3 +22,4 @@ resources:
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
+- backstage.yaml

infra/base/opencost.yaml

@@ -22,9 +22,8 @@ spec:
       releaseName: opencost
       valueFiles:
       - $values/infra/values/base/opencost-values.yaml
-      - $values/infra/values/upc-dev/opencost-values.yaml
 
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
     ref: values
 

infra/base/traefik-application.yaml

@@ -31,7 +31,7 @@ spec:
       - $values/infra/values/base/traefik-values.yaml
       - $values/infra/values/upc-dev/traefik-values.yaml
 
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
     ref: values
 

infra/overlays/aks-dev/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/traefik-values.yaml
-
-# Keycloak: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/keycloak-values.yaml
-
-# Grafana: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/grafana-values.yaml
-
-# Gitea: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/gitea-values.yaml
-
-# OpenCost: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/opencost-values.yaml
-
-# Secrets: change path to aks-dev
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/aks-dev
-
-# Enterprise-apps: point to aks-dev overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/aks-dev

infra/overlays/aks-prod/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/traefik-values.yaml
-
-# Keycloak: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/keycloak-values.yaml
-
-# Grafana: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/grafana-values.yaml
-
-# Gitea: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/gitea-values.yaml
-
-# OpenCost: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/opencost-values.yaml
-
-# Secrets: change path to aks-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/aks-prod
-
-# Enterprise-apps: point to aks-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/aks-prod

infra/overlays/eks-dev/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/traefik-values.yaml
-
-# Keycloak: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/keycloak-values.yaml
-
-# Grafana: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/grafana-values.yaml
-
-# Gitea: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/gitea-values.yaml
-
-# OpenCost: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/opencost-values.yaml
-
-# Secrets: change path to eks-dev
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/eks-dev
-
-# Enterprise-apps: point to eks-dev overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/eks-dev

infra/overlays/eks-prod/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/traefik-values.yaml
-
-# Keycloak: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/keycloak-values.yaml
-
-# Grafana: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/grafana-values.yaml
-
-# Gitea: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/gitea-values.yaml
-
-# OpenCost: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/opencost-values.yaml
-
-# Secrets: change path to eks-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/eks-prod
-
-# Enterprise-apps: point to eks-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/eks-prod

infra/overlays/gke-dev/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/traefik-values.yaml
-
-# Keycloak: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/keycloak-values.yaml
-
-# Grafana: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/grafana-values.yaml
-
-# Gitea: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/gitea-values.yaml
-
-# OpenCost: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/opencost-values.yaml
-
-# Secrets: change path to gke-dev
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/gke-dev
-
-# Enterprise-apps: point to gke-dev overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/gke-dev

infra/overlays/gke-prod/kustomization.yaml

@@ -1,68 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/traefik-values.yaml
-
-# Keycloak: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/keycloak-values.yaml
-
-# Grafana: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/grafana-values.yaml
-
-# Gitea: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/gitea-values.yaml
-
-# OpenCost: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/opencost-values.yaml
-
-# Secrets: change path to gke-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/gke-prod
-
-# Enterprise-apps: point to gke-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/gke-prod

infra/overlays/upc-prod/kustomization.yaml

@@ -31,24 +31,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/upc-prod/grafana-values.yaml
 
-# Gitea: swap upc-dev → upc-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/gitea-values.yaml
-
-# OpenCost: swap upc-dev → upc-prod
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/opencost-values.yaml
-
 # Secrets: change path to upc-prod
 - target:
     kind: Application

infra/values/aks-dev/gitea-values.yaml

@@ -1,7 +0,0 @@
-# AKS-specific: Azure managed disk storage class
-persistence:
-  storageClass: managed-csi-premium
-postgresql:
-  primary:
-    persistence:
-      storageClass: managed-csi-premium

infra/values/aks-dev/grafana-values.yaml

@@ -1,4 +0,0 @@
-# AKS-specific: Grafana hostname
-ingress:
-  hosts:
-  - grafana.forteapps.net

infra/values/aks-dev/keycloak-values.yaml

@@ -1,3 +0,0 @@
-# AKS-specific: Keycloak hostname
-ingress:
-  hostname: id.forteapps.net

infra/values/aks-dev/opencost-values.yaml

@@ -1,8 +0,0 @@
-# AKS-specific: Azure pricing via Cloud Billing API
-opencost:
-  exporter:
-    cloudProviderApiKey: ""
-    customPricing:
-      enabled: false
-    azure:
-      secretName: opencost-azure-billing

infra/values/aks-dev/traefik-values.yaml

@@ -1,11 +0,0 @@
-# AKS-specific: Azure Load Balancer for Traefik
-service:
-  annotations:
-    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
-ports:
-  web:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"
-  websecure:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"

infra/values/aks-prod/gitea-values.yaml

@@ -1,7 +0,0 @@
-# AKS-specific: Azure managed disk storage class (prod)
-persistence:
-  storageClass: managed-csi-premium
-postgresql:
-  primary:
-    persistence:
-      storageClass: managed-csi-premium

infra/values/aks-prod/grafana-values.yaml

@@ -1,4 +0,0 @@
-# AKS-specific: Grafana hostname (prod)
-ingress:
-  hosts:
-  - grafana.fortedigital.com

infra/values/aks-prod/keycloak-values.yaml

@@ -1,3 +0,0 @@
-# AKS-specific: Keycloak hostname (prod)
-ingress:
-  hostname: id.fortedigital.com

infra/values/aks-prod/opencost-values.yaml

@@ -1,8 +0,0 @@
-# AKS-specific: Azure pricing via Cloud Billing API (prod)
-opencost:
-  exporter:
-    cloudProviderApiKey: ""
-    customPricing:
-      enabled: false
-    azure:
-      secretName: opencost-azure-billing

infra/values/aks-prod/traefik-values.yaml

@@ -1,12 +0,0 @@
-# AKS-specific: Azure Load Balancer for Traefik (prod)
-service:
-  annotations:
-    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
-    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
-ports:
-  web:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"
-  websecure:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"

infra/values/base/argocd-values.yaml

@@ -2,12 +2,21 @@ configs:
   secret:
     createSecret: true
     argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
+  ssh:
+    knownHosts: |
+      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
     admin.enabled: "true"
   params:
     "server.insecure": true
+repoServer:
+  env:
+  # Disable git submodule checkout - submodules (e.g. shared-prompts)
+  # are not needed for K8s manifest generation
+  - name: ARGOCD_GIT_MODULES_ENABLED
+    value: "false"
 server:
   ingress:
     enabled: false

infra/values/base/backstage-values.yaml

@@ -0,0 +1,150 @@
+# Red Hat Developer Hub (RHDH) - Internal Developer Portal
+# Helm chart: https://github.com/redhat-developer/rhdh-chart
+# Includes 27+ plugins out of the box: ArgoCD, Kubernetes, Keycloak,
+# GitHub, GitLab, Jira, SonarQube, Tekton, Jenkins, and more.
+
+global:
+  auth:
+    backend:
+      enabled: true
+  dynamic:
+    includes:
+    - dynamic-plugins.default.yaml
+    plugins: []
+
+# Disable OpenShift Route (not on OpenShift)
+route:
+  enabled: false
+
+upstream:
+  backstage:
+    image:
+      registry: quay.io
+      repository: rhdh-community/rhdh
+      tag: next
+
+    podSecurityContext:
+      runAsUser: 1001
+      runAsGroup: 1001
+      fsGroup: 1001
+
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+
+    extraEnvVarsSecrets:
+    - backstage-oidc-credentials
+    - backstage-session-secret
+
+    appConfig:
+      app:
+        title: "Forte Backstage"
+        baseUrl: http://localhost:7007
+
+      backend:
+        baseUrl: http://localhost:7007
+
+      # -- Keycloak OIDC authentication
+      signInPage: oidc
+      auth:
+        session:
+          secret: ${AUTH_SESSION_SECRET}
+        environment: production
+        providers:
+          oidc:
+            production:
+              metadataUrl: https://id.forteapps.net/realms/forte/.well-known/openid-configuration
+              clientId: ${AUTH_OIDC_CLIENT_ID}
+              clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
+              prompt: auto
+              # Allow login before User entities exist in the catalog.
+              # Remove once org data is populated.
+              dangerouslyAllowSignInWithoutUserInCatalog: true
+              signIn:
+                resolvers:
+                - resolver: emailMatchingUserEntityProfileEmail
+
+      # -- Gitea SCM integration (for catalog URL resolution)
+      integrations:
+        gitea:
+        - host: git.forteapps.net
+
+      # -- Software catalog
+      catalog:
+        rules:
+        - allow:
+          - Component
+          - System
+          - API
+          - Resource
+          - Location
+          - Template
+          - Group
+          - User
+          - Domain
+        providers:
+          # Auto-import users and groups from Keycloak
+          keycloakOrg:
+            default:
+              baseUrl: https://id.forteapps.net
+              realm: forte
+              clientId: ${AUTH_OIDC_CLIENT_ID}
+              clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
+              schedule:
+                frequency: { minutes: 30 }
+                timeout: { minutes: 3 }
+                initialDelay: { seconds: 15 }
+          # Auto-discover catalog-info.yaml from all Forte org repos
+          gitea:
+            forte:
+              organization: Forte
+              host: git.forteapps.net
+              catalogPath: catalog-info.yaml
+              schedule:
+                frequency: { minutes: 30 }
+                timeout: { minutes: 3 }
+        locations:
+          # Backstage's own org data (bootstrap teams, systems, domains)
+          # - type: url
+          #   target: https://git.forteapps.net/Forte/backstage-catalog/raw/branch/main/org.yaml
+          #   rules:
+          #   - allow: [Group, User, System, Domain]
+
+  ingress:
+    enabled: true
+    className: traefik
+    annotations:
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls:
+      enabled: true
+      secretName: backstage-tls
+
+  postgresql:
+    enabled: true
+    auth:
+      # Fixed passwords prevent Helm from regenerating the Secret on
+      # each sync, which would mismatch with the PVC-persisted data.
+      password: backstage-db-pw
+      postgresPassword: backstage-admin-pw
+    primary:
+      persistence:
+        enabled: true
+        size: 2Gi
+      podSecurityContext:
+        enabled: true
+        fsGroup: 26
+        runAsUser: 26
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 250m
+          memory: 512Mi
+    volumePermissions:
+      enabled: false

infra/values/base/gitea-values.yaml

@@ -130,6 +130,7 @@ persistence:
   size: 10Gi
   accessModes:
   - ReadWriteOnce
+  storageClass: upcloud-block-storage-maxiops
 
 # -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
 strategy:
@@ -155,6 +156,7 @@ postgresql:
     persistence:
       enabled: true
       size: 8Gi
+      storageClass: upcloud-block-storage-maxiops
     resources:
       requests:
         cpu: 100m

infra/values/base/keycloak-values.yaml

@@ -116,12 +116,12 @@ extraDeploy:
   metadata:
     name: keycloak-client-registrar
   rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["get", "list"]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "list", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    verbs: [ "get", "list" ]
 
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
@@ -158,7 +158,7 @@ extraDeploy:
             containers:
             - name: registrar
               image: alpine:3.20
-              command: ["/bin/sh", "-c"]
+              command: [ "/bin/sh", "-c" ]
               args:
               - |
                 set -e

infra/values/base/opencost-values.yaml

@@ -10,6 +10,18 @@ opencost:
         serviceName: prometheus-server
         namespaceName: monitoring
         port: 80
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"
   ui:
     enabled: false
 service:

infra/values/eks-dev/gitea-values.yaml

@@ -1,7 +0,0 @@
-# EKS-specific: gp3 storage class
-persistence:
-  storageClass: gp3
-postgresql:
-  primary:
-    persistence:
-      storageClass: gp3

infra/values/eks-dev/grafana-values.yaml

@@ -1,4 +0,0 @@
-# EKS-specific: Grafana hostname
-ingress:
-  hosts:
-  - grafana.forteapps.net

infra/values/eks-dev/keycloak-values.yaml

@@ -1,3 +0,0 @@
-# EKS-specific: Keycloak hostname
-ingress:
-  hostname: id.forteapps.net

infra/values/eks-dev/opencost-values.yaml

@@ -1,11 +0,0 @@
-# EKS-specific: AWS pricing via Cost and Usage Report
-opencost:
-  exporter:
-    cloudProviderApiKey: ""
-    customPricing:
-      enabled: false
-    aws:
-      spot_data_region: ""
-      spot_data_bucket: ""
-      spot_data_prefix: ""
-      account_id: ""

infra/values/eks-dev/traefik-values.yaml

@@ -1,17 +0,0 @@
-# EKS-specific: AWS NLB for Traefik
-service:
-  annotations:
-    service.beta.kubernetes.io/aws-load-balancer-type: nlb
-    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-ports:
-  web:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"
-  websecure:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"

infra/values/eks-prod/gitea-values.yaml

@@ -1,7 +0,0 @@
-# EKS-specific: gp3 storage class (prod)
-persistence:
-  storageClass: gp3
-postgresql:
-  primary:
-    persistence:
-      storageClass: gp3

infra/values/eks-prod/grafana-values.yaml

@@ -1,4 +0,0 @@
-# EKS-specific: Grafana hostname (prod)
-ingress:
-  hosts:
-  - grafana.fortedigital.com

infra/values/eks-prod/keycloak-values.yaml

@@ -1,3 +0,0 @@
-# EKS-specific: Keycloak hostname (prod)
-ingress:
-  hostname: id.fortedigital.com

infra/values/eks-prod/opencost-values.yaml

@@ -1,11 +0,0 @@
-# EKS-specific: AWS pricing via Cost and Usage Report (prod)
-opencost:
-  exporter:
-    cloudProviderApiKey: ""
-    customPricing:
-      enabled: false
-    aws:
-      spot_data_region: ""
-      spot_data_bucket: ""
-      spot_data_prefix: ""
-      account_id: ""

infra/values/eks-prod/traefik-values.yaml

@@ -1,18 +0,0 @@
-# EKS-specific: AWS NLB for Traefik (prod)
-service:
-  annotations:
-    service.beta.kubernetes.io/aws-load-balancer-type: nlb
-    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
-ports:
-  web:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"
-  websecure:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"

infra/values/gke-dev/gitea-values.yaml

@@ -1,7 +0,0 @@
-# GKE-specific: SSD persistent disk storage class
-persistence:
-  storageClass: premium-rwo
-postgresql:
-  primary:
-    persistence:
-      storageClass: premium-rwo

infra/values/gke-dev/grafana-values.yaml

@@ -1,4 +0,0 @@
-# GKE-specific: Grafana hostname
-ingress:
-  hosts:
-  - grafana.forteapps.net

infra/values/gke-dev/keycloak-values.yaml

@@ -1,3 +0,0 @@
-# GKE-specific: Keycloak hostname
-ingress:
-  hostname: id.forteapps.net

infra/values/gke-dev/opencost-values.yaml

@@ -1,10 +0,0 @@
-# GKE-specific: GCP pricing via BigQuery billing export
-opencost:
-  exporter:
-    cloudProviderApiKey: ""
-    customPricing:
-      enabled: false
-    google:
-      key: ""
-      project_id: ""
-      billing_account: ""

infra/values/gke-dev/traefik-values.yaml

@@ -1,12 +0,0 @@
-# GKE-specific: Google Cloud Load Balancer for Traefik
-service:
-  annotations:
-    cloud.google.com/neg: '{"ingress":true}'
-    networking.gke.io/load-balancer-type: External
-ports:
-  web:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"
-  websecure:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"

infra/values/gke-prod/gitea-values.yaml

@@ -1,7 +0,0 @@
-# GKE-specific: SSD persistent disk storage class (prod)
-persistence:
-  storageClass: premium-rwo
-postgresql:
-  primary:
-    persistence:
-      storageClass: premium-rwo

infra/values/gke-prod/grafana-values.yaml

@@ -1,4 +0,0 @@
-# GKE-specific: Grafana hostname (prod)
-ingress:
-  hosts:
-  - grafana.fortedigital.com

infra/values/gke-prod/keycloak-values.yaml

@@ -1,3 +0,0 @@
-# GKE-specific: Keycloak hostname (prod)
-ingress:
-  hostname: id.fortedigital.com

infra/values/gke-prod/opencost-values.yaml

@@ -1,10 +0,0 @@
-# GKE-specific: GCP pricing via BigQuery billing export (prod)
-opencost:
-  exporter:
-    cloudProviderApiKey: ""
-    customPricing:
-      enabled: false
-    google:
-      key: ""
-      project_id: ""
-      billing_account: ""

infra/values/gke-prod/traefik-values.yaml

@@ -1,12 +0,0 @@
-# GKE-specific: Google Cloud Load Balancer for Traefik (prod)
-service:
-  annotations:
-    cloud.google.com/neg: '{"ingress":true}'
-    networking.gke.io/load-balancer-type: External
-ports:
-  web:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"
-  websecure:
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8"

infra/values/upc-dev/backstage-values.yaml

@@ -0,0 +1,12 @@
+global:
+  host: backstage.forteapps.net
+
+upstream:
+  backstage:
+    appConfig:
+      app:
+        baseUrl: https://backstage.forteapps.net
+      backend:
+        baseUrl: https://backstage.forteapps.net
+  ingress:
+    host: backstage.forteapps.net

infra/values/upc-dev/gitea-values.yaml

@@ -1,7 +0,0 @@
-# UpCloud-specific: block storage class for Gitea + PostgreSQL
-persistence:
-  storageClass: upcloud-block-storage-maxiops
-postgresql:
-  primary:
-    persistence:
-      storageClass: upcloud-block-storage-maxiops

infra/values/upc-dev/opencost-values.yaml

@@ -1,15 +0,0 @@
-# UpCloud-specific: custom pricing model
-opencost:
-  exporter:
-    customPricing:
-      enabled: true
-      provider: custom
-      costModel:
-        description: "UpCloud 4-node cluster pricing"
-        CPU: "5.86"
-        RAM: "1.46"
-        GPU: "0"
-        storage: "0.34"
-        zoneNetworkEgress: "0"
-        regionNetworkEgress: "0"
-        internetNetworkEgress: "0"

infra/values/upc-prod/gitea-values.yaml

@@ -1,7 +0,0 @@
-# UpCloud-specific: block storage class for Gitea + PostgreSQL
-persistence:
-  storageClass: upcloud-block-storage-maxiops
-postgresql:
-  primary:
-    persistence:
-      storageClass: upcloud-block-storage-maxiops

infra/values/upc-prod/opencost-values.yaml

@@ -1,15 +0,0 @@
-# UpCloud-specific: custom pricing model
-opencost:
-  exporter:
-    customPricing:
-      enabled: true
-      provider: custom
-      costModel:
-        description: "UpCloud 4-node cluster pricing"
-        CPU: "5.86"
-        RAM: "1.46"
-        GPU: "0"
-        storage: "0.34"
-        zoneNetworkEgress: "0"
-        regionNetworkEgress: "0"
-        internetNetworkEgress: "0"

scripts/backup/aws-s3.sh

@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-# AWS S3 backup upload (native AWS CLI)
-# Uses: aws cli v2
-# Env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, S3_BUCKET
-
-BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
-TIMESTAMP=$(date +%Y%m%d-%H%M%S)
-KEY="gitea-dump-${TIMESTAMP}.zip"
-
-echo "Uploading ${KEY}..."
-aws s3 cp "$BACKUP_FILE" "s3://${S3_BUCKET}/${KEY}"
-echo "Upload complete."
-
-# Prune backups older than 7 days
-echo "Pruning backups older than 7 days..."
-CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%S 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%S)
-aws s3api list-objects-v2 --bucket "${S3_BUCKET}" --query "Contents[?LastModified<'${CUTOFF}'].Key" --output text \
-  | tr '\t' '\n' \
-  | while read -r key; do
-      [ -n "$key" ] && aws s3 rm "s3://${S3_BUCKET}/${key}" && echo "Deleted: ${key}"
-    done
-echo "Pruning complete."

scripts/backup/azure-blob.sh

@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-# Azure Blob Storage backup upload
-# Uses: az cli
-# Env: AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_KEY, AZURE_CONTAINER
-
-BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
-TIMESTAMP=$(date +%Y%m%d-%H%M%S)
-KEY="gitea-dump-${TIMESTAMP}.zip"
-
-echo "Uploading ${KEY}..."
-az storage blob upload \
-  --account-name "${AZURE_STORAGE_ACCOUNT}" \
-  --account-key "${AZURE_STORAGE_KEY}" \
-  --container-name "${AZURE_CONTAINER}" \
-  --name "${KEY}" \
-  --file "$BACKUP_FILE" \
-  --overwrite
-echo "Upload complete."
-
-# Prune backups older than 7 days
-echo "Pruning backups older than 7 days..."
-CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%SZ)
-az storage blob list \
-  --account-name "${AZURE_STORAGE_ACCOUNT}" \
-  --account-key "${AZURE_STORAGE_KEY}" \
-  --container-name "${AZURE_CONTAINER}" \
-  --query "[?properties.lastModified<'${CUTOFF}'].name" -o tsv \
-  | while read -r name; do
-      [ -n "$name" ] && az storage blob delete \
-        --account-name "${AZURE_STORAGE_ACCOUNT}" \
-        --account-key "${AZURE_STORAGE_KEY}" \
-        --container-name "${AZURE_CONTAINER}" \
-        --name "$name" && echo "Deleted: ${name}"
-    done
-echo "Pruning complete."

scripts/backup/gcp-gcs.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-# GCP Cloud Storage backup upload
-# Uses: gsutil (gcloud SDK)
-# Env: GCS_BUCKET (e.g. gs://my-bucket)
-
-BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
-TIMESTAMP=$(date +%Y%m%d-%H%M%S)
-KEY="gitea-dump-${TIMESTAMP}.zip"
-
-echo "Uploading ${KEY}..."
-gsutil cp "$BACKUP_FILE" "${GCS_BUCKET}/${KEY}"
-echo "Upload complete."
-
-# Prune backups older than 7 days — GCS lifecycle rules are preferred,
-# but this works as a manual fallback
-echo "Pruning backups older than 7 days..."
-CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%SZ)
-gsutil ls -l "${GCS_BUCKET}/" \
-  | grep 'gitea-dump-' \
-  | while read -r size date name; do
-      if [[ "$date" < "$CUTOFF" ]]; then
-        gsutil rm "$name" && echo "Deleted: ${name}"
-      fi
-    done
-echo "Pruning complete."

scripts/backup/s3-minio.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-# S3-compatible backup upload (UpCloud Objects, MinIO, Wasabi, etc.)
-# Uses: minio/mc
-# Env: S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET
-
-BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
-TIMESTAMP=$(date +%Y%m%d-%H%M%S)
-KEY="gitea-dump-${TIMESTAMP}.zip"
-
-mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
-
-echo "Uploading ${KEY}..."
-mc cp "$BACKUP_FILE" "s3/${S3_BUCKET}/${KEY}"
-echo "Upload complete."
-
-# Prune backups older than 7 days
-echo "Pruning backups older than 7 days..."
-mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
-echo "Pruning complete."

scripts/gitea-backup.sh

@@ -13,7 +13,7 @@ NAMESPACE="gitea"
 SECRET="gitea-backup-s3"
 IMAGE="minio/mc:latest"
 POD_NAME="gitea-backup-helper"
-ALIAS_CMD='mc alias set s3 ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
+ALIAS_CMD='mc alias set upcloud ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
 
 cleanup() {
   kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
@@ -41,7 +41,7 @@ mc_run() {
 case "${1:-help}" in
   list)
     echo "Listing backups..."
-    mc_run 'mc ls s3/${S3_BUCKET}/'
+    mc_run 'mc ls upcloud/${S3_BUCKET}/'
     ;;
 
   download)
@@ -49,7 +49,7 @@ case "${1:-help}" in
 
     if [ "$FILE" = "latest" ]; then
       echo "Finding latest backup..."
-      FILE=$(mc_run 'mc ls s3/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
+      FILE=$(mc_run 'mc ls upcloud/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
       if [ -z "$FILE" ]; then
         echo "No backups found."
         exit 1
@@ -74,7 +74,7 @@ case "${1:-help}" in
     kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
 
     echo "Saving to ./$FILE ..."
-    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat s3/\${S3_BUCKET}/$FILE" > "./$FILE"
+    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat upcloud/\${S3_BUCKET}/$FILE" > "./$FILE"
     cleanup
 
     echo "Downloaded: ./$FILE"