rbac

ignore diff
netpol all remove
2026-04-27 11:03:12 +02:00 · 2026-04-26 23:55:55 +02:00 · 2026-04-25 16:04:13 +02:00 · 2026-04-25 11:49:17 +02:00 · 2026-04-24 20:18:02 +02:00 · 2026-04-24 20:14:28 +02:00
176 changed files with 8923 additions and 2013 deletions
@@ -0,0 +1,2 @@
+# Force LF line endings for shell scripts
+*.sh text eol=lf
@@ -0,0 +1,47 @@
+name: AI Code Review
+
+on:
+  pull_request:
+    types: [ labeled, synchronize ]
+
+jobs:
+  ai-review:
+    if: >-
+      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
+    runs-on: ubuntu-latest
+
+    env:
+      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
+      # VCS configuration
+      VCS__PROVIDER: GITEA
+      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
+      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
+      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
+      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
+      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
+      # Review — disable fallback to see real Gitea API errors
+      REVIEW__INLINE_COMMENT_FALLBACK: "false"
+      # LLM configuration
+      LLM__PROVIDER: CLAUDE
+      LLM__META__MODEL: claude-sonnet-4-20250514
+      LLM__META__MAX_TOKENS: "4096"
+      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
+      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+        token: ${{ secrets.AI_REVIEW_TOKEN }}
+
+    - name: Run inline review
+      uses: docker://nikitafilonov/ai-review:v0.64.0
+      with:
+        args: ai-review run-inline
+
+    - name: Run summary review
+      uses: docker://nikitafilonov/ai-review:v0.64.0
+      with:
+        args: ai-review run-summary
@@ -6,7 +6,6 @@
 # User-specific files (MonoDevelop/Xamarin Studio)
 *.userprefs

-.github/
 private/
 .helm/
 temp/
@@ -15,4 +14,5 @@ CLAUDE.md
 .claude/
 devbox.d/
 devbox.lock
-.devbox/
+.devbox/
+bash.exe.stackdump
@@ -0,0 +1,3 @@
+[submodule "shared-prompts"]
+	path = shared-prompts
+	url = https://git.forteapps.net/Forte/ai-review-prompts.git
@@ -1,9 +1,9 @@
 # Kubernetes Cluster - GitOps Configuration

-> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for UpCloud Managed Kubernetes
+> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for multi-cloud Kubernetes (UpCloud, AWS EKS, Azure AKS, GCP GKE)

 [![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/)
-[![Kubernetes](https://img.shields.io/badge/Kubernetes-UpCloud-orange)](https://upcloud.com/)
+[![Kubernetes](https://img.shields.io/badge/Kubernetes-Multi--Cloud-orange)]()

 ---

@@ -27,8 +27,8 @@
 ### For New Developers
 ```bash
 # 1. Clone repositories
-git clone https://github.com/fortedigital/sturdy-adventure.git
-git clone git@github.com:fortedigital/helm-values.git
+git clone https://git.forteapps.net/Forte/launchpad.git
+git clone ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git

 # 2. Read the guides
 # - Start: docs/GITOPS-ARCHITECTURE.md
@@ -57,10 +57,10 @@ This repository contains the complete GitOps configuration for our Kubernetes cl

 ### What's Inside

- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Sealed Secrets
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
- **Monitoring**: Full observability stack with metrics, logs, and alerting
+- **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
 - **Secrets**: Sealed Secrets for secure Git storage

 ### Key Features
@@ -72,7 +72,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ✅ **Policy Enforcement**: Kyverno ensures security and compliance
 ✅ **Authentication**: Automatic sidecar injection (token & OIDC support)
 ✅ **TLS Everywhere**: Automatic Let's Encrypt certificates
-✅ **Full Observability**: Prometheus, Grafana, Loki integration
+✅ **Full Observability**: Prometheus, Grafana, Loki, Tempo integration

 ---

@@ -83,18 +83,38 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── bootstrap.sh                # Cluster initialization script
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
-├── infra/                     # Infrastructure ArgoCD Applications
-│   ├── enterprise-apps.yaml   # Manages all apps in apps/ folder
-│   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
-│   ├── kyverno.yaml
-│   ├── prometheus.yaml
-│   ├── grafana.yaml
-│   ├── loki.yaml
-│   ├── fluent-bit.yaml
-│   ├── trivy.yaml
-│   ├── sealedsecrets.yaml
+├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
+│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                # All other Application manifests
+│   │   └── secrets.yaml
+│   ├── overlays/              # Per-cluster overrides (Kustomize)
+│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
+│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
+│   │   ├── eks-dev/           # AWS EKS Dev
+│   │   ├── eks-prod/         # AWS EKS Prod
+│   │   ├── aks-dev/        # Azure AKS Dev
+│   │   ├── aks-prod/       # Azure AKS Prod
+│   │   ├── gke-dev/          # GCP GKE Dev
+│   │   └── gke-prod/         # GCP GKE Prod
+│   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
+│       ├── base/              # Shared cloud-agnostic values
+│       ├── upc-dev/           # UpCloud Dev (storage, LB, pricing)
+│       ├── upc-prod/         # UpCloud Prod
+│       ├── eks-dev/           # AWS EKS Dev
+│       ├── eks-prod/         # AWS EKS Prod
+│       ├── aks-dev/        # Azure AKS Dev
+│       ├── aks-prod/       # Azure AKS Prod
+│       ├── gke-dev/          # GCP GKE Dev
+│       └── gke-prod/         # GCP GKE Prod
 │
 ├── apps/                      # Business Applications
 │   ├── mcp10x.yaml
@@ -136,14 +156,14 @@ This repository contains the complete GitOps configuration for our Kubernetes cl

 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
-| **[sturdy-adventure](https://github.com/fortedigital/sturdy-adventure.git)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
-| **[forte-helm](https://github.com/snothub/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
-| **[helm-values](git@github.com:fortedigital/helm-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
+| **[launchpad](https://git.forteapps.net/Forte/launchpad)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
+| **[forte-helm](https://git.forteapps.net/Forte/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
+| **[helm-prod-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |

 ### GitOps Workflow

 ```
-Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD syncs → Deployed to cluster
+Developer commits code → CI/CD builds image → Updates helm-prod-values → ArgoCD syncs → Deployed to cluster
 ```

 **Learn more**: [GitOps Architecture - GitOps Workflow](docs/GITOPS-ARCHITECTURE.md#gitops-workflow)
@@ -158,7 +178,7 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD

 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
-2. Create `helm-values/myapp/values.yaml` (configuration)
+2. Create `helm-prod-values/myapp/values.yaml` (configuration)
 3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!

@@ -167,8 +187,8 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 **See detailed guide**: [Developer Guide - Updating an Existing Application](docs/DEVELOPER-GUIDE.md#updating-an-existing-application)

 **Quick version**:
- **Update code**: Push to app repo → CI/CD updates image tag in helm-values
- **Update config**: Edit `helm-values/myapp/values.yaml` → commit → push
+- **Update code**: Push to app repo → CI/CD updates image tag in helm-prod-values
+- **Update config**: Edit `helm-prod-values/myapp/values.yaml` → commit → push

 ### Manage Secrets

@@ -196,7 +216,7 @@ git push

 **Quick version**:
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml

 # Token-based auth (simple)
 auth:
@@ -331,8 +351,10 @@ kubectl patch application myapp -n argocd \
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
+| **Tempo** | Distributed tracing | `monitoring` | 1 |
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
-| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
+| **OpenCost** | Cost monitoring | `monitoring` | 1 |
+| **Renovate** | Dependency updates | `renovate` | CronJob |

 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)

@@ -350,12 +372,12 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts

 ### App-of-Apps Pattern
-`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Each YAML in `infra/` becomes a child Application managed by ArgoCD.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.

 ### Multi-Source Pattern
 Applications reference both:
 1. **Helm charts** from `forte-helm` (templates)
-2. **Values** from `helm-values` (configuration)
+2. **Values** from `helm-prod-values` (configuration)

 This separates reusable templates from environment-specific config.

@@ -424,7 +446,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 ### Adding a New Application
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
-3. Create Helm values in `helm-values/`
+3. Create Helm values in `helm-prod-values/`
 4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!

@@ -447,16 +469,14 @@ Documentation lives in `docs/`. To update:
 ## 📝 Notes

 ### Current Environment
- **Provider**: UpCloud Managed Kubernetes
+- **Provider**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
+- **Active clusters**: UpCloud (upc-dev, upc-prod)
 - **Environment**: Production (internal use only)
- **Cluster**: Single cluster
 - **Auth**: Disabled for ArgoCD (internal access)
- **Backup**: None (cluster rebuildable via GitOps)
+- **Backup**: Gitea daily backup to S3-compatible storage

 ### Known Limitations
- No automated backups (yet)
 - Secret rotation not automated
- Single cluster (no multi-cluster setup)
 - DNS management is manual

 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -470,11 +490,12 @@ Documentation lives in `docs/`. To update:
 - [Kyverno Documentation](https://kyverno.io/docs/)
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
+- [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
 - [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)

 ### Related Repositories
- [forte-helm](https://github.com/snothub/forte-helm) - Helm chart templates
- [helm-values](git@github.com:fortedigital/helm-values.git) - Application values
+- [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
+- [helm-prod-values](git@github.com:fortedigital/helm-prod-values.git) - Application values

 ---

@@ -492,7 +513,7 @@ Internal use only. Not for public distribution.

 ---

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Documentation Version**: 1.0.0

 **🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!**
@@ -18,9 +18,9 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: infra
+    path: infra/overlays/aks-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: default
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/aks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
@@ -16,14 +16,14 @@ metadata:
 spec:
  project: default
  sources:
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/argocd-mcp/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values

@@ -27,29 +27,19 @@ metadata:
 spec:
  project: default

-  source:
-    repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
+  sources:
+  - repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
    chart: dot-ai-stack
    targetRevision: "0.56.0"
-
    helm:
      releaseName: dot-ai-stack
-      values: |
-        dot-ai:
-          ingress:
-            enabled: true
-            className: traefik
-            host: kubemcp.forteapps.net
-          webUI:
-            baseUrl: http://kubemcpui.forteapps.net
-        dot-ai-ui:
-          uiAuth:
-            secretRef:
-              name: dot-ai-secrets
-          ingress:
-            enabled: true
-            className: traefik
-            host: kubemcpui.forteapps.net
+      valueFiles:
+      - $values/infra/values/base/dot-ai-stack-values.yaml
+      - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values

  destination:
    server: https://kubernetes.default.svc
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dot-ai-stack.yaml
+- mcp10x.yaml
+- musicman.yaml
+- ts-mcp.yaml
+- argo-mcp.yaml
@@ -17,14 +17,14 @@ metadata:
 spec:
  project: default
  sources:
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/mcp10x/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values

@@ -17,14 +17,14 @@ metadata:
 spec:
  project: default
  sources:
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/musicman/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values

@@ -1,15 +1,15 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: mcpcoder
+  name: ts-mcp
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "11"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
-    app.kubernetes.io/name: mcpcoder
+    app.kubernetes.io/name: ts-mcp
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
@@ -17,20 +17,21 @@ metadata:
 spec:
  project: default
  sources:
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
-      - $values/mcpcoder/values.yaml
+      - $values/ts-mcp/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values

  destination:
    server: https://kubernetes.default.svc
-    namespace: mcpcoder
+    namespace: ts-mcp
+
  syncPolicy:
    automated:
      prune: true
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+# No patches needed — base already has "upc-dev" paths
+# upc-dev is the default/base cluster
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# dot-ai-stack: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: dot-ai-stack
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/dot-ai-stack-values.yaml
@@ -1,8 +1,16 @@
 #!/bin/zsh
+
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh

-echo "running $0..."
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
+
+echo "running $0 for cluster: ${CLUSTER}..."
+
+# Source cluster config
+eval $(yq -r 'to_entries[] | "export \(.key)=\"\(.value)\""' "clusters/${CLUSTER}.yaml")
+
+echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."

 ############################################################
 # Bootstrap                                                     #
@@ -10,18 +18,18 @@ echo "running $0..."
 Bootstrap()
 {
    ArgoCd
-    Github
+#    Gitea
 }


 ############################################################
-# Github                                                     #
+# Gitea                                                     #
 ############################################################
-Github()
+Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f private/github.yaml
-    kubectl apply -f private/main.key
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
+    kubectl apply -f "private/${CLUSTER}/main.key"
 }

 ############################################################
@@ -29,17 +37,22 @@ Github()
 ############################################################
 ArgoCd()
 {
+    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
+    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
+    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
+
    # install argocd
    echo "Installing ArgoCD..."
-    CLUSTER_NAME="${CLUSTER_NAME:-dev-fd-no-svg1}"
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
+            --version "7.8.0" \
            --namespace argocd --create-namespace \
-            --values infra/values/argocd-values.yaml \
-            --set notifications.context.clusterName="$CLUSTER_NAME" \
+            --values infra/values/base/argocd-values.yaml \
+            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
+            --set notifications.context.clusterName="${clusterName}" \
            --timeout 60s --atomic

-    kubectl apply -f _app-of-apps.yaml -n argocd
+    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }

 Bootstrap
@@ -0,0 +1,83 @@
+# CronJob: syncs OIDC client secret from registrar-managed
+# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
+# Runs every 2 min. No-ops if source secret doesn't exist yet
+# (safe for fresh deploys before Keycloak is up).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-oidc-sync
+subjects:
+- kind: ServiceAccount
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+spec:
+  schedule: "*/2 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: argocd-oidc-sync
+          restartPolicy: Never
+          containers:
+          - name: sync
+            image: bitnami/kubectl:latest
+            command: ["/bin/sh", "-c"]
+            args:
+            - |
+              set -e
+
+              # Exit gracefully if source secret doesn't exist yet
+              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
+                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
+                exit 0
+              fi
+
+              # Read current OIDC client secret
+              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
+                -o jsonpath='{.data.client-secret}' | base64 -d)
+
+              # Read current value in argocd-secret (if any)
+              CURRENT=$(kubectl get secret argocd-secret -n argocd \
+                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
+
+              # Only patch if changed
+              if [ "$NEW_SECRET" = "$CURRENT" ]; then
+                echo "oidc.clientSecret already up to date"
+                exit 0
+              fi
+
+              kubectl patch secret argocd-secret -n argocd --type merge \
+                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
+              echo "Patched argocd-secret with oidc.clientSecret"
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-repo-server-config
+  namespace: argocd
+data:
+  # Disable git submodule checkout - submodules (e.g. shared-prompts)
+  # are not needed for K8s manifest generation
+  ARGOCD_GIT_MODULES_ENABLED: "false"
@@ -0,0 +1,88 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: gitea-backup
+  namespace: gitea
+spec:
+  schedule: "0 3 * * *"   # daily at 03:00 UTC
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      activeDeadlineSeconds: 1800
+      template:
+        spec:
+          restartPolicy: Never
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+          # Must run on the same node as Gitea to share the RWO volume
+          affinity:
+            podAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchLabels:
+                      app.kubernetes.io/name: gitea
+                  topologyKey: kubernetes.io/hostname
+          initContainers:
+            - name: gitea-dump
+              image: gitea/gitea:1.25.4
+              command:
+                - sh
+                - -c
+                - |
+                  gitea dump \
+                    -c /data/gitea/conf/app.ini \
+                    -f /backup/gitea-dump.zip \
+                    -t /tmp/gitea-dump && \
+                  echo "Dump completed: $(ls -lh /backup/gitea-dump.zip)"
+              volumeMounts:
+                - name: data
+                  mountPath: /data
+                  readOnly: true
+                - name: backup
+                  mountPath: /backup
+                - name: tmp
+                  mountPath: /tmp/gitea-dump
+          containers:
+            - name: upload
+              image: minio/mc:latest
+              env:
+                - name: HOME
+                  value: /tmp
+              command:
+                - sh
+                - -c
+                - |
+                  mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+
+                  TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+                  KEY="gitea-dump-${TIMESTAMP}.zip"
+                  echo "Uploading ${KEY}..."
+                  mc cp /backup/gitea-dump.zip "s3/${S3_BUCKET}/${KEY}" && \
+                  echo "Upload complete."
+
+                  # Prune backups older than 7 days
+                  echo "Pruning backups older than 7 days..."
+                  mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
+                  echo "Pruning complete."
+              envFrom:
+                - secretRef:
+                    name: gitea-backup-s3
+              volumeMounts:
+                - name: backup
+                  mountPath: /backup
+                  readOnly: true
+          volumes:
+            - name: data
+              persistentVolumeClaim:
+                claimName: gitea-shared-storage
+            - name: backup
+              emptyDir:
+                sizeLimit: 5Gi
+            - name: tmp
+              emptyDir:
+                sizeLimit: 5Gi
@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  entryPoints:
+    - giteassh
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 22
@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: deny-external-egress
+  namespace: trivy-system
+  labels:
+    app.kubernetes.io/managed-by: argocd
+    app.kubernetes.io/part-of: network-policies
+spec:
+  endpointSelector: {}
+  egress:
+    # Allow DNS resolution
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+
+    # Allow cluster-internal traffic (RFC1918)
+    - toCIDR:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/16
+
+    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
+    - toFQDNs:
+        - matchName: ghcr.io
+        - matchName: pkg-containers.githubusercontent.com
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
@@ -10,7 +10,7 @@ metadata:
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
-      Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". Supports three auth modes controlled by the policies.forteapps.io/auth-type annotation: "token" (default), "oidc", and "mcp". In token mode the sidecar reads credentials from a mounted Secret volume. In OIDC mode the sidecar uses OpenID Connect with authority and client-id provided via required annotations (policies.forteapps.io/auth-oidc-authority and policies.forteapps.io/auth-oidc-client-id) and secrets from an auth-oidc Secret. In MCP mode the sidecar implements OAuth 2.0 for MCP servers per RFC 9728 (Protected Resource Metadata) and RFC 7591 (Dynamic Client Registration), configured via policies.forteapps.io/auth-mcp-resource and policies.forteapps.io/auth-mcp-authority annotations. A NetworkPolicy is generated to restrict ingress to the sidecar port only.
+      Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". Supports three auth modes controlled by the policies.forteapps.io/auth-type annotation: "token" (default), "oidc", and "mcp". In token mode the sidecar reads credentials from a mounted Secret volume. In OIDC mode the sidecar uses OpenID Connect with authority and client-id provided via required annotations (policies.forteapps.io/auth-oidc-authority and policies.forteapps.io/auth-oidc-client-id) and secrets from an auth-oidc Secret. In MCP mode the sidecar implements OAuth 2.0 for MCP servers per RFC 9728 (Protected Resource Metadata) and RFC 7591 (Dynamic Client Registration), configured via policies.forteapps.io/auth-mcp-resource and policies.forteapps.io/auth-mcp-authority annotations. The sidecar port defaults to 9001 and can be overridden via the policies.forteapps.io/auth-port annotation. A NetworkPolicy is generated to restrict ingress to the sidecar port only.
 spec:
  background: false
  rules:
@@ -119,21 +119,26 @@ spec:
    - name: appPort
      variable:
        jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+    - name: sidecarPort
+      variable:
+        jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '9001')
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - name: authn
-            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/snothub/stunning-memory' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'git.forteapps.net/forte/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
            ports:
-            - containerPort: 8080
+            - containerPort: "{{ sidecarPort }}"
              name: auth
              protocol: TCP
            env:
            - name: AUTH_LISTEN_ADDR
-              value: ":8080"
+              value: ":{{ sidecarPort }}"
            - name: AUTH_UPSTREAM_URL
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}"
+            - name: AUTH_PUBLIC_PATHS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_TOKEN_FILE
              value: "/etc/auth/tokens"
            - name: AUTH_MODE
@@ -152,13 +157,13 @@ spec:
            readinessProbe:
              httpGet:
                path: /healthz
-                port: 8080
+                port: "{{ sidecarPort }}"
              initialDelaySeconds: 2
              periodSeconds: 5
            livenessProbe:
              httpGet:
                path: /healthz
-                port: 8080
+                port: "{{ sidecarPort }}"
              initialDelaySeconds: 5
              periodSeconds: 10
            securityContext:
@@ -195,22 +200,25 @@ spec:
    - name: appPort
      variable:
        jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+    - name: sidecarPort
+      variable:
+        jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '9001')
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - name: authn
-            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/snothub/stunning-memory' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'git.forteapps.net/forte/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
            imagePullPolicy: Always
            ports:
-            - containerPort: 8080
+            - containerPort: "{{ sidecarPort }}"
              name: auth
              protocol: TCP
            env:
            - name: AUTH_MODE
              value: "oidc"
            - name: AUTH_LISTEN_ADDR
-              value: ":8080"
+              value: ":{{ sidecarPort }}"
            - name: AUTH_LOG_LEVEL
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}"
            - name: AUTH_UPSTREAM_URL
@@ -225,6 +233,8 @@ spec:
              value: "{{ regex_replace_all('https?://[^/]*', request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-callback-path\", '') }}"
            - name: AUTH_OIDC_SCOPES
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-scopes\" || 'openid,profile,email'  }}"
+            - name: AUTH_PUBLIC_PATHS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_OIDC_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
@@ -233,8 +243,8 @@ spec:
            - name: AUTH_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: auth-oidc
-                  key: client-secret
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
            resources:
              limits:
                cpu: 50m
@@ -245,13 +255,13 @@ spec:
            readinessProbe:
              httpGet:
                path: /healthz
-                port: 8080
+                port: "{{ sidecarPort }}"
              initialDelaySeconds: 2
              periodSeconds: 5
            livenessProbe:
              httpGet:
                path: /healthz
-                port: 8080
+                port: "{{ sidecarPort }}"
              initialDelaySeconds: 5
              periodSeconds: 10
            securityContext:
@@ -283,22 +293,25 @@ spec:
    - name: appPort
      variable:
        jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+    - name: sidecarPort
+      variable:
+        jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '9001')
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - name: authn
-            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/snothub/stunning-memory' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'git.forteapps.net/forte/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
            imagePullPolicy: Always
            ports:
-            - containerPort: 8080
+            - containerPort: "{{ sidecarPort }}"
              name: auth
              protocol: TCP
            env:
            - name: AUTH_MODE
              value: "mcp"
            - name: AUTH_LISTEN_ADDR
-              value: ":8080"
+              value: ":{{ sidecarPort }}"
            - name: AUTH_LOG_LEVEL
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}"
            - name: AUTH_UPSTREAM_URL
@@ -307,8 +320,10 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-resource\" }}"
            - name: AUTH_MCP_AUTHORIZATION_SERVERS
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-authority\" }}"
+            - name: AUTH_PUBLIC_PATHS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'read,write'  }}"
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
            resources:
              limits:
                cpu: 50m
@@ -319,13 +334,106 @@ spec:
            readinessProbe:
              httpGet:
                path: /healthz
-                port: 8080
+                port: "{{ sidecarPort }}"
              initialDelaySeconds: 2
              periodSeconds: 5
            livenessProbe:
              httpGet:
                path: /healthz
-                port: 8080
+                port: "{{ sidecarPort }}"
+              initialDelaySeconds: 5
+              periodSeconds: 10
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                - ALL
+  - name: inject-sidecar-oauth
+    skipBackgroundRequests: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          annotations:
+            policies.forteapps.io/auth: "true"
+            policies.forteapps.io/auth-type: "oauth"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - kyverno
+          - argocd
+          - cert-manager
+          - monitoring
+    context:
+    - name: appPort
+      variable:
+        jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+    - name: sidecarPort
+      variable:
+        jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '9001')
+    mutate:
+      patchStrategicMerge:
+        spec:
+          containers:
+          - name: authn
+            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'git.forteapps.net/forte/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+            imagePullPolicy: Always
+            ports:
+            - containerPort: "{{ sidecarPort }}"
+              name: auth
+              protocol: TCP
+            env:
+            - name: AUTH_MODE
+              value: "oauth"
+            - name: AUTH_LISTEN_ADDR
+              value: ":{{ sidecarPort }}"
+            - name: AUTH_LOG_LEVEL
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}"
+            - name: AUTH_UPSTREAM_URL
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}"
+            - name: AUTH_OAUTH_AUTHORITY
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-authority\" }}"
+            - name: AUTH_OAUTH_CLIENT_ID
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-client-id\" }}"
+            - name: AUTH_OAUTH_SCOPES
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-scopes\" || 'openid,profile,email'  }}"
+            - name: AUTH_OAUTH_DELEGATION_ENABLED
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-enabled\" || 'false'  }}"
+            - name: AUTH_OAUTH_DELEGATION_CLIENT_ID
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-client-id\" || ''  }}"
+            - name: AUTH_OAUTH_DELEGATION_SCOPES
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-scopes\" || ''  }}"
+            - name: AUTH_OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret\" || 'auth-oauth' }}"
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret-key\" || 'client-secret' }}"
+            - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: auth-oauth
+                  key: delegation-client-secret
+            resources:
+              limits:
+                cpu: 50m
+                memory: 64Mi
+              requests:
+                cpu: 10m
+                memory: 32Mi
+            readinessProbe:
+              httpGet:
+                path: /healthz
+                port: "{{ sidecarPort }}"
+              initialDelaySeconds: 2
+              periodSeconds: 5
+            livenessProbe:
+              httpGet:
+                path: /healthz
+                port: "{{ sidecarPort }}"
              initialDelaySeconds: 5
              periodSeconds: 10
            securityContext:
@@ -358,6 +466,10 @@ spec:
        operator: In
        value:
        - CREATE
+    context:
+    - name: sidecarPort
+      variable:
+        jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '9001')
    generate:
      synchronize: false
      apiVersion: networking.k8s.io/v1
@@ -376,5 +488,5 @@ spec:
          - Ingress
          ingress:
          - ports:
-            - port: 8080
+            - port: "{{ sidecarPort }}"
              protocol: TCP
@@ -1,71 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: require-deployment-owner
-spec:
-  validationFailureAction: Audit
-  background: false
-  rules:
-  - name: check-pod-owner-is-replicaset-from-deployment
-    skipBackgroundRequests: true
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - kyverno
-          - cert-manager
-          - monitoring
-          - argocd
-          - traefik-system
-    context:
-    - name: ownerReplicaSet
-      apiCall:
-        method: GET
-        urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{request.object.metadata.ownerReferences[0].name}}"
-        jmesPath: "@"
-    preconditions:
-      all:
-      - key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
-        operator: GreaterThanOrEquals
-        value: 1
-    validate:
-      allowExistingViolations: true
-      message: "Pods must be created through a Deployment resource."
-      deny:
-        conditions:
-          any:
-          - key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}"
-            operator: NotEquals
-            value: Deployment
-  - name: deny-pods-without-replicaset-owner
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - kyverno
-          - cert-manager
-          - monitoring
-          - argocd
-          - traefik-system
-    skipBackgroundRequests: true
-    validate:
-      allowExistingViolations: true
-      message: "Direct pod creation is not allowed. Pods must come from a Deployment managed by ArgoCD."
-      deny:
-        conditions:
-          all:
-          - key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
-            operator: LessThan
-            value: 1
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: keycloak-client-config-cloner
+spec:
+  rules:
+  - name: clone-client-config-to-keycloak
+    skipBackgroundRequests: false
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          selector:
+            matchLabels:
+              keycloak.forteapps.net/client-config: "true"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - keycloak
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: "{{request.object.metadata.name}}"
+      namespace: keycloak
+      synchronize: true
+      data:
+        metadata:
+          labels:
+            keycloak.forteapps.net/client-config: "true"
+            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
+          annotations:
+            keycloak.forteapps.net/source-name: "{{request.object.metadata.name}}"
+            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
+        data: "{{request.object.data}}"
+        type: "{{request.object.type}}"
@@ -16,7 +16,6 @@ spec:
      - resources:
          namespaces:
          - kube-system
-          - trivy-system
          - monitoring
          - argocd
          - cert-manager
@@ -1,20 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: snothub-repo-creds
-  namespace: argocd
-spec:
-  encryptedData:
-    sshPrivateKey: AgCBd+i8jXBDwvWM0YC9OWvNTKyynVpW6hF0F3aH0GXBIYxzFo1g9kMajE/Ce3bTl8DiVs7VGzPdI6lmJtSC3+fVMm4wavDGrUUbhUHSR/HnEqq51NVjxU1Uj+VRz550z9r6gB0VLAcYqN0WLKd/4Qn7tvQOmKsaXMd5jsIYpSB8nZK87awZ5niFmT8DIKu2DOzoDBeN7Yqrf1aELq3m3kaDxGcDMYSglB0xRU3fF8FYr5inCic1eTrCUdfIwnrBSublNxI9FrGnlylRC40XCPxNpy6zyoQt7yeJTNgRSvtfceqXAwh25mcvga+BfDBTLPQ0EDbCoNDnE9EyMUa4kWcXBTFZ1Qx5NGRz8HAjWoYDbuNOonl9ik5dvv9UKKA+/04ZEuPjsbdkBq9xKuowx0zLL1IVv/jeuViFdvNY6LKNu/hLwMn8aMlTLlIkB+1fsIqV7Vkva9Vk7IXNz575lMwIGUTo1dsK9FQ5+uIe2bsRnY8RJ3lpyndZQ1HDPh7P7KZLZPH8fUuAHH1UF74njMQyve79zCRcisBAewpXdq4UsYAYUQOluS1Ak+sFcIdQ0jHjfklGCcJnTvMyO7obIsPQSv39/bsCqQX6uisrTzcb0s7wnbzhcxf1gm7IyZMIhi2Vub3GoLCIMnb6ViO8k+itLUa5eZpoEeg+BpP1mgL7O2nVfrZYgueULgMSvN89ct/THITsFAR8614An3DCHSnZLv5ZmY7yC6rmO405IlrnjvfFqEt9MdqTgR7uTYDSdI7UjIFJp3rchzikF1pSDMu/siKmD/Vi9+S0KqBcSENz7EUppVuYIk0aRBqHZ9Awoe0qPIjp1AMg947FjIYXzkGk3Kz0P85fGwkktyfHNZdIrXvpDAIP2739Mr7Hde+EHpuajrhuBgozfless5PqLFfGWFnt5COW2HrdSrvrY56MXuJUfiV0nq3eEhCju9f/cA41VbxfO0Hj+KMCjxiL+MCgIt1eWD24P7GQHb0D7+JiuwqgcH0ZqXRaKFYSOJ3/U1o9RRX9v5yebNTm8ErQTSnIN5bNRgE+t8CrTulGVcpaL/rW+XW8cO8MXLC/R4eeNwVjoiK4yXSHpSjf5dF9MZ6bS6SSZPMOa2besEzzQIj0c/EkUsp/GmIF1utDbJVI2VZLFGklwRo92OJs3URXNCqbzzgte43Y9dJp2VdWyi3Zx32pXVWaNdOzeifVOASP7ags7Kbdfvoaa5CmTu17iRUHCOv6164/KFeDCfY=
-    type: AgCIKe+SzLHIp+6gjOVbD7wcpZkeg5UwgXabFjtonavkPbzX+txHWN7IH2HbDmd7TdpgGFiqMGFSQC8mOVXnj+Pw1XnI8trH6wavvKjQ1SsRWteB8o7lGe2PcG2h2v5yW2vk5rrmuB0ehogeJez3ynlk508HguRtidzxnKdZyc6SHOh2hbWq1clspJicREsHlz3Rfn7upOSUyFmx+Tilfnjuom5FFYGBNZt0aEjaW5S7fjcYJBTEerjGjTz3vUs2DK3C5ymyCKKasA628fVZ20uIZhmn5NUGGK6bKDusFOQhYjRnxRYwS2fToBHiVfC8wo7bWW8ZwOrbguvedJU2q9pwjKvXy9upw8Ra3EcYzXASqwI6rqUQv6htGqzTYtVkRsdVxaQqITc3FYrhKIroru4Iup4xYtcVojppz0+HQxiv5WtxosVtfXXX4Zj4spr9ThoZgzLe3ebILEIK3wJNmK/AxV80NXq7JOI6gaiLK/fbm7gd9G7oW9VuM50OJELDmR4jU2k1KSx6sD5lB+c+Ajp1iw+iS9ETD/je93+eyBRKGM9fqP0+DpNsJBBlVLuWK/BwidBN186pFi4DlMzo13Wd0zYKQce4NVrf5s4f7T01KeBU+nnvvcuI+rW7tsY3R18zgP9D9uX2E5066qJQdrFov2YuXwovS4hCQDttIfz9YoGUKKQ3PObWUVynhtBptoGbhRw=
-    url: AgCjVnAWNarZplxbAurz++eBiKXIuYUcoleDcsrMdwdflBOOf6ayguCr7CDHzUbuKFnlNKoFvIvjUOqFb1v5Yy4iWju3ajvlo+ncEIezxetYOmQSft3nSeOD3+RCZn4Qf4K2C1D113IyPCo7T2h01KuVLWOItfuWuVwFDpLTvmKfTRAs8eP1L4ohvAcY0/J5mAmi7tXV2hN1r9R2MEuvHOusujtrRqewXHhzBksSb9/wxilruU/BHQAhYKeKHzi7QoIOeXJTnGEYxuTvskwKQhschIOIBPAOLaUbgKkuHuDIf8y1Gv2b8ENu5uNvTb/ZD43jtmx9P4pS+Hwc7OW411TrkRO7XbV7qo/PqYGYpkKYDK4g7ONGnzrsmXbSmip34vXll/jAknY61QQ6D6JbbONw/psX72p+ZFvOedhlKbHRuUnDYXyQgKFWBODLb63RaMYai79qbv8mJcwDLJaPXYXpwLumHeZX91uPPjahxfvOe8VoryTpvHIbxJO85VJJ1q+7uyFy6h7LVLhifYSbb+M55p/e5Ds5gNcgUv6npPUHdbf0yjYbT1tXGjhaqk4Tx93WoOKPQ/j+nPB41akooY0YfL/ZTDzr2iCMByrx/uPQz3JE+m7VrH5BZyYjj9sSASVsULabJGFiSuGpD+u/lcUNJW+WHQetMEU7+wNo/WB3E5iG9J8qPSPFcTiTslEa8cvGPNtNgyCQ2PphlinscQsvcAQ+ALtEd1dWXPhIGbF8udK6Wx6NYt8=
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        argocd.argoproj.io/secret-type: repository
-      name: snothub-repo-creds
-      namespace: argocd
-    type: Opaque
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
@@ -0,0 +1,32 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
+  "packages": [
+    "kubectl@1.33.2",
+    "kubernetes-helm@3.18.4",
+    "k9s@0.50.7",
+    "kubeseal@0.30.0",
+    "argocd@2.14.11",
+    "kubecm@0.33.1",
+    "kubectl-tree@0.4.3",
+    "kind@0.29.0",
+    "kustomize@5.7.0",
+    "kyverno@1.14.3",
+    "syft@1.29.0",
+    "grype@0.92.2",
+    "traefik@3.6.7",
+    "claude-code@latest",
+    "go@latest",
+    "dotnet-sdk@latest",
+    "opentofu@1.11.6"
+  ],
+  "shell": {
+    "init_hook": [
+      "echo 'Welcome to devbox!' > /dev/null"
+    ],
+    "scripts": {
+      "test": [
+        "echo \"Error: no test specified\" && exit 1"
+      ]
+    }
+  }
+}
@@ -9,6 +9,7 @@
 - [Updating an Existing Application](#updating-an-existing-application)
 - [Working with Secrets](#working-with-secrets)
 - [Enabling Authentication for Applications](#enabling-authentication-for-applications)
+- [Adding a New Keycloak Client](#adding-a-new-keycloak-client)
 - [Troubleshooting](#troubleshooting)
 - [Best Practices](#best-practices)

@@ -89,21 +90,21 @@ If you do need cluster access, install:

 You'll need read/write access to these repositories:

-1. **sturdy-adventure** (Config repo)
+1. **launchpad** (Config repo)
   ```bash
-   git clone https://github.com/fortedigital/sturdy-adventure.git
-   cd sturdy-adventure
+   git clone https://git.forteapps.net/Forte/launchpad.git
+   cd launchpad
   ```

-2. **helm-values** (Values repo)
+2. **helm-prod-values** (Values repo)
   ```bash
-   git clone git@github.com:fortedigital/helm-values.git
-   cd helm-values
+   git clone https://git.forteapps.net/Forte/helm-prod-values.git
+   cd helm-prod-values
   ```

 3. **forte-helm** (Chart repo - read-only for most developers)
   ```bash
-   git clone https://github.com/snothub/forte-helm.git
+   git clone https://git.forteapps.net/Forte/forte-helm.git
   cd forte-helm
   ```

@@ -132,9 +133,9 @@ mkdir -p ~/dev/k8s
 cd ~/dev/k8s

 # Clone repositories
-git clone https://github.com/fortedigital/sturdy-adventure.git launchpad
-git clone git@github.com:fortedigital/helm-values.git helm-prod-values
-git clone https://github.com/snothub/forte-helm.git forte-helm
+git clone https://git.forteapps.net/Forte/launchpad.git launchpad
+git clone https://git.forteapps.net/Forte/helm-prod-values helm-prod-values
+git clone https://git.forteapps.net/Forte/forte-helm forte-helm

 # Your folder structure:
 # ~/dev/k8s/
@@ -174,13 +175,13 @@ npm run dev
 │  - GitHub Actions builds image                                  │
 │  - Pushes to container registry (GHCR, Docker Hub)              │
 │  - Tags with version (e.g., v2.0.4)                             │
-│  - Updates helm-values repository with new tag                  │
+│  - Updates helm-prod-values repository with new tag                  │
 └─────────────────────────────────────────────────────────────────┘
                            │
                            ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Step 3: GitOps Sync (Automated)                                │
-│  - ArgoCD detects change in helm-values                         │
+│  - ArgoCD detects change in helm-prod-values                         │
 │  - Pulls updated configuration                                  │
 │  - Syncs to Kubernetes cluster                                  │
 │  - Sends Slack notification on success/failure                  │
@@ -200,8 +201,8 @@ Our setup uses three repositories:
 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
 | **forte-helm** | Helm chart templates (generic, reusable) | Platform engineers | ❌ Rarely |
-| **helm-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
-| **sturdy-adventure** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |
+| **helm-prod-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
+| **launchpad** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |

 ### Example: Deploying "myapp"

@@ -222,7 +223,7 @@ spec:
      value: {{ .Values.app.port }}
 ```

-#### Repository: `helm-values` (Your App Config)
+#### Repository: `helm-prod-values` (Your App Config)
 ```yaml
 # myapp/values.yaml
 # Your app's specific configuration
@@ -236,7 +237,7 @@ app:
    value: https://api.example.com
 ```

-#### Repository: `sturdy-adventure` (ArgoCD Application)
+#### Repository: `launchpad` (ArgoCD Application)
 ```yaml
 # apps/myapp.yaml
 # Tells ArgoCD to deploy your app
@@ -247,13 +248,13 @@ metadata:
  namespace: argocd
 spec:
  sources:
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    helm:
      valueFiles:
      - $values/myapp/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    ref: values

  destination:
@@ -315,10 +316,10 @@ Ensure your app repository has:
             docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} .
             docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }}

-         - name: Update helm-values
+         - name: Update helm-prod-values
           run: |
-             git clone git@github.com:fortedigital/helm-values.git
-             cd helm-values
+             git clone git@github.com:fortedigital/helm-prod-values.git
+             cd helm-prod-values
             mkdir -p hello-world
             cat > hello-world/values.yaml <<EOF
             app:
@@ -333,7 +334,7 @@ Ensure your app repository has:

 ### Step 2: Create Helm Values

-Create a folder in `helm-values` repository:
+Create a folder in `helm-prod-values` repository:

 ```bash
 cd ~/dev/k8s/helm-prod-values
@@ -386,7 +387,7 @@ git push

 ### Step 3: Create ArgoCD Application Manifest

-In the `sturdy-adventure` repository, create `apps/hello-world.yaml`:
+In the `launchpad` repository, create `apps/hello-world.yaml`:

 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -411,7 +412,7 @@ spec:

  sources:
  # Source 1: Helm chart templates
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
@@ -419,7 +420,7 @@ spec:
      - $values/hello-world/values.yaml

  # Source 2: Helm values
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values

@@ -527,7 +528,7 @@ git push origin main
 2. ✅ Builds new Docker image
 3. ✅ Tags with new version (e.g., `v20260316-143022`)
 4. ✅ Pushes to container registry
-5. ✅ Updates `helm-values/myapp/values.yaml` with new tag
+5. ✅ Updates `helm-prod-values/myapp/values.yaml` with new tag
 6. ✅ ArgoCD detects change
 7. ✅ Syncs new version to cluster
 8. ✅ Sends Slack notification
@@ -653,21 +654,11 @@ kubectl create secret generic myapp-credentials \

 #### Step 2: Seal the Secret

-Get the public certificate (one-time setup):
-
-```bash
-# Fetch public cert from cluster
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-```
-
 Seal your secret:

 ```bash
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
@@ -682,7 +673,7 @@ git push

 #### Step 4: Reference Secret in Application

-Update your `helm-values/myapp/values.yaml`:
+Update your `helm-prod-values/myapp/values.yaml`:

 ```yaml
 app:
@@ -710,7 +701,7 @@ kubectl create secret generic myapp-credentials \

 # 2. Seal it
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml

@@ -790,7 +781,7 @@ Three authentication modes are supported:
 #### Step 1: Configure Helm Values

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
  enabled: true
  type: token                    # Token mode (default)
@@ -912,7 +903,7 @@ rm private/myapp-auth-oidc.yaml
 #### Step 3: Configure Helm Values

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
  enabled: true
  type: oidc                     # OIDC mode
@@ -961,6 +952,46 @@ User sees application (authenticated)

 ---

+### Accessing Authenticated User Information
+
+The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
+
+After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
+
+| Header | Description | Available in |
+|--------|-------------|-------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+**Your application reads these headers — no auth library needed:**
+
+```javascript
+// Express.js example
+app.get('/profile', (req, res) => {
+  const user = req.headers['x-auth-user'];
+  const email = req.headers['x-auth-email'];
+  res.json({ user, email });
+});
+```
+
+```python
+# Flask example
+@app.route('/profile')
+def profile():
+    user = request.headers.get('X-Auth-User')
+    email = request.headers.get('X-Auth-Email')
+    return jsonify(user=user, email=email)
+```
+
+**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
+
+**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
+
+---
+
 ### Authentication Configuration Reference

 #### Helm Values Schema
@@ -1025,7 +1056,7 @@ policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
 #### Sidecar Configuration

 The auth sidecar container:
- **Image**: `ghcr.io/snothub/stunning-memory:latest`
+- **Image**: `ghcr.io/fortedigital/auth-sidecar:latest`
 - **Port**: 8080
 - **Resources**: 10m CPU / 32Mi memory (requests), 50m CPU / 64Mi memory (limits)
 - **Health checks**: `/healthz` endpoint
@@ -1048,7 +1079,7 @@ policies.forteapps.io/auth-image-version: "v1.2.3"
 #### Example 1: Internal API with Token Auth

 ```yaml
-# helm-values/internal-api/values.yaml
+# helm-prod-values/internal-api/values.yaml
 app:
  image:
    repository: ghcr.io/company/internal-api
@@ -1076,7 +1107,7 @@ curl -H "Authorization: Bearer d4f88f..." \
 #### Example 2: User-Facing App with OIDC

 ```yaml
-# helm-values/web-app/values.yaml
+# helm-prod-values/web-app/values.yaml
 app:
  image:
    repository: ghcr.io/company/web-app
@@ -1111,7 +1142,7 @@ kubectl create secret generic auth-oidc \
 #### Example 3: MCP Server with OAuth 2.0

 ```yaml
-# helm-values/mcp-server/values.yaml
+# helm-prod-values/mcp-server/values.yaml
 app:
  image:
    repository: ghcr.io/company/mcp-server
@@ -1135,7 +1166,7 @@ The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) fo
 #### Example 4: Disabling Authentication

 ```yaml
-# helm-values/public-api/values.yaml
+# helm-prod-values/public-api/values.yaml
 auth:
  enabled: false                 # No authentication

@@ -1247,6 +1278,202 @@ kubectl logs -n myapp <pod-name> -c authn

 ---

+## Adding a New Keycloak Client
+
+There are two ways to add an OIDC client, depending on your use case:
+
+| Method | Best for | Who edits the infra repo? |
+|--------|----------|--------------------------|
+| **Self-service** (recommended) | New apps that deploy their own resources | App developer — no infra changes needed |
+| **Legacy (realm JSON)** | Existing clients already defined in forte-realm.json (e.g., Gitea) | Platform engineer |
+
+Both methods are served by the **Keycloak Client Registrar** CronJob, which runs every 2 minutes.
+
+### Self-Service OIDC Client Registration
+
+This is the recommended flow for new applications. Your app deploys a labeled config Secret in its own namespace; the platform handles everything else.
+
+#### How It Works
+
+1. You deploy a Secret with label `keycloak.forteapps.net/client-config: "true"` containing a `client.json` definition
+2. A **Kyverno ClusterPolicy** (`keycloak-client-config-cloner`) clones it to the `keycloak` namespace
+3. The **Client Registrar CronJob** picks it up within 2 minutes:
+   - Registers (or updates) the client in Keycloak
+   - Fetches the auto-generated client secret
+   - Creates a credential Secret in your app's namespace
+   - Annotates the config Secret with sync status
+
+#### Step 1: Create the Config Secret
+
+Deploy this Secret in your application's namespace (e.g., as part of your Helm chart or Kustomize overlay):
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-myapp
+  namespace: myapp
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "myapp",
+      "name": "My Application",
+      "redirectUris": ["https://myapp.forteapps.net/*"],
+      "webOrigins": ["https://myapp.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "myapp",
+        "name": "myapp-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+```
+
+**`client.json` fields**:
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `clientId` | Yes | Keycloak client ID |
+| `name` | Yes | Display name in Keycloak |
+| `redirectUris` | Yes | Allowed redirect URIs |
+| `webOrigins` | Yes | Allowed web origins (CORS) |
+| `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) |
+| `protocolMappers` | No | Custom claim mappers (default: `[]`) |
+| `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) |
+| `secret.name` | No | Name of the credential Secret (default: `<clientId>-oidc-credentials`) |
+| `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) |
+| `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) |
+
+#### Step 2: Reference the Credential Secret
+
+In your application's deployment config, reference the credential Secret that the registrar creates:
+
+```yaml
+env:
+- name: OIDC_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-id
+- name: OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-secret
+```
+
+#### Step 3: Deploy and Wait
+
+Commit and push your changes. The credential Secret will appear within 2 minutes:
+
+```bash
+# Watch for the credential Secret to be created
+kubectl get secret myapp-oidc-credentials -n myapp -w
+
+# Check registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Check sync status on the config Secret
+kubectl get secret keycloak-client-myapp -n keycloak -o jsonpath='{.metadata.annotations}'
+```
+
+#### Change Detection
+
+The registrar computes a SHA-256 hash of `client.json` and stores it as an annotation. On subsequent runs, it skips processing if:
+- The hash hasn't changed, AND
+- The credential Secret already exists in the target namespace
+
+To force a re-sync, update any field in `client.json` (e.g., add a trailing space to `name`).
+
+### Legacy Method: Realm JSON
+
+Existing clients (like Gitea) are defined directly in `forte-realm.json` inside `keycloak-values.yaml`. The registrar syncs their secrets via client attributes.
+
+#### Step 1: Add Client to Realm Config
+
+In `infra/values/base/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
+
+```json
+{
+  "clientId": "myapp",
+  "name": "My Application",
+  "enabled": true,
+  "protocol": "openid-connect",
+  "clientAuthenticatorType": "client-secret",
+  "standardFlowEnabled": true,
+  "directAccessGrantsEnabled": false,
+  "publicClient": false,
+  "redirectUris": ["https://myapp.forteapps.net/*"],
+  "webOrigins": ["https://myapp.forteapps.net"],
+  "defaultClientScopes": ["openid", "email", "profile"],
+  "attributes": {
+    "k8s.secret.sync": "true",
+    "k8s.secret.namespace": "myapp",
+    "k8s.secret.name": "myapp-oidc-credentials",
+    "k8s.secret.client-id-key": "key",
+    "k8s.secret.client-secret-key": "secret"
+  }
+}
+```
+
+**Important**:
+- Do **NOT** include a `"secret"` field — Keycloak generates one automatically
+- The `attributes` block tells the registrar where to create the K8s Secret
+- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
+
+#### Step 2: Reference the Secret in Your Application
+
+```yaml
+existingSecret: myapp-oidc-credentials
+```
+
+#### Step 3: Commit and Push
+
+```bash
+cd ~/dev/k8s/launchpad
+git add infra/values/base/keycloak-values.yaml
+git commit -m "Add myapp Keycloak client with auto-sync"
+git push
+```
+
+ArgoCD will sync the Keycloak config, and the registrar CronJob will pick up the new client within 2 minutes.
+
+#### Legacy Sync Attribute Reference
+
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
+
+### Retrieving Secrets for External Deployments
+
+The registrar always writes a **central copy** of every synced secret to the `secrets` namespace, in addition to the target namespace. This allows operators to retrieve client credentials for applications deployed outside this cluster:
+
+```bash
+# View the central copy
+kubectl get secret gitea-oidc-credentials -n secrets -o yaml
+
+# Extract the client secret for use elsewhere
+kubectl get secret myapp-oidc-credentials -n secrets \
+  -o jsonpath='{.data.client-secret}' | base64 -d
+```
+
+### Registrar Behavior Notes
+
+- The registrar runs as a CronJob every 2 minutes (`concurrencyPolicy: Forbid`)
+- If the target namespace doesn't exist, the target write is skipped with a warning (the central copy still happens)
+- A central copy is **always** written to the `secrets` namespace for every synced client
+- The registrar uses the `keycloak-credentials` secret for admin authentication
+- Created secrets have the label `app.kubernetes.io/managed-by: keycloak-client-registrar`
+
+---
+
 ## Troubleshooting

 ### Application Not Deploying
@@ -1303,7 +1530,7 @@ kubectl exec -n myapp <pod-name> -- env
 # Check if secrets exist
 kubectl get secrets -n myapp

-# Increase resources in helm-values
+# Increase resources in helm-prod-values
 vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
 ```

@@ -1452,7 +1679,7 @@ If you're stuck:
 ### Configuration Management

 ✅ **DO**:
- Keep configuration in `helm-values` repository
+- Keep configuration in `helm-prod-values` repository
 - Use environment variables for config
 - Document what each value does
 - Use reasonable resource limits
@@ -1579,4 +1806,4 @@ Now that you understand the basics:
 - Docs: [Full documentation index](README.md)
 - Help: Contact platform team

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-16
@@ -12,16 +12,16 @@

 ## Overview

-This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on **UpCloud Managed Kubernetes** but is designed to be cloud-agnostic.
+This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster setup is **cloud-agnostic**, with ready-to-use configurations for **UpCloud**, **AWS EKS**, **Azure AKS**, and **GCP GKE**.

 ### Key Characteristics
 - **Environment**: Production (internal use only)
- **Cluster Type**: Single cluster, single environment
+- **Cluster Type**: Multi-cloud, multi-cluster via Kustomize overlays (UpCloud, AWS, Azure, GCP)
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
 - **Ingress**: Traefik with Let's Encrypt TLS
- **Monitoring**: Prometheus + Grafana + Loki + Fluent-Bit
+- **Monitoring**: Prometheus + Grafana + Loki + Tempo + Fluent-Bit
 - **Policy Engine**: Kyverno
 - **Notifications**: Slack integration for sync status

@@ -47,14 +47,14 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
         │                            │                          │
         │                            │                          │
         └────────► Update image tag ─┴──────────────────────────┘
-                    in helm-values                               │
+                    in helm-prod-values                               │
                                                                 │
                                                                 ▼
                                           ┌────────────────────────────────┐
                                           │   Config Repository            │
                                           │   (ArgoCD Applications)        │
-                                           │   github.com/snothub/          │
-                                           │   sturdy-adventure             │
+                                           │   git.forteapps.net/Forte/     │
+                                           │   launchpad                    │
                                           └────────────────────────────────┘
                                                        │
                                                        │
@@ -62,8 +62,8 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                        │
                                                        ▼
                                           ┌────────────────────────────────┐
-                                           │   Kubernetes Cluster           │
-                                           │   (UpCloud Managed)            │
+                                           │   Kubernetes Clusters          │
+                                           │   (UpCloud, AWS, Azure, GCP)    │
                                           │                                │
                                           │  ┌──────────────────────────┐  │
                                           │  │    ArgoCD                │  │
@@ -83,6 +83,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                           │  │  - Prometheus            │  │
                                           │  │  - Grafana               │  │
                                           │  │  - Loki                  │  │
+                                           │  │  - Tempo                 │  │
                                           │  │  - Fluent-Bit            │  │
                                           │  └──────────────────────────┘  │
                                           │                                │
@@ -108,87 +109,78 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ## Repository Structure

 ### 1. **Config Repository** (Current Repo)
-**Repository**: `https://github.com/fortedigital/sturdy-adventure.git`
+**Repository**: `https://git.forteapps.net/Forte/launchpad`
 **Purpose**: GitOps configuration - ArgoCD Applications and cluster resources
 **Location**: `C:\dev\k8s\launchpad`

 ```
-sturdy-adventure/
+launchpad/
 ├── bootstrap.sh                      # Cluster initialization script
-├── _app-of-apps.yaml                 # Root ArgoCD Application (App-of-Apps pattern)
+├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
+├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
-├── infra/                            # Infrastructure ArgoCD Applications
-│   ├── enterprise-apps.yaml          # Parent app managing all apps in apps/
-│   ├── cluster-resources-application.yaml
-│   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
-│   ├── kyverno.yaml
-│   ├── kyverno-policies.yaml
-│   ├── prometheus.yaml
-│   ├── grafana.yaml
-│   ├── loki.yaml
-│   ├── fluent-bit.yaml
-│   ├── trivy.yaml
-│   ├── sealedsecrets.yaml
-│   ├── secrets.yaml
+├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                       # All other Application manifests
+│   │   └── secrets.yaml
+│   ├── overlays/                     # Per-cluster Kustomize overrides
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   ├── eks-dev/                  # AWS EKS Dev
+│   │   ├── eks-prod/                # AWS EKS Prod
+│   │   ├── aks-dev/               # Azure AKS Dev
+│   │   ├── aks-prod/              # Azure AKS Prod
+│   │   ├── gke-dev/                 # GCP GKE Dev
+│   │   └── gke-prod/               # GCP GKE Prod
+│   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
-│       ├── argocd-values.yaml
-│       ├── prometheus-values.yaml
-│       ├── grafana-values.yaml
-│       ├── loki-values.yaml
-│       └── fluent-bit-values.yaml
+│       ├── base/                     # Cloud-agnostic shared values
+│       ├── upc-{dev,prod}/           # UpCloud: storage class, LB, pricing
+│       ├── aws-{dev,prod}/           # AWS: gp3, NLB, CUR pricing
+│       ├── aks-{dev,prod}/         # Azure: managed-csi-premium, Standard LB
+│       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
-├── apps/                             # Business Application ArgoCD manifests
-│   ├── mcp10x.yaml                   # MCP 10X application
-│   ├── musicman.yaml                 # Music Man application
-│   ├── dot-ai-stack.yaml             # Dot AI Stack
-│   └── argo-mcp.yaml                 # ArgoCD MCP server
+├── apps/                             # Business Application ArgoCD manifests (Kustomize)
+│   ├── base/                         # Base app manifests
+│   │   ├── kustomization.yaml
+│   │   ├── dot-ai-stack.yaml
+│   │   └── ...
+│   └── overlays/
+│       ├── upc-dev/                  # Uses base as-is
+│       └── upc-prod/                # Patches value paths
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
-│   ├── cert-manager-namespace.yaml
-│   ├── secrets-namespace.yaml
-│   ├── letsencrypt-issuer.yaml       # Let's Encrypt ClusterIssuer
-│   ├── kyverno-config.yaml
-│   ├── argocd-notifications-secret-sealed.yaml
-│   ├── snothub-repo-credentials-sealed.yaml
-│   ├── forte10x-repo-credentials-sealed.yaml
-│   ├── mcp10x-repo-credentials-sealed.yaml
+│   ├── ...
 │   └── policies/                     # Kyverno policies
-│       ├── deployment-verifier.yaml
-│       ├── label-checker.yaml
-│       ├── bare-pod-cleaner.yaml
-│       ├── replicaset-cleaner.yaml
-│       ├── default-ns-blocker.yaml
-│       ├── secret-cloner.yaml
-│       └── auth-sidecar-injector.yaml
 │
-├── secrets/                          # Application secrets (sealed)
-│   ├── argocd-mcp-credentials.yaml
-│   ├── dot-ai-secrets.yaml
-│   ├── mcp10x-credentials-sealed.yaml
-│   └── musicman-credentials.yaml
+├── secrets/                          # Application secrets (sealed, per-cluster)
+│   └── upc-dev/                      # Secrets for upc-dev cluster
 │
 ├── private/                          # Local-only files (NOT in Git)
-│   ├── *.yaml                        # Unsealed secrets
-│   └── *.sh                          # Helper scripts
 │
 └── docs/                             # Documentation
-    ├── GITOPS-ARCHITECTURE.md        # This file
-    ├── DEVELOPER-GUIDE.md
-    ├── OPERATIONS-RUNBOOK.md
-    └── REFERENCE.md
 ```

 **Key Points**:
- `_app-of-apps.yaml` is the root Application that ArgoCD monitors
- `infra/enterprise-apps.yaml` auto-discovers all apps in `apps/` folder
+- `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
+- Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
+- Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
+- `apps/` follows the same base/overlays pattern for business applications
 - Changes pushed to this repo trigger automatic syncs in ArgoCD
 - `private/` folder contains local-only files (Git-ignored)

 ---

 ### 2. **Helm Charts Repository**
-**Repository**: `https://github.com/snothub/forte-helm`
+**Repository**: `https://git.forteapps.net/Forte/forte-helm`
 **Purpose**: Reusable Helm chart templates for Forte applications
 **Location**: `C:\dev\k8s\forte-helm`

@@ -222,7 +214,7 @@ forte-helm/
 ---

 ### 3. **Helm Values Repository**
-**Repository**: `git@github.com:fortedigital/helm-values.git`
+**Repository**: `git@github.com:fortedigital/helm-prod-values.git`
 **Purpose**: Environment-specific configuration for each application
 **Location**: `C:\dev\k8s\helm-prod-values`

@@ -232,8 +224,6 @@ helm-prod-values/
 │   └── values.yaml                   # MCP 10X configuration
 ├── musicman/
 │   └── values.yaml                   # Music Man configuration
-├── mcpcoder/
-│   └── values.yaml                   # MCP Coder configuration
 └── argocd-mcp/
    └── values.yaml                   # ArgoCD MCP configuration
 ```
@@ -283,7 +273,7 @@ app-repository/
 2. Build Docker image
 3. Tag with version (e.g., `v2.0.4`)
 4. Push to container registry (GHCR, Docker Hub, etc.)
-5. Update image tag in `helm-values` repository
+5. Update image tag in `helm-prod-values` repository
 6. ArgoCD detects change and syncs automatically

 ---
@@ -293,7 +283,7 @@ app-repository/
 ### The App-of-Apps Pattern

 ```
-_app-of-apps.yaml (Root)
+_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, eks-prod, gke-dev)
    │
    ├── infrastructure-apps (manages infra/)
    │   ├── cluster-resources-application
@@ -302,6 +292,7 @@ _app-of-apps.yaml (Root)
    │   ├── kyverno
    │   ├── prometheus
    │   ├── grafana
+    │   ├── tempo
    │   └── ... (other infra apps)
    │
    └── enterprise-apps (manages apps/)
@@ -312,10 +303,10 @@ _app-of-apps.yaml (Root)
 ```

 **How It Works**:
-1. Bootstrap script installs ArgoCD and applies `_app-of-apps.yaml`
-2. ArgoCD creates the root Application which monitors `infra/` folder
-3. Each YAML in `infra/` becomes a child Application
-4. `enterprise-apps.yaml` monitors `apps/` folder and auto-discovers applications
+1. Bootstrap script installs ArgoCD and applies `_app-of-apps-upc-dev.yaml` (or `upc-prod`)
+2. ArgoCD creates the root Application which monitors the appropriate `infra/overlays/` folder
+3. Kustomize renders base Applications with cluster-specific patches
+4. `enterprise-apps` Application monitors the cluster's `apps/overlays/` folder
 5. ArgoCD continuously syncs (every 60s) and auto-heals drift

 ### Sync Waves & Ordering
@@ -343,13 +334,13 @@ Applications like `mcp10x` and `musicman` use multiple sources:
 ```yaml
 spec:
  sources:
-  - repoURL: https://github.com/snothub/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp                     # Helm chart templates
    helm:
      valueFiles:
      - $values/mcp10x/values.yaml     # Reference to second source

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values                        # Named reference
 ```
@@ -360,6 +351,43 @@ spec:
 - Easy to update all apps by changing the chart
 - Environment-specific values isolated in separate repo

+### Multi-Cluster Pattern
+
+Kustomize overlays enable deploying the same Applications across clusters with different configurations:
+
+```yaml
+# infra/base/ contains default (upc-dev) Applications
+# Helm values are layered: base + cluster-specific
+valueFiles:
+- $values/infra/values/base/traefik-values.yaml    # Shared config
+- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
+
+# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
+patches:
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/traefik-values.yaml
+```
+
+Cloud-specific values (storage classes, load balancer annotations, cost model) are isolated in per-cluster value files. Base values are fully cloud-agnostic:
+
+| Cloud | Storage Class | Load Balancer | OpenCost Provider |
+|-------|--------------|---------------|-------------------|
+| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud LB (ProxyProtocol v2) | Custom pricing |
+| **AWS EKS** | `gp3` (EBS CSI) | NLB (ProxyProtocol v2) | AWS CUR |
+| **Azure AKS** | `managed-csi-premium` | Standard LB (`externalTrafficPolicy: Local`) | Azure Billing API |
+| **GCP GKE** | `premium-rwo` (PD CSI) | L4 passthrough NLB | GCP Cloud Billing |
+
+**Benefits**:
+- Single source of truth for Application definitions
+- Cluster-specific values isolated per overlay
+- Easy to add new clusters by creating a new overlay
+- Base values shared across all clusters reduce duplication
+
 ---

 ## CI/CD Pipeline
@@ -389,8 +417,8 @@ jobs:

      - name: Update Helm values
        run: |
-          git clone git@github.com:fortedigital/helm-values.git
-          cd helm-values/app
+          git clone git@github.com:fortedigital/helm-prod-values.git
+          cd helm-prod-values/app
          sed -i "s/tag: .*/tag: $VERSION/" values.yaml
          git commit -am "Update app to $VERSION"
          git push
@@ -402,12 +430,12 @@ jobs:

 1. **Config Repo Change**:
   - Developer updates `apps/myapp.yaml`
-   - Pushes to `sturdy-adventure` repo
+   - Pushes to `launchpad` repo
   - ArgoCD detects change (60s reconciliation)
   - Syncs application to cluster

 2. **Helm Values Change**:
-   - CI/CD updates `helm-values/myapp/values.yaml`
+   - CI/CD updates `helm-prod-values/myapp/values.yaml`
   - ArgoCD detects change
   - Pulls new Helm chart with updated values
   - Applies to cluster
@@ -489,7 +517,6 @@ git commit -m "Add app credentials"
 **Private Repository Credentials** stored as SealedSecrets:

 ```yaml
-# cluster-resources/snothub-repo-credentials-sealed.yaml
 # cluster-resources/forte10x-repo-credentials-sealed.yaml
 ```

@@ -528,8 +555,9 @@ annotations:
 1. **Prometheus**: Metrics collection and storage
 2. **Grafana**: Metrics visualization and dashboards
 3. **Loki**: Log aggregation
-4. **Fluent-Bit**: Log shipping from pods to Loki
-5. **Trivy**: Container vulnerability scanning
+4. **Tempo**: Distributed tracing (OTLP)
+5. **Fluent-Bit**: Log shipping from pods to Loki
+6. **Trivy**: Container vulnerability scanning

 ### Slack Notifications

@@ -558,7 +586,7 @@ Notifications include:

 **Rebuild Process**:
 1. Provision new Kubernetes cluster
-2. Clone `sturdy-adventure` repository
+2. Clone `launchpad` repository
 3. Run `./bootstrap.sh`
 4. ArgoCD installs and syncs all applications
 5. Manually recreate unsealed secrets and seal them
@@ -614,7 +642,7 @@ Notifications include:
 ✅ **DO**:
 - Follow the `forteapp` chart pattern
 - Use semantic versioning for image tags
- Update helm-values via CI/CD
+- Update helm-prod-values via CI/CD
 - Test locally with Docker Compose
 - Document environment variables

@@ -635,6 +663,6 @@ Notifications include:

 ---

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Questions?**: Contact #platform-support on Slack
@@ -37,7 +37,7 @@ Bootstrap a new cluster from scratch:

 #### Prerequisites

-1. **Kubernetes cluster running** (UpCloud or any K8s cluster)
+1. **Kubernetes cluster running** (UpCloud, AWS EKS, Azure AKS, GCP GKE, or any K8s cluster)
 2. **kubectl configured** with admin access
 3. **Repositories cloned** locally

@@ -51,14 +51,16 @@ kubectl get nodes

 ```bash
 # 1. Clone config repository
-git clone https://github.com/fortedigital/sturdy-adventure.git
-cd sturdy-adventure
+git clone https://git.forteapps.net/Forte/launchpad
+cd launchpad

-# 2. Set cluster name (optional)
-export CLUSTER_NAME="prod-cluster-01"
+# 2. Run bootstrap script with cluster target
+# Available clusters: upc-dev, upc-prod, eks-dev, eks-prod,
+#                     aks-dev, aks-prod, gke-dev, gke-prod
+./bootstrap.sh upc-dev

-# 3. Run bootstrap script
-./bootstrap.sh
+# Cluster config is loaded from clusters/<cluster>.yaml
+# (cloudProvider, trustedIPs, domain, etc.)
 ```

 **What Happens:**
@@ -85,7 +87,8 @@ kubectl get applications -n argocd

 1. **Configure DNS** for ingress domains:
   - `argocd.127.0.0.1.nip.io` (local dev)
-   - `*.forteapps.net` (production)
+   - `*.forteapps.net` (dev)
+   - `*.fortedigital.com` (production)

 2. **Verify Let's Encrypt certificates**:
   ```bash
@@ -107,7 +110,7 @@ kubectl get applications -n argocd

 ### ArgoCD Repository Access Setup

-ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.
+ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for Gitea repositories.

 #### Why Deploy Keys?

@@ -119,7 +122,7 @@ ArgoCD needs SSH access to private Git repositories to pull manifests and Helm v
 #### Prerequisites

 - kubectl access to the cluster
- Write access to the GitHub repository
+- Write access to the Gitea repository
 - ArgoCD installed and running

 #### Setup Procedure
@@ -130,25 +133,25 @@ Generate a dedicated SSH key for ArgoCD without a passphrase (required for autom

 ```bash
 # Generate ED25519 key (recommended - smaller and more secure)
-ssh-keygen -t ed25519 -C "argocd-deploy-key-sturdy-adventure" -f argocd-deploy-key -N ""
+ssh-keygen -t ed25519 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key -N ""

 # Or RSA key if ED25519 is not supported
-ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-sturdy-adventure" -f argocd-deploy-key -N ""
+ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key -N ""
 ```

 This creates two files:
 - `argocd-deploy-key` - Private key (keep secret)
- `argocd-deploy-key.pub` - Public key (add to GitHub)
+- `argocd-deploy-key.pub` - Public key (add to Gitea)

-**Step 2: Add Public Key to GitHub**
+**Step 2: Add Public Key to Gitea**

 1. Copy the public key:
   ```bash
   cat argocd-deploy-key.pub
   ```

-2. Go to GitHub repository settings:
-   - Navigate to: `https://github.com/fortedigital/sturdy-adventure/settings/keys`
+2. Go to Gitea repository settings:
+   - Navigate to: `https://git.forteapps.net/Forte/launchpad/settings/keys`
   - Or: Repository → Settings → Deploy keys

 3. Click **"Add deploy key"**
@@ -157,90 +160,45 @@ This creates two files:
   - ☐ Allow write access (leave unchecked - read-only is sufficient)
   - Click **"Add key"**

-4. Repeat for the `helm-values` repository if it's private:
+4. Repeat for the `helm-prod-values` repository if it's private:
   ```bash
-   # Generate separate key for helm-values repo
-   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
+   # Generate separate key for helm-prod-values repo
+   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-prod-values" -f argocd-helm-prod-values-key -N ""

-   # Add to: https://github.com/fortedigital/helm-values/settings/keys
+   # Add to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
   ```

 **Step 3: Create Kubernetes Secret**

 Add the private key to ArgoCD as a repository secret:

+Save the following file in private/ (gitignored) folder as secret.yaml
 ```bash
-# Create secret for sturdy-adventure repository
-kubectl create secret generic repo-sturdy-adventure \
-  --from-file=sshPrivateKey=argocd-deploy-key \
-  --namespace=argocd \
-  --dry-run=client -o yaml | kubectl apply -f -
-
-# Label it for ArgoCD to recognize
-kubectl label secret repo-sturdy-adventure \
-  -n argocd \
-  argocd.argoproj.io/secret-type=repository
-
-# Add repository annotations
-kubectl annotate secret repo-sturdy-adventure \
-  -n argocd \
-  managed-by=argocd.argoproj.io
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: forte-helm-repo
+    namespace: argocd
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  stringData:
+    type: git
+    url: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    sshPrivateKey: |
+      <paste your private key here>
+    project: default
 ```
-
-Alternatively, create a complete repository secret with all metadata:
-
+Seal the secret using `kubeseal` command 
 ```bash
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: repo-sturdy-adventure
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repository
-  annotations:
-    managed-by: argocd.argoproj.io
-type: Opaque
-stringData:
-  type: git
-  url: git@github.com:fortedigital/sturdy-adventure.git
-  sshPrivateKey: |
-$(cat argocd-deploy-key | sed 's/^/    /')
-EOF
+kubeseal --format=yaml \
+  --namespace=argocd \
+  < private/secret.yaml \
+  > secrets/forte-helm-repo-secret-sealed.yaml
 ```

 **Step 4: Register Repository in ArgoCD**

-Add the repository to ArgoCD's configuration:
-
-```bash
-# Via kubectl (recommended for GitOps)
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: repo-sturdy-adventure
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repository
-type: Opaque
-stringData:
-  type: git
-  url: git@github.com:fortedigital/sturdy-adventure.git
-  sshPrivateKey: |
-$(cat argocd-deploy-key | sed 's/^/    /')
-  insecure: "false"
-  enableLfs: "false"
-EOF
-
-# Or via ArgoCD UI
-# 1. Open ArgoCD UI: kubectl port-forward svc/argocd-server -n argocd 8080:443
-# 2. Navigate to: Settings → Repositories → Connect Repo
-# 3. Connection Method: Via SSH
-# 4. Repository URL: git@github.com:fortedigital/sturdy-adventure.git
-# 5. SSH private key: Paste private key content
-# 6. Click "Connect"
-```
+Check in secrets/forte-helm-repo-secret-sealed.yaml and let Argo sync and create the secret.

 **Step 5: Verify Repository Access**

@@ -252,7 +210,7 @@ kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 # Settings → Repositories → Should show "Successful" status

 # Test by creating an application
-kubectl apply -f _app-of-apps.yaml
+kubectl apply -f _app-of-apps-upc-dev.yaml   # or _app-of-apps-upc-prod.yaml

 # Check application sync status
 kubectl get applications -n argocd
@@ -272,7 +230,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: main
    path: cluster-resources
  destination:
@@ -315,15 +273,15 @@ rm /tmp/test-repo-access.yaml
   # Generate new key
   ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""

-   # Add new public key to GitHub (keep old key for now)
+   # Add new public key to Gitea (keep old key for now)

   # Update Kubernetes secret
-   kubectl create secret generic repo-sturdy-adventure \
+   kubectl create secret generic repo-launchpad \
     --from-file=sshPrivateKey=argocd-new-key \
     --namespace=argocd \
     --dry-run=client -o yaml | kubectl apply -f -

-   # Test access, then remove old deploy key from GitHub
+   # Test access, then remove old deploy key from Gitea

   # Clean up
   shred -u argocd-new-key
@@ -334,8 +292,8 @@ rm /tmp/test-repo-access.yaml
   # List all repository secrets
   kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository

-   # Review deploy keys in GitHub
-   # Visit: https://github.com/fortedigital/sturdy-adventure/settings/keys
+   # Review deploy keys in Gitea
+   # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
   ```

 4. **Use Different Keys per Repository**
@@ -349,27 +307,27 @@ rm /tmp/test-repo-access.yaml

 ```bash
 # Check if secret exists
-kubectl get secret repo-sturdy-adventure -n argocd
+kubectl get secret repo-launchpad -n argocd

 # Verify secret has correct label
-kubectl get secret repo-sturdy-adventure -n argocd -o yaml | grep argocd.argoproj.io/secret-type
+kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/secret-type

 # Check ArgoCD application controller logs
 kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"

-# Verify deploy key is added to GitHub
-# Visit: https://github.com/fortedigital/sturdy-adventure/settings/keys
+# Verify deploy key is added to Gitea
+# Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
 ```

 **Issue: "Host key verification failed"**

 ```bash
-# Add GitHub to known_hosts
+# Add Gitea to known_hosts
 kubectl exec -n argocd deployment/argocd-repo-server -- \
-  ssh-keyscan github.com >> ~/.ssh/known_hosts
+  ssh-keyscan git.forteapps.net >> ~/.ssh/known_hosts

 # Or disable strict host key checking (less secure)
-kubectl patch secret repo-sturdy-adventure -n argocd \
+kubectl patch secret repo-launchpad -n argocd \
  --type merge \
  -p '{"stringData":{"insecure":"true"}}'
 ```
@@ -381,7 +339,7 @@ kubectl patch secret repo-sturdy-adventure -n argocd \
 kubectl logs -n argocd deployment/argocd-repo-server

 # Refresh repository connection
-kubectl delete secret repo-sturdy-adventure -n argocd
+kubectl delete secret repo-launchpad -n argocd
 # Recreate secret (see Step 3 above)

 # Restart ArgoCD components
@@ -391,34 +349,34 @@ kubectl rollout restart deployment argocd-application-controller -n argocd

 #### Multiple Repository Setup

-For the three-repository pattern (sturdy-adventure, forte-helm, helm-values):
+For the three-repository pattern (launchpad, forte-helm, helm-prod-values):

 ```bash
-# 1. sturdy-adventure (main config repo)
-ssh-keygen -t ed25519 -C "argocd-sturdy-adventure" -f key-sturdy -N ""
-# Add key-sturdy.pub to: https://github.com/fortedigital/sturdy-adventure/settings/keys
+# 1. launchpad (main config repo)
+ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
+# Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys

-# 2. helm-values (private values repo)
-ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
-# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
+# 2. helm-prod-values (private values repo)
+ssh-keygen -t ed25519 -C "argocd-helm-prod-values" -f key-helm-prod-values -N ""
+# Add key-helm-prod-values.pub to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys

-# 3. forte-helm is public - no key needed (use HTTPS)
+# 3. forte-helm (private helm charts repo)

 # Create secrets
-kubectl create secret generic repo-sturdy-adventure \
+kubectl create secret generic repo-launchpad \
  --from-file=sshPrivateKey=key-sturdy \
  --namespace=argocd --dry-run=client -o yaml | \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -

-kubectl create secret generic repo-helm-values \
-  --from-file=sshPrivateKey=key-helm-values \
+kubectl create secret generic repo-helm-prod-values \
+  --from-file=sshPrivateKey=key-helm-prod-values \
  --namespace=argocd --dry-run=client -o yaml | \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -

 # Clean up keys
-shred -u key-sturdy key-helm-values
+shred -u key-sturdy key-helm-prod-values
 ```

 #### Converting HTTPS to SSH
@@ -430,12 +388,12 @@ If you're currently using HTTPS and want to switch to SSH:

 # 2. Update all Application manifests
 # Change from:
-#   repoURL: https://github.com/fortedigital/sturdy-adventure.git
+#   repoURL: https://git.forteapps.net/Forte/launchpad
 # To:
-#   repoURL: git@github.com:fortedigital/sturdy-adventure.git
+#   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git

 # 3. Update and commit
-find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
+find . -name "*.yaml" -type f -exec sed -i 's|https://git.forteapps.net/Forte/|git@git.forteapps.net:Forte/|g' {} +

 git add .
 git commit -m "Switch from HTTPS to SSH for repository access"
@@ -539,7 +497,7 @@ spec:
 See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for detailed steps.

 **Quick checklist:**
- [ ] Create `helm-values/myapp/values.yaml`
+- [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
 - [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
@@ -604,7 +562,7 @@ kubectl scale deployment myapp -n myapp --replicas=3

 #### GitOps Scaling

-Update `helm-values/myapp/values.yaml`:
+Update `helm-prod-values/myapp/values.yaml`:

 ```yaml
 app:
@@ -618,7 +576,7 @@ Commit and push - ArgoCD will sync.
 Enable Horizontal Pod Autoscaler:

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
  hpa:
    enabled: true
@@ -667,7 +625,7 @@ kubectl rollout undo deployment myapp -n myapp
 #### Option 3: Change Image Tag

 ```bash
-# Edit helm-values
+# Edit helm-prod-values
 cd ~/dev/k8s/helm-prod-values
 vim myapp/values.yaml

@@ -687,7 +645,7 @@ git push
 #### Update Resource Limits

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
  resources:
    requests:
@@ -701,7 +659,7 @@ app:
 #### Enable Database

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 db:
  enabled: true
  persistence:
@@ -999,6 +957,33 @@ curl -G -s 'http://localhost:3100/loki/api/v1/query_range' \
  --data-urlencode 'start=1h' | jq
 ```

+### Tempo Traces
+
+```bash
+# Port forward to Tempo query API
+kubectl port-forward -n monitoring svc/tempo 3200:3200
+
+# Access: http://localhost:3200
+```
+
+**Query traces via Grafana:**
+1. Open Grafana → Explore
+2. Select Tempo datasource
+3. Use TraceQL or search by service name
+
+**Verify Traefik is sending traces:**
+```bash
+# Check Traefik logs for OTLP export errors
+kubectl logs -n traefik-system -l app.kubernetes.io/name=traefik | grep -i "traces export"
+
+# Check Tempo is receiving data
+kubectl logs -n monitoring -l app.kubernetes.io/name=tempo | grep "receiver"
+```
+
+**Trace-to-log correlation:**
+- Click a trace span in Grafana → linked Loki logs appear (by namespace, pod, container)
+- Trace-to-metrics links to Prometheus by service name
+
 ### Fluent-Bit Log Shipping

 Verify Fluent-Bit is shipping logs:
@@ -1279,13 +1264,21 @@ spec:

 ### Backup Strategy

-**Current State**: No automated backups
+**Current State**: Gitea daily backups to S3-compatible storage

-**What Needs Backup**:
- ❌ Cluster state (not backed up - recreate via GitOps)
- ❌ Persistent volumes (currently not critical)
- ✅ Git repositories (GitHub provides backup)
- ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
+**What Is Backed Up**:
+- ✅ Gitea repositories + database: Daily CronJob (`cluster-resources/gitea-backup-cronjob.yaml`) uploads to S3-compatible storage with 7-day retention
+- ✅ Git repositories: Full cluster config recoverable from Git
+- ⚠️ Secrets: Sealed secrets in Git; unseal keys need safekeeping
+
+**What Is NOT Backed Up**:
+- ❌ Cluster state (recreate via GitOps)
+- ❌ Other persistent volumes (Prometheus, Loki, Tempo data)
+
+**Per-cloud backup scripts** (manual restore helpers):
+- UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-eks.sh` (MinIO CLI, S3-compatible)
+- Azure: `scripts/gitea-backup-aks.sh` (Azure CLI + Blob Storage)
+- GCP: `scripts/gitea-backup-gke.sh` (gsutil + GCS)

 ### Cluster Rebuild

@@ -1370,13 +1363,13 @@ kubectl get deployment argocd-server -n argocd \
  -o jsonpath='{.spec.template.spec.containers[0].image}'

 # Update version in values
-vim infra/values/argocd-values.yaml
+vim infra/values/base/argocd-values.yaml

 # Or upgrade via Helm directly
 helm upgrade argocd argo-cd \
  --repo https://argoproj.github.io/argo-helm \
  --namespace argocd \
-  --values infra/values/argocd-values.yaml \
+  --values infra/values/base/argocd-values.yaml \
  --version 6.0.0  # New version

 # Verify
@@ -1387,6 +1380,9 @@ kubectl get pods -n argocd

 ```bash
 # UpCloud: Upgrade via control panel or CLI
+# AWS EKS: eksctl upgrade cluster / AWS Console
+# Azure AKS: az aks upgrade / Azure Portal
+# GCP GKE: gcloud container clusters upgrade / Cloud Console

 # After upgrade, verify cluster
 kubectl version
@@ -1472,8 +1468,8 @@ kubectl top pods --all-namespaces --sort-by=cpu
 Example: Adding Redis

 ```bash
-# 1. Create application manifest
-cat > infra/redis-application.yaml <<EOF
+# 1. Create application manifest in base/
+cat > infra/base/redis-application.yaml <<EOF
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -1483,15 +1479,17 @@ metadata:
    argocd.argoproj.io/sync-wave: "1"
 spec:
  project: default
-  source:
-    repoURL: https://charts.bitnami.com/bitnami
+  sources:
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: redis
    targetRevision: 18.0.0
    helm:
-      values: |
-        auth:
-          enabled: true
-          password: changeme
+      releaseName: redis
+      valueFiles:
+      - \$values/infra/values/base/redis-values.yaml
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: redis
@@ -1503,30 +1501,54 @@ spec:
    - CreateNamespace=true
 EOF

-# 2. Commit and push
-git add infra/redis-application.yaml
+# 2. Add to base kustomization
+# Edit infra/base/kustomization.yaml and add: - redis-application.yaml
+
+# 3. Create base values file
+cat > infra/values/base/redis-values.yaml <<EOF
+auth:
+  enabled: true
+EOF
+
+# 4. Commit and push
+git add infra/base/redis-application.yaml infra/values/base/redis-values.yaml infra/base/kustomization.yaml
 git commit -m "Add Redis infrastructure component"
 git push

-# 3. ArgoCD will auto-sync within 60 seconds
+# 5. ArgoCD will auto-sync within 60 seconds
 ```

-### Multi-Cluster Setup (Future)
+### Multi-Cluster Setup

-For multi-cluster deployments:
+The repository supports multiple clusters across multiple clouds via Kustomize overlays:

-```yaml
-# Different destinations per environment
-# dev-cluster
-destination:
-  server: https://dev.k8s.example.com
-  namespace: myapp
+**Active clusters:**
+- **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
+- **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`

-# prod-cluster
-destination:
-  server: https://prod.k8s.example.com
-  namespace: myapp
-```
+**Cloud-ready templates (fill in `clusters/*.yaml` before use):**
+- **eks-dev** / **eks-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
+- **aks-dev** / **aks-prod**: Azure AKS with Standard LB, managed-csi-premium storage
+- **gke-dev** / **gke-prod**: GCP GKE with L4 LB, premium-rwo storage
+
+Each cluster has its own:
+- Root app-of-apps: `_app-of-apps-{cluster}.yaml`
+- Cluster config: `clusters/{cluster}.yaml` (domain, trustedIPs, cloudProvider)
+- Kustomize overlay: `infra/overlays/{cluster}/kustomization.yaml`
+- Helm value overrides: `infra/values/{cluster}/` (traefik, gitea, opencost)
+- Sealed secrets: `secrets/{cluster}/` (as needed)
+- Apps overlay: `apps/overlays/{cluster}/`
+
+Cloud-specific values handled per-cluster:
+
+| Concern | UpCloud | AWS EKS | Azure AKS | GCP GKE |
+|---------|---------|---------|-----------|---------|
+| **Storage class** | `upcloud-block-storage-maxiops` | `gp3` | `managed-csi-premium` | `premium-rwo` |
+| **Load balancer** | UpCloud LB + ProxyProtocol v2 | NLB + ProxyProtocol v2 | Standard LB + `externalTrafficPolicy: Local` | L4 passthrough NLB |
+| **Cost monitoring** | Custom pricing | AWS CUR | Azure Billing API | GCP Cloud Billing |
+| **Backup storage** | UpCloud S3-compat | AWS S3 (native) | Azure Blob Storage | GCS |
+
+To add a new cluster, create a new overlay directory (e.g., `infra/overlays/eks-staging/`) with patches that swap the value file paths, and a matching `clusters/eks-staging.yaml`.

 ### Blue-Green Deployments

@@ -1570,7 +1592,7 @@ git push
 kubectl scale deployment myapp -n myapp --replicas=0

 # Update Git
-vim helm-values/myapp/values.yaml
+vim helm-prod-values/myapp/values.yaml
 # Set replicaCount: 0
 git commit -am "Scale down myapp for maintenance"
 git push
@@ -1643,7 +1665,7 @@ echo "Remember to delete: $SECRET_FILE"

 - [ ] Application code repository created
 - [ ] Dockerfile created and tested
- [ ] GitHub Actions workflow configured
+- [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
 - [ ] Secrets created and sealed
@@ -1669,6 +1691,6 @@ echo "Remember to delete: $SECRET_FILE"

 ---

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Emergency Contact**: #platform-support on Slack
@@ -180,7 +180,7 @@ Reference for:
                            │
                            ▼
 ┌──────────────────────────────────────────────────────────────┐
-│               Kubernetes Cluster (UpCloud)                    │
+│          Kubernetes Clusters (UpCloud, AWS, Azure, GCP)       │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies

 - **GitOps**: ArgoCD
- **Kubernetes**: UpCloud Managed Kubernetes
+- **Kubernetes**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno
@@ -299,11 +299,16 @@ docs/
 ## 🔄 Documentation Versions

 **Current Version**: 1.0.0
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team

 ### Changelog

+- **v1.1.0 (2026-04-22)**: Multi-cloud support
+  - Cloud-agnostic base values (storage, LB, pricing moved to per-cluster overlays)
+  - Added AWS EKS, Azure AKS, GCP GKE configurations
+  - Per-cloud backup scripts
+  - Updated all documentation
 - **v1.0.0 (2026-03-16)**: Initial comprehensive documentation release
  - GitOps Architecture guide
  - Developer Onboarding guide
@@ -48,10 +48,10 @@ spec:
        resources:
          requests:
            cpu: 50m
-            memory: 64Mi
+            memory: 128Mi
          limits:
            cpu: 100m
-            memory: 128Mi
+            memory: 256Mi

        # Service account
        serviceAccount:
@@ -15,9 +15,11 @@ spec:
  project: default

  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: cluster-resources
+    directory:
+      exclude: 'network'

  destination:
    server: https://kubernetes.default.svc
@@ -16,9 +16,9 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: apps
+    path: apps/overlays/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: apps
@@ -21,9 +21,9 @@ spec:
    helm:
      releaseName: fluent-bit
      valueFiles:
-      - $values/infra/values/fluent-bit-values.yaml
+      - $values/infra/values/base/fluent-bit-values.yaml

-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values

@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea-actions
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: gitea-actions
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://dl.gitea.com/charts
+    chart: actions
+    targetRevision: "0.0.5"
+    helm:
+      releaseName: gitea-actions
+      valueFiles:
+      - $values/infra/values/base/gitea-actions-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: gitea
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://dl.gitea.com/charts
+    chart: gitea
+    targetRevision: "12.5.0"
+    helm:
+      releaseName: gitea
+      valueFiles:
+      - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/upc-dev/gitea-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: gitea
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
+  - group: v1
+    kind: Secret
+    jsonPointers:
+    - /data/postgres-password
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana-dashboards
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: grafana-dashboards
+    app.kubernetes.io/part-of: monitoring
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/dashboards
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
@@ -21,9 +21,10 @@ spec:
    helm:
      releaseName: grafana
      valueFiles:
-      - $values/infra/values/grafana-values.yaml
+      - $values/infra/values/base/grafana-values.yaml
+      - $values/infra/values/upc-dev/grafana-values.yaml

-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values

@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: karpor
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: karpor
+    app.kubernetes.io/part-of: developer-portal
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://kusionstack.github.io/charts
+    chart: karpor
+    targetRevision: "0.7.6"
+    helm:
+      releaseName: karpor
+      valueFiles:
+      - $values/infra/values/base/karpor-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: karpor
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
@@ -15,15 +15,16 @@ spec:
  project: default

  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
+  - repoURL: registry-1.docker.io/bitnamicharts
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
      releaseName: keycloak
      valueFiles:
-      - $values/infra/values/keycloak-values.yaml
+      - $values/infra/values/base/keycloak-values.yaml
+      - $values/infra/values/upc-dev/keycloak-values.yaml

-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values

@@ -40,3 +41,13 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- traefik-application.yaml
+- keycloak.yaml
+- grafana.yaml
+- cert-manager-application.yaml
+- kyverno.yaml
+- sealedsecrets.yaml
+- prometheus.yaml
+- loki.yaml
+- fluent-bit.yaml
+- enterprise-apps.yaml
+- cluster-resources-application.yaml
+- kyverno-policies.yaml
+- secrets.yaml
+- gitea.yaml
+- gitea-actions.yaml
+- opencost.yaml
+- renovate.yaml
+- tempo.yaml
+- grafana-dashboards.yaml
+- karpor.yaml
@@ -15,7 +15,7 @@ spec:
  project: default

  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: cluster-resources/policies

@@ -39,6 +39,10 @@ spec:
    targetRevision: v3.7.0 # Update to latest stable version
    helm:
      releaseName: kyverno
+      valuesObject:
+        grafana:
+          enabled: true
+          namespace: monitoring

  destination:
    server: https://kubernetes.default.svc
@@ -21,9 +21,9 @@ spec:
    helm:
      releaseName: loki
      valueFiles:
-      - $values/infra/values/loki-values.yaml
+      - $values/infra/values/base/loki-values.yaml

-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values

@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opencost
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: opencost
+    app.kubernetes.io/part-of: monitoring
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://opencost.github.io/opencost-helm-chart
+    chart: opencost
+    targetRevision: "1.42.0"
+    helm:
+      releaseName: opencost
+      valueFiles:
+      - $values/infra/values/base/opencost-values.yaml
+      - $values/infra/values/upc-dev/opencost-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
@@ -21,9 +21,9 @@ spec:
    helm:
      releaseName: prometheus
      valueFiles:
-      - $values/infra/values/prometheus-values.yaml
+      - $values/infra/values/base/prometheus-values.yaml

-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: renovate
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ghcr.io/renovatebot/charts
+    chart: renovate
+    targetRevision: "46.109.0"
+    helm:
+      releaseName: renovate
+      valueFiles:
+      - $values/infra/values/base/renovate-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: renovate
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
@@ -17,8 +17,8 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    path: secrets
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    path: secrets/overlays/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: secrets
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: tempo
+    app.kubernetes.io/part-of: monitoring
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://grafana.github.io/helm-charts
+    chart: tempo
+    targetRevision: "1.24.4"
+    helm:
+      releaseName: tempo
+      valueFiles:
+      - $values/infra/values/base/tempo-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://traefik.github.io/charts
+    chart: traefik
+    targetRevision: "28.0.0"
+    helm:
+      releaseName: traefik
+      valueFiles:
+      - $values/infra/values/base/traefik-values.yaml
+      - $values/infra/values/upc-dev/traefik-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: traefik-system
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
@@ -0,0 +1,148 @@
+{
+  "annotations": {
+    "list": []
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "title": "Log Volume",
+      "type": "timeseries",
+      "gridPos": {
+        "h": 6,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "datasource": {
+        "type": "loki",
+        "uid": "loki"
+      },
+      "targets": [
+        {
+          "expr": "sum(count_over_time({namespace=\"dot-ai\"} [1m])) by (pod)",
+          "legendFormat": "{{pod}}",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "bars",
+            "fillOpacity": 50,
+            "stacking": {
+              "mode": "normal"
+            }
+          }
+        },
+        "overrides": []
+      }
+    },
+    {
+      "title": "Logs by Pod",
+      "type": "logs",
+      "gridPos": {
+        "h": 16,
+        "w": 24,
+        "x": 0,
+        "y": 6
+      },
+      "datasource": {
+        "type": "loki",
+        "uid": "loki"
+      },
+      "targets": [
+        {
+          "expr": "{namespace=\"dot-ai\", pod=~\"$pod\"} | json log=\"log\", message=\"message\", msg=\"msg\", level=\"level\", stream=\"stream\" | label_format level=`{{if .level}}{{.level}}{{else if eq .stream \"stderr\"}}error{{else}}info{{end}}` | line_format `{{.pod}}  |{{or .message .msg .log}}`",
+          "refId": "A"
+        }
+      ],
+      "options": {
+        "showTime": true,
+        "showLabels": false,
+        "showCommonLabels": false,
+        "wrapLogMessage": true,
+        "prettifyLogMessage": false,
+        "enableLogDetails": true,
+        "sortOrder": "Descending",
+        "dedupStrategy": "none",
+        "displayedFields": [
+          "pod",
+          "level"
+        ]
+      }
+    },
+    {
+      "title": "Errors & Warnings",
+      "type": "logs",
+      "gridPos": {
+        "h": 10,
+        "w": 24,
+        "x": 0,
+        "y": 22
+      },
+      "datasource": {
+        "type": "loki",
+        "uid": "loki"
+      },
+      "targets": [
+        {
+          "expr": "{namespace=\"dot-ai\", pod=~\"$pod\"} | json log=\"log\", message=\"message\", msg=\"msg\", level=\"level\", stream=\"stream\" | label_format level=`{{if .level}}{{.level}}{{else if eq .stream \"stderr\"}}error{{else}}info{{end}}` | level=~`error|warn|warning|fatal|panic` | line_format `{{.pod}}  |{{or .message .msg .log}}`",
+          "refId": "A"
+        }
+      ],
+      "options": {
+        "showTime": true,
+        "showLabels": false,
+        "showCommonLabels": false,
+        "wrapLogMessage": true,
+        "prettifyLogMessage": false,
+        "enableLogDetails": true,
+        "sortOrder": "Descending",
+        "dedupStrategy": "none",
+        "displayedFields": [
+          "pod",
+          "level"
+        ]
+      }
+    }
+  ],
+  "schemaVersion": 39,
+  "tags": [
+    "dot-ai",
+    "logs",
+    "loki"
+  ],
+  "templating": {
+    "list": [
+      {
+        "name": "pod",
+        "type": "query",
+        "datasource": {
+          "type": "loki",
+          "uid": "loki"
+        },
+        "query": {
+          "label": "pod",
+          "stream": "{namespace=\"dot-ai\"}",
+          "type": 1
+        },
+        "includeAll": true,
+        "multi": true,
+        "current": {
+          "selected": true,
+          "text": "All",
+          "value": "$__all"
+        }
+      }
+    ]
+  },
+  "time": {
+    "from": "now-1h",
+    "to": "now"
+  },
+  "title": "dot-ai Logs",
+  "uid": "dot-ai-logs"
+}
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+
+generatorOptions:
+  disableNameSuffixHash: true
+  labels:
+    grafana_dashboard: "1"
+
+configMapGenerator:
+- name: grafana-dashboard-traefik-loki
+  files:
+  - traefik-loki.json
+- name: grafana-dashboard-dot-ai-logs
+  files:
+  - dot-ai-logs.json
+- name: grafana-dashboard-opencost
+  files:
+  - opencost.json
+- name: grafana-dashboard-pod-security
+  files:
+  - pod-security.json
@@ -0,0 +1,399 @@
+{
+  "annotations": {
+    "list": []
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 1,
+  "links": [],
+  "panels": [
+    {
+      "title": "Enforced Denials",
+      "description": "Pods rejected by Pod Security Standards (enforce mode)",
+      "type": "stat",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 5, "w": 6, "x": 0, "y": 0 },
+      "targets": [
+        {
+          "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[$__range])) or vector(0)",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "noValue": "0",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "value": null, "color": "green" },
+              { "value": 1, "color": "red" }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "reduceOptions": { "calcs": ["lastNotNull"] },
+        "colorMode": "background",
+        "textMode": "auto"
+      }
+    },
+    {
+      "title": "Audit Violations",
+      "description": "Pods that violate audit-level policy (allowed but logged)",
+      "type": "stat",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 5, "w": 6, "x": 6, "y": 0 },
+      "targets": [
+        {
+          "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"audit\"}[$__range])) or vector(0)",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "noValue": "0",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "value": null, "color": "green" },
+              { "value": 1, "color": "orange" }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "reduceOptions": { "calcs": ["lastNotNull"] },
+        "colorMode": "background",
+        "textMode": "auto"
+      }
+    },
+    {
+      "title": "Warnings",
+      "description": "Pods that triggered warn-level policy (allowed with warning)",
+      "type": "stat",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 5, "w": 6, "x": 12, "y": 0 },
+      "targets": [
+        {
+          "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"warn\"}[$__range])) or vector(0)",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "noValue": "0",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "value": null, "color": "green" },
+              { "value": 1, "color": "yellow" }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "reduceOptions": { "calcs": ["lastNotNull"] },
+        "colorMode": "background",
+        "textMode": "auto"
+      }
+    },
+    {
+      "title": "Total Evaluations",
+      "description": "All pod security evaluations across all modes",
+      "type": "stat",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 5, "w": 6, "x": 18, "y": 0 },
+      "targets": [
+        {
+          "expr": "sum(increase(pod_security_evaluations_total[$__range])) or vector(0)",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "noValue": "0",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "value": null, "color": "blue" }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "reduceOptions": { "calcs": ["lastNotNull"] },
+        "colorMode": "background",
+        "textMode": "auto"
+      }
+    },
+    {
+      "title": "Violation Rate by Mode",
+      "description": "Rate of policy violations over time, grouped by enforcement mode",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 5 },
+      "targets": [
+        {
+          "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[5m]))",
+          "legendFormat": "enforce (denied)",
+          "refId": "A"
+        },
+        {
+          "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"audit\"}[5m]))",
+          "legendFormat": "audit",
+          "refId": "B"
+        },
+        {
+          "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"warn\"}[5m]))",
+          "legendFormat": "warn",
+          "refId": "C"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 15,
+            "pointSize": 5,
+            "showPoints": "auto"
+          },
+          "unit": "ops"
+        },
+        "overrides": [
+          {
+            "matcher": { "id": "byName", "options": "enforce (denied)" },
+            "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }]
+          },
+          {
+            "matcher": { "id": "byName", "options": "audit" },
+            "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }]
+          },
+          {
+            "matcher": { "id": "byName", "options": "warn" },
+            "properties": [{ "id": "color", "value": { "fixedColor": "yellow", "mode": "fixed" } }]
+          }
+        ]
+      }
+    },
+    {
+      "title": "Violations by Policy Level",
+      "description": "Violation rate grouped by the PSS level that was violated",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 5 },
+      "targets": [
+        {
+          "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\"}[5m])) by (policy_level)",
+          "legendFormat": "{{ policy_level }}",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 15,
+            "pointSize": 5,
+            "showPoints": "auto"
+          },
+          "unit": "ops"
+        },
+        "overrides": [
+          {
+            "matcher": { "id": "byName", "options": "restricted" },
+            "properties": [{ "id": "color", "value": { "fixedColor": "yellow", "mode": "fixed" } }]
+          },
+          {
+            "matcher": { "id": "byName", "options": "baseline" },
+            "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }]
+          },
+          {
+            "matcher": { "id": "byName", "options": "privileged" },
+            "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }]
+          }
+        ]
+      }
+    },
+    {
+      "title": "Enforced Denials by Namespace",
+      "description": "Pods blocked per namespace (enforce mode only)",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 13 },
+      "targets": [
+        {
+          "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[5m])) by (resource_namespace)",
+          "legendFormat": "{{ resource_namespace }}",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "bars",
+            "lineWidth": 1,
+            "fillOpacity": 80,
+            "stacking": { "mode": "normal" }
+          },
+          "unit": "ops"
+        },
+        "overrides": []
+      }
+    },
+    {
+      "title": "Audit + Warn Violations by Namespace",
+      "description": "Non-enforced violations per namespace — candidates for tightening",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 13 },
+      "targets": [
+        {
+          "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=~\"audit|warn\"}[5m])) by (resource_namespace)",
+          "legendFormat": "{{ resource_namespace }}",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "bars",
+            "lineWidth": 1,
+            "fillOpacity": 80,
+            "stacking": { "mode": "normal" }
+          },
+          "unit": "ops"
+        },
+        "overrides": []
+      }
+    },
+    {
+      "title": "Violations Breakdown",
+      "description": "Detailed breakdown of all policy violations",
+      "type": "table",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 10, "w": 24, "x": 0, "y": 21 },
+      "targets": [
+        {
+          "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\"}[$__range])) by (resource_namespace, policy_level, mode, request_operation) > 0",
+          "format": "table",
+          "instant": true,
+          "refId": "A"
+        }
+      ],
+      "transformations": [
+        {
+          "id": "organize",
+          "options": {
+            "excludeByName": { "Time": true },
+            "renameByName": {
+              "resource_namespace": "Namespace",
+              "policy_level": "Policy Level",
+              "mode": "Mode",
+              "request_operation": "Operation",
+              "Value": "Violations"
+            },
+            "indexByName": {
+              "resource_namespace": 0,
+              "policy_level": 1,
+              "mode": 2,
+              "request_operation": 3,
+              "Value": 4
+            }
+          }
+        },
+        {
+          "id": "sortBy",
+          "options": {
+            "fields": {},
+            "sort": [
+              { "field": "Violations", "desc": true }
+            ]
+          }
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": [
+          {
+            "matcher": { "id": "byName", "options": "Mode" },
+            "properties": [
+              {
+                "id": "mappings",
+                "value": [
+                  { "type": "value", "options": { "enforce": { "text": "Enforce", "color": "red" }, "audit": { "text": "Audit", "color": "orange" }, "warn": { "text": "Warn", "color": "yellow" } } }
+                ]
+              }
+            ]
+          },
+          {
+            "matcher": { "id": "byName", "options": "Violations" },
+            "properties": [
+              {
+                "id": "custom.cellOptions",
+                "value": { "type": "color-background", "mode": "gradient" }
+              },
+              {
+                "id": "thresholds",
+                "value": {
+                  "mode": "absolute",
+                  "steps": [
+                    { "value": null, "color": "transparent" },
+                    { "value": 1, "color": "orange" },
+                    { "value": 100, "color": "red" }
+                  ]
+                }
+              }
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "title": "Exemptions",
+      "description": "Pods exempted from policy evaluation",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus" },
+      "gridPos": { "h": 8, "w": 24, "x": 0, "y": 31 },
+      "targets": [
+        {
+          "expr": "sum(rate(pod_security_exemptions_total[5m])) by (request_namespace)",
+          "legendFormat": "{{ request_namespace }}",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 2,
+            "fillOpacity": 10
+          },
+          "unit": "ops"
+        },
+        "overrides": []
+      }
+    }
+  ],
+  "schemaVersion": 39,
+  "tags": [
+    "security",
+    "pod-security",
+    "pss",
+    "compliance"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "title": "Pod Security Violations",
+  "uid": "pod-security-violations"
+}
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/opencost-values.yaml
+
+# Secrets: change path to aks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-dev
+
+# Enterprise-apps: point to aks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-dev
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/opencost-values.yaml
+
+# Secrets: change path to aks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-prod
+
+# Enterprise-apps: point to aks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-prod
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/opencost-values.yaml
+
+# Secrets: change path to eks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-dev
+
+# Enterprise-apps: point to eks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-dev
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/opencost-values.yaml
+
+# Secrets: change path to eks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-prod
+
+# Enterprise-apps: point to eks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-prod
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/opencost-values.yaml
+
+# Secrets: change path to gke-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-dev
+
+# Enterprise-apps: point to gke-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-dev
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/opencost-values.yaml
+
+# Secrets: change path to gke-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-prod
+
+# Enterprise-apps: point to gke-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-prod
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+# No patches needed — base already has "upc-dev" paths
+# upc-dev is the default/base cluster
@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → upc-prod in valueFiles
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/opencost-values.yaml
+
+# Secrets: change path to upc-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/overlays/upc-prod
+
+# Enterprise-apps: point to upc-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/upc-prod
@@ -1,130 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: traefik-system
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
---
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: traefik
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: https://traefik.github.io/charts
-    chart: traefik
-    targetRevision: "28.0.0"
-
-    helm:
-      values: |
-        providers:
-          kubernetesIngress:
-            publishedService: # Fixes ArgoCD health checks for LoadBalancer services
-              enabled: true
-        deployment:
-          replicas: 2
-
-        ingressRoute:
-          dashboard:
-            enabled: true
-            # Optional: specify entrypoint
-            entrypoint: traefik
-
-        api:
-          dashboard: true
-          debug: false
-
-        service:
-          type: LoadBalancer
-          annotations:
-            traefik.ingress.kubernetes.io/router.entrypoints: websecure
-            traefik.ingress.kubernetes.io/router.priority: "42"
-            traefik.ingress.kubernetes.io/router.tls: "true"
-            service.beta.kubernetes.io/upcloud-load-balancer-config: |
-              {
-                  "frontends": [
-                      {
-                          "name": "web",
-                          "mode": "tcp"
-                      },
-                      {
-                          "name": "websecure",
-                          "mode": "tcp"
-                      }
-                  ],
-                  "backends": [
-                      {
-                          "name": "web",
-                          "properties": {
-                              "outbound_proxy_protocol": "v2"
-                          }
-                      },
-                      {
-                          "name": "websecure",
-                          "properties": {
-                              "outbound_proxy_protocol": "v2"
-                          }
-                      }
-                  ]
-              }
-
-        ingressClass:
-          enabled: true
-          isDefaultClass: true
-
-        # Configure entry points
-        ports:
-          metrics:
-            expose: 
-              default: true
-            observability:
-              accessLogs: true
-              metrics: true
-              tracing: true
-              traceVerbosity: detailed
-          web:
-            proxyProtocol:
-              trustedIPs: "172.16.1.0/24"
-            forwardedHeaders:
-              trustedIPs: "172.16.1.0/24"
-            http:
-              redirections:
-                entrypoint:
-                  to: websecure
-                  scheme: https
-
-          websecure:
-            proxyProtocol:
-              trustedIPs: "172.16.1.0/24"
-            forwardedHeaders:
-              trustedIPs: "172.16.1.0/24"
-            observability:
-              accessLogs: true
-              metrics: true
-              tracing: true
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: traefik-system
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
@@ -1,67 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: trivy-system
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
---
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: trivy-operator
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: trivy-operator
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: https://aquasecurity.github.io/helm-charts
-    chart: trivy-operator
-    targetRevision: 0.31.0
-    helm:
-      releaseName: trivy-operator
-      valuesObject:
-        operator:
-          targetNamespaces: ""
-          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
-          scanJobsInSameNamespace: true
-          metricsVulnIdEnabled: true
-          metricsImageInfo: true
-        trivy:
-          ignoreUnfixed: false
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: trivy-system
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
-
-  ignoreDifferences:
-  - group: apiextensions.k8s.io
-    kind: CustomResourceDefinition
-    jsonPointers:
-    - /metadata/labels
-    - /metadata/annotations
-    - /metadata/finalizers
@@ -0,0 +1,7 @@
+# AKS-specific: Azure managed disk storage class
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium
@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net
@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net
@@ -0,0 +1,8 @@
+# AKS-specific: Azure pricing via Cloud Billing API
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    azure:
+      secretName: opencost-azure-billing
@@ -0,0 +1,11 @@
+# AKS-specific: Azure Load Balancer for Traefik
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
@@ -0,0 +1,7 @@
+# AKS-specific: Azure managed disk storage class (prod)
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium
@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com
@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com
@@ -0,0 +1,8 @@
+# AKS-specific: Azure pricing via Cloud Billing API (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    azure:
+      secretName: opencost-azure-billing
@@ -0,0 +1,12 @@
+# AKS-specific: Azure Load Balancer for Traefik (prod)
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
@@ -1,89 +0,0 @@
-global:
-  domain: argocd.127.0.0.1.nip.io
-configs:
-  secret:
-    createSecret: true
-    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
-  cm:
-    application.resourceTrackingMethod: annotation
-    timeout.reconciliation: 60s
-    admin.enabled: "true"
-    repositories: |
-      - type: git
-        url: https://github.com/snothub
-        name: github-repo
-  params:
-    "server.insecure": true
-server:
-  ingress:
-    enabled: false
-    ingressClassName: nginx
-  extraArgs:
-  - --insecure
-
-notifications:
-  # Don't create secret via Helm - using SealedSecret instead
-  secret:
-    create: false
-
-  # Shared context variables available in all templates
-  context:
-    clusterName: "dev-fd-no-svg1"
-
-  # Define notification templates
-  templates:
-    template.app-syncing: |
-      webhook:
-        slack:
-          method: POST
-          body: |
-            {
-              "payload": "🖥️ {{ .context.clusterName }}: 🔄 *{{ .app.metadata.name }}* is syncing...\n📦 Revision: {{ .app.status.sync.revision | substr 0 7 }}"
-            }
-    template.app-sync-succeeded: |
-      webhook:
-        slack:
-          method: POST
-          body: |
-            {
-              "payload": "🖥️ {{ .context.clusterName }}: ✅ *{{ .app.metadata.name }}* sync succeeded\n📦 Revision: {{ .app.status.sync.revision | substr 0 7 }}{{ range .app.status.summary.images }}\n🏷️  Image: {{ . }}{{ end }}"
-            }
-    template.app-sync-failed: |
-      webhook:
-        slack:
-          method: POST
-          body: |
-            {
-              "payload": "🖥️ {{ .context.clusterName }}: ❌ *{{ .app.metadata.name }}* sync failed\n📦 Revision: {{ .app.status.sync.revision | substr 0 7 }}\n⚠️  Message: {{ .app.status.operationState.message }}"
-            }
-    template.app-degraded: |
-      webhook:
-        slack:
-          method: POST
-          body: |
-            {
-              "payload": "🖥️ {{ .context.clusterName }}: ⚠️ *{{ .app.metadata.name }}* is degraded\n🏥 Health: {{ .app.status.health.status }}\n💬 Message: {{ .app.status.health.message }}"
-            }
-
-  # Define notification triggers
-  triggers:
-    trigger.on-sync-running: |
-      - when: app.status.operationState.phase in ['Running']
-        send: [app-syncing]
-    trigger.on-sync-succeeded: |
-      - when: app.status.operationState.phase in ['Succeeded']
-        send: [app-sync-succeeded]
-    trigger.on-sync-failed: |
-      - when: app.status.operationState.phase in ['Failed']
-        send: [app-sync-failed]
-    trigger.on-degraded: |
-      - when: app.status.health.status == 'Degraded'
-        send: [app-degraded]
-
-  # Define notification services (webhook for Slack)
-  notifiers:
-    service.webhook.slack: |
-      url: $slack-webhook-url
-      headers:
-      - name: Content-Type
-        value: application/json
@@ -0,0 +1,148 @@
+configs:
+  secret:
+    createSecret: true
+    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
+    # oidc.clientSecret managed by argocd-oidc-sync CronJob
+    # (reads from argocd-oidc-credentials, patches argocd-secret)
+  ssh:
+    knownHosts: |
+      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
+  cm:
+    application.resourceTrackingMethod: annotation
+    timeout.reconciliation: 60s
+    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "false"
+    url: https://argocd.forteapps.net
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbac:
+    # Base RBAC — org-wide roles shared across all clusters.
+    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
+    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
+    policy.csv: |
+      # Platform administrators — full control
+      g, ArgoCD Admins, role:admin
+
+      # Read-only viewers — see all, change nothing
+      g, ArgoCD Viewers, role:readonly
+
+      # --- Per-team roles (scoped to default project app names) ---
+      # Observability team — manage monitoring stack
+      p, role:observability, applications, get, default/prometheus, allow
+      p, role:observability, applications, get, default/loki, allow
+      p, role:observability, applications, get, default/fluent-bit, allow
+      p, role:observability, applications, get, default/tempo, allow
+      p, role:observability, applications, get, default/grafana, allow
+      p, role:observability, applications, get, default/grafana-dashboards, allow
+      p, role:observability, applications, get, default/opencost, allow
+      p, role:observability, applications, sync, default/prometheus, allow
+      p, role:observability, applications, sync, default/loki, allow
+      p, role:observability, applications, sync, default/fluent-bit, allow
+      p, role:observability, applications, sync, default/tempo, allow
+      p, role:observability, applications, sync, default/grafana, allow
+      p, role:observability, applications, sync, default/grafana-dashboards, allow
+      p, role:observability, applications, sync, default/opencost, allow
+      p, role:observability, logs, get, default/*, allow
+      g, Observability Team, role:observability
+
+      # Dev tools team — manage gitea, renovate, karpor
+      p, role:devtools, applications, get, default/gitea, allow
+      p, role:devtools, applications, get, default/gitea-actions, allow
+      p, role:devtools, applications, get, default/renovate, allow
+      p, role:devtools, applications, get, default/karpor, allow
+      p, role:devtools, applications, sync, default/gitea, allow
+      p, role:devtools, applications, sync, default/gitea-actions, allow
+      p, role:devtools, applications, sync, default/renovate, allow
+      p, role:devtools, applications, sync, default/karpor, allow
+      p, role:devtools, logs, get, default/*, allow
+      g, Dev Tools Team, role:devtools
+
+      # App developers — manage enterprise apps only
+      p, role:app-dev, applications, get, default/enterprise-apps, allow
+      p, role:app-dev, applications, sync, default/enterprise-apps, allow
+      p, role:app-dev, applications, action, default/enterprise-apps, allow
+      p, role:app-dev, logs, get, default/enterprise-apps, allow
+      g, App Developers, role:app-dev
+
+    # Deny users not in any declared KC group
+    policy.default: ""
+    scopes: '[groups]'
+  params:
+    "server.insecure": true
+    "reposerver.enable.git.submodule": "false"
+server:
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
+  extraArgs:
+  - --insecure
+
+notifications:
+  # Don't create secret via Helm - using SealedSecret instead
+  secret:
+    create: false
+
+  # Define notification templates
+  templates:
+    template.app-syncing: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: 🔄 *{{ .app.metadata.name }}* is syncing...\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}"
+            }
+    template.app-sync-succeeded: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: ✅ *{{ .app.metadata.name }}* sync succeeded\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}{{ range .app.status.summary.images }}\n🏷️  Image: {{ . }}{{ end }}"
+            }
+    template.app-sync-failed: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: ❌ *{{ .app.metadata.name }}* sync failed\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}\n⚠️  Message: {{ .app.status.operationState.message }}"
+            }
+    template.app-degraded: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: ⚠️ *{{ .app.metadata.name }}* is degraded\n🏥 Health: {{ .app.status.health.status }}\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}{{ range .app.status.summary.images }}\n🏷️  Image: {{ . }}{{ end }}"
+            }
+
+  # Define notification triggers
+  triggers:
+    trigger.on-sync-running: |
+      - when: app.status.operationState.phase in ['Running']
+        send: [app-syncing]
+    trigger.on-sync-succeeded: |
+      - when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
+        send: [app-sync-succeeded]
+    trigger.on-sync-failed: |
+      - when: app.status.operationState.phase in ['Failed']
+        send: [app-sync-failed]
+    trigger.on-degraded: |
+      - when: app.status.health.status == 'Degraded'
+        send: [app-degraded]
+
+  # Define notification services (webhook for Slack)
+  notifiers:
+    service.webhook.slack: |
+      url: $slack-webhook-url
+      headers:
+      - name: Content-Type
+        value: application/json
@@ -0,0 +1,11 @@
+dot-ai:
+  ingress:
+    enabled: true
+    className: traefik
+dot-ai-ui:
+  uiAuth:
+    secretRef:
+      name: dot-ai-secrets
+  ingress:
+    enabled: true
+    className: traefik
@@ -48,7 +48,8 @@ config:
        Match kube.*
        Host loki-gateway.monitoring.svc.cluster.local
        Port 80
-        Labels job=fluent-bit, namespace=$kubernetes['namespace_name'], pod=$kubernetes['pod_name'], container=$kubernetes['container_name']
+        Labels job=fluent-bit, namespace=$kubernetes['namespace_name'], pod=$kubernetes['pod_name'], container=$kubernetes['container_name'], stream=$stream
+        Auto_Kubernetes_Labels Off
        Line_Format json

    [OUTPUT]
@@ -0,0 +1,36 @@
+## Gitea Act Runner - Helm values
+## Chart: actions v0.0.5 (https://dl.gitea.com/charts)
+
+enabled: true
+
+giteaRootURL: https://git.forteapps.net
+
+existingSecret: gitea-runner-token
+existingSecretKey: token
+
+statefulset:
+  replicas: 3
+
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: "1"
+      memory: 1Gi
+
+  actRunner:
+    config: |
+      log:
+        level: info
+      cache:
+        enabled: false
+      container:
+        require_docker: true
+        docker_timeout: 300s
+      runner:
+        labels:
+          - "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04"
+          - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
+  dind:
+    rootless: false
@@ -0,0 +1,182 @@
+# Gitea Helm Chart Values
+# Host: git.forteapps.net
+# Chart: gitea v12.5.0 (app v1.25.4)
+# Repo: https://dl.gitea.com/charts
+
+# -- Admin account (password from sealed secret)
+gitea:
+  admin:
+    existingSecret: gitea-credentials
+    email: admin@forteapps.net
+
+  # -- Gitea app.ini configuration
+  config:
+    APP_NAME: "Forte Git"
+
+    server:
+      DOMAIN: git.forteapps.net
+      ROOT_URL: https://git.forteapps.net
+      SSH_DOMAIN: git.forteapps.net
+      SSH_PORT: 2222
+      LFS_START_SERVER: true
+      ENABLE_GITEA_PAGES: true
+      ENABLE_BASIC_AUTH_CHALLENGE: true
+
+    service:
+      DISABLE_REGISTRATION: false
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: false
+      REQUIRE_SIGNIN_VIEW: false
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+      ENABLE_BASIC_AUTHENTICATION: true
+      ENABLE_PASSWORD_SIGNIN_FORM: false
+      AUTO_WATCH_ON_CHANGES: false
+      AUTO_WATCH_NEW_REPOS: false
+      ENABLE_NOTIFY_MAIL: false
+      ENABLE_TIMETRACKING: false
+
+    openid:
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false
+
+    oauth2:
+      ENABLED: true
+      ENABLE_AUTO_REGISTRATION: true
+      USERNAME: email
+
+    session:
+      PROVIDER: db
+
+    cache:
+      ADAPTER: memory
+
+    database:
+      DB_TYPE: postgres
+
+    metrics:
+      ENABLED: true
+
+    repository:
+      DEFAULT_BRANCH: main
+      DEFAULT_PRIVATE: last
+
+    actions:
+      ENABLED: true
+
+    packages:
+      ENABLED: true
+
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+
+    mailer:
+      ENABLED: true
+      PROTOCOL: smtp+starttls
+      SMTP_ADDR: smtp.office365.com
+      SMTP_PORT: 587
+      FROM: "noreply@fortedigital.com"
+
+    admin:
+      DEFAULT_EMAIL_NOTIFICATIONS: onmention
+
+  # -- SMTP credentials injected from secret (USER and PASSWD)
+  additionalConfigFromEnvs:
+  - name: GITEA__mailer__USER
+    valueFrom:
+      secretKeyRef:
+        name: gitea-smtp-secret
+        key: username
+  - name: GITEA__mailer__PASSWD
+    valueFrom:
+      secretKeyRef:
+        name: gitea-smtp-secret
+        key: password
+  # -- OIDC authentication via Forte
+  oauth:
+  - name: "Forte"
+    provider: "openidConnect"
+    existingSecret: gitea-oidc-credentials
+    key: gitea
+    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
+    scopes: "email profile organization"
+    groupClaimName: "groups"
+    adminGroup: ""
+    restrictedGroup: ""
+  # -- Prometheus metrics (scraped via annotations, no ServiceMonitor CRD needed)
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+
+# -- Ingress via Traefik with Let's Encrypt TLS
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+  - host: git.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: gitea-tls
+    hosts:
+    - git.forteapps.net
+
+# -- Git repository storage
+persistence:
+  enabled: true
+  size: 10Gi
+  accessModes:
+  - ReadWriteOnce
+
+# -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
+strategy:
+  type: Recreate
+
+# -- Pod resources
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+# -- Embedded PostgreSQL (Bitnami subchart)
+# Password auto-generated by the subchart; Gitea chart auto-wires the connection.
+postgresql:
+  enabled: true
+  auth:
+    username: gitea
+    database: gitea
+  primary:
+    persistence:
+      enabled: true
+      size: 8Gi
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+
+# -- Disable PostgreSQL HA (using single-instance postgresql above)
+postgresql-ha:
+  enabled: false
+
+# -- Disable Redis cluster (use in-memory cache instead)
+redis-cluster:
+  enabled: false
+
+# -- Disable test pod
+test:
+  enabled: false
+
+# -- SSH service (ClusterIP, exposed externally via Traefik TCP IngressRoute on port 2222)
+service:
+  ssh:
+    type: ClusterIP
+    port: 22
@@ -0,0 +1,107 @@
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+  - secretName: grafana-tls
+    hosts:
+    - grafana.forteapps.net
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    cpu: 100m
+    memory: 256Mi
+
+adminUser: admin
+adminPassword: "forte"
+
+envFromSecrets:
+- name: grafana-oidc-credentials
+
+grafana.ini:
+  server:
+    root_url: https://grafana.forteapps.net
+  auth.generic_oauth:
+    enabled: true
+    name: Forte SSO
+    allow_sign_up: true
+    client_id: ${client-id}
+    client_secret: ${client-secret}
+    scopes: openid email profile
+    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
+    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
+    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
+    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
+    role_attribute_strict: true
+    allow_assign_grafana_admin: true
+    auto_login: true
+  auth:
+    disable_login_form: true
+
+datasources:
+  datasources.yaml:
+    apiVersion: 1
+    datasources:
+    - name: Prometheus
+      type: prometheus
+      url: http://prometheus-server.monitoring.svc.cluster.local
+      access: proxy
+      isDefault: true
+    - name: Loki
+      type: loki
+      uid: loki
+      url: http://loki-gateway.monitoring.svc.cluster.local
+      access: proxy
+    - name: Tempo
+      type: tempo
+      uid: tempo
+      url: http://tempo.monitoring.svc.cluster.local:3200
+      access: proxy
+      jsonData:
+        tracesToLogsV2:
+          datasourceUid: loki
+          tags:
+          - key: namespace
+          - key: pod
+          - key: container
+        tracesToMetrics:
+          datasourceUid: Prometheus
+          tags:
+          - key: service.name
+            value: service
+        nodeGraph:
+          enabled: true
+        serviceMap:
+          datasourceUid: Prometheus
+
+sidecar:
+  dashboards:
+    enabled: true
+    label: grafana_dashboard
+    labelValue: "1"
+    folder: /tmp/dashboards
+    provider:
+      foldersFromFilesStructure: false
+
+dashboardProviders:
+  dashboardproviders.yaml:
+    apiVersion: 1
+    providers:
+    - name: 'default'
+      orgId: 1
+      folder: ''
+      type: file
+      disableDeletion: false
+      editable: true
+      options:
+        path: /var/lib/grafana/dashboards/default
+dashboards:
+  default:
+    kubernetes:
+      gnetId: 15758
+      revision: 1
+      datasource: Prometheus
@@ -0,0 +1,44 @@
+# Karpor - Kubernetes Visualization & Intelligence Tool
+# Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
+
+# Let the ArgoCD Application manage the namespace
+namespaceEnabled: false
+
+server:
+  replicas: 1
+  port: 7443
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
+
+syncer:
+  replicas: 1
+  port: 7443
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
+
+elasticsearch:
+  replicas: 1
+  port: 9200
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2Gi
+    limits:
+      cpu: "2"
+      memory: 4Gi
+
+etcd:
+  replicas: 1
+  port: 2379
+  persistence:
+    size: 5Gi
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
danijel.simeunovic	85d150d3d4	rbac	2026-04-27 11:03:12 +02:00
danijel.simeunovic	cc9c9049eb	ignore diff	2026-04-26 23:55:55 +02:00
danijel.simeunovic	9f6c5105af	netpol all remove	2026-04-25 16:04:13 +02:00
danijel.simeunovic	45e502d74d	argocd tls	2026-04-25 11:49:17 +02:00
danijel.simeunovic	167d893233	clean scopes gitea	2026-04-24 20:18:02 +02:00
danijel.simeunovic	8b9ffee242	socpes	2026-04-24 20:14:28 +02:00
danijel.simeunovic	4069e255a8	org scope	2026-04-24 20:05:01 +02:00
danijel.simeunovic	3b1f498616	Update infra/values/base/keycloak-values.yaml	2026-04-24 17:40:15 +00:00
danijel.simeunovic	cc47bf6b9f	grafana access	2026-04-24 15:49:47 +02:00
danijel.simeunovic	c1d61398f0	SSO grafana	2026-04-24 15:45:50 +02:00
danijel.simeunovic	ece4a8d199	grafana tls	2026-04-24 15:39:46 +02:00
danijel.simeunovic	03c47ad109	remove trivy	2026-04-24 15:24:58 +02:00
danijel.simeunovic	3095741590	clear KC scopes	2026-04-24 15:13:58 +02:00
danijel.simeunovic	d7ba859e61	no openid	2026-04-24 15:09:10 +02:00
danijel.simeunovic	07eb9b7051	optional scopes	2026-04-24 15:05:07 +02:00
danijel.simeunovic	a911ff64c3	kc scopes	2026-04-24 15:03:14 +02:00
danijel.simeunovic	9e13560e5e	basic scope	2026-04-24 14:40:32 +02:00
danijel.simeunovic	3d84acb278	DEFAULT_EMAIL_NOTIFICATIONS	2026-04-24 14:25:29 +02:00
danijel.simeunovic	fde81c6ec6	dbox	2026-04-24 13:42:52 +02:00
thomas.solbjor	8648269e55	Update secrets/base/kustomization.yaml	2026-04-24 11:25:38 +00:00
thomas.solbjor	84fe4cbe7c	ts-mcp-secrets-sealed.yaml	2026-04-24 13:15:00 +02:00
danijel.simeunovic	38158be0a8	doc	2026-04-24 12:55:50 +02:00
danijel.simeunovic	202e84badc	doc	2026-04-24 12:54:26 +02:00
danijel.simeunovic	a6df75de93	dbox	2026-04-24 12:38:50 +02:00
danijel.simeunovic	4f4f544100	k	2026-04-24 10:58:20 +02:00
danijel.simeunovic	8d4b6493a0	mm	2026-04-24 10:57:53 +02:00
gitea_admin	8505481291	feature/multi-cloud (#14 ) Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Reviewed-on: #14	2026-04-24 08:48:53 +00:00
danijel.simeunovic	65598c9297	karpor diffs	2026-04-24 09:47:52 +02:00
danijel.simeunovic	3f0f70699b	karpor	2026-04-24 09:43:16 +02:00
danijel.simeunovic	06522b2f19	ts-mcp	2026-04-23 14:44:33 +02:00
danijel.simeunovic	4c65035485	ns	2026-04-23 14:11:45 +02:00
danijel.simeunovic	84f4bebc08	ts-mcp	2026-04-23 13:41:51 +02:00
danijel.simeunovic	5394b2c714	ts-mcp	2026-04-23 13:40:33 +02:00
danijel.simeunovic	c4e586a7be	ts-mcp	2026-04-23 13:38:47 +02:00
danijel.simeunovic	1fa070b041	argo	2026-04-23 13:35:42 +02:00
danijel.simeunovic	9c905355e3	argocd known host	2026-04-23 13:28:34 +02:00
danijel.simeunovic	6b1115ec28	argocd disable submodule	2026-04-23 13:09:02 +02:00
danijel.simeunovic	2fb276a62c	ts-mcp	2026-04-23 13:02:00 +02:00
danijel.simeunovic	3efe1b68ef	auth doc	2026-04-23 10:05:15 +02:00
danijel.simeunovic	5df104beec	sp	2026-04-22 13:54:51 +02:00
danijel.simeunovic	0ecfee3cf8	prompts	2026-04-22 13:51:38 +02:00
danijel.simeunovic	c88938adb5	feature/ai-review (#7 ) Co-authored-by: gitea_admin <admin@forteapps.net> Reviewed-on: #7 Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-22 09:30:02 +00:00
danijel.simeunovic	d05a16840e	pr trigger	2026-04-22 09:11:40 +02:00
danijel.simeunovic	d7c7242aa1	submodule	2026-04-22 09:10:38 +02:00
danijel.simeunovic	3bf9fa7837	pr label	2026-04-22 08:48:05 +02:00
danijel.simeunovic	d2596568f2	version tag	2026-04-21 15:17:52 +02:00
danijel.simeunovic	2a3539350b	AI-review (#6 ) Co-authored-by: gitea_admin <admin@forteapps.net> Reviewed-on: #6 Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-21 08:20:41 +00:00
danijel.simeunovic	f97b613c12	remove unneeded yml	2026-04-20 22:46:44 +02:00
danijel.simeunovic	9c7db11470	remove unneeded yml	2026-04-20 22:45:53 +02:00
danijel.simeunovic	723072bd1e	cleanup	2026-04-19 13:47:29 +02:00
danijel.simeunovic	046b78446b	add opencost	2026-04-19 13:41:44 +02:00
danijel.simeunovic	56a1b49d10	missing manifest	2026-04-19 13:39:26 +02:00
danijel.simeunovic	d557eb1865	revert	2026-04-19 13:28:40 +02:00
danijel.simeunovic	a51ed84124	Merge branch 'main' of https://git.forteapps.net/Forte/launchpad	2026-04-19 13:28:03 +02:00
danijel.simeunovic	73e253a579	traefik	2026-04-19 13:27:59 +02:00
danijel.simeunovic	d7c1341eab	don't sync users with cron job	2026-04-19 11:43:47 +02:00
danijel.simeunovic	eed53006c1	docs	2026-04-18 23:12:18 +02:00
danijel.simeunovic	395ca70c2a	prod values	2026-04-18 23:02:02 +02:00
danijel.simeunovic	ea04ec20c9	remove docs wf	2026-04-18 20:54:48 +02:00
danijel.simeunovic	03a0d7c9ae	feature/multicluster Deploy Gitea Pages / build-and-deploy (push) Failing after 5s Details Co-authored-by: Danijel Simeunovic <danijel.simeunovic@trumf.no> Reviewed-on: #4 Reviewed-by: gitea_admin <admin@forteapps.net>	2026-04-18 18:14:00 +00:00
danijel.simeunovic	72a65f0e06	client cloner (#3 ) Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details Reviewed-on: #3 Reviewed-by: gitea_admin <admin@forteapps.net> Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-17 13:42:44 +00:00
danijel.simeunovic	44fc242ae8	doc Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details	2026-04-17 11:43:50 +02:00
danijel.simeunovic	b2f601e950	doc Deploy Gitea Pages / build-and-deploy (push) Failing after 6s Details	2026-04-17 11:42:46 +02:00
danijel.simeunovic	f8b17cc030	log level info renovate	2026-04-17 10:59:52 +02:00
danijel.simeunovic	6639d0e3ff	renovate prs Deploy Gitea Pages / build-and-deploy (push) Failing after 5m15s Details	2026-04-17 09:58:52 +02:00
danijel.simeunovic	4485731ab5	smtp+starttls	2026-04-16 15:57:59 +02:00
danijel.simeunovic	439b8516f0	smtps auth	2026-04-16 15:46:54 +02:00
danijel.simeunovic	0eccd2d439	smtp auth	2026-04-16 15:43:10 +02:00
danijel.simeunovic	3e1029a557	mail notification	2026-04-16 15:39:51 +02:00
danijel.simeunovic	61c2801e0a	smtp	2026-04-16 15:32:10 +02:00
gitea_admin	8902a0e51e	Merge pull request 'SMTP config Gitea' (#2 ) from feature/smtp into main Reviewed-on: #2	2026-04-16 13:17:28 +00:00
danijel.simeunovic	4486279eab	smtp config	2026-04-16 15:13:18 +02:00
danijel.simeunovic	020dfeffd4	client secret fixes Deploy Gitea Pages / build-and-deploy (push) Failing after 6m6s Details	2026-04-16 15:04:27 +02:00
danijel.simeunovic	7e10954a8f	client secret bootstrapping Deploy Gitea Pages / build-and-deploy (push) Failing after 39m32s Details	2026-04-16 13:55:13 +02:00
danijel.simeunovic	88c29565b6	smtp	2026-04-16 10:42:35 +02:00
danijel.simeunovic	87ee0588a7	renovate pr targets	2026-04-15 16:33:58 +02:00
danijel.simeunovic	db8a1de797	10x repo PRs	2026-04-15 13:46:13 +02:00
danijel.simeunovic	177150e069	gitea protocol mapper Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details	2026-04-15 13:27:14 +02:00
danijel.simeunovic	c63a9242f0	renovate loglevel	2026-04-14 12:44:47 +02:00
danijel.simeunovic	1d43ecddad	renovate daily and more mem	2026-04-14 12:26:46 +02:00
danijel.simeunovic	a702a16155	renovate token	2026-04-14 12:17:53 +02:00
danijel.simeunovic	8b403736a9	secret renovate	2026-04-14 12:14:43 +02:00
danijel.simeunovic	0e8524b84a	renovate Deploy Gitea Pages / build-and-deploy (push) Failing after 6s Details	2026-04-14 12:05:14 +02:00
danijel.simeunovic	58ccc9fd2e	Merge branch 'main' of https://git.forteapps.net/Forte/launchpad	2026-04-14 10:53:49 +02:00
danijel.simeunovic	08d870d44c	oauth fix	2026-04-14 10:53:45 +02:00
gitea_admin	2b7d441803	Update infra/gitea.yaml ignoreDifferences	2026-04-14 08:33:47 +00:00
gitea_admin	e74a8cb9d8	Update infra/values/gitea-values.yaml ENABLE_BASIC_AUTH_CHALLENGE: true	2026-04-14 08:23:09 +00:00
danijel.simeunovic	f5166b3797	readme	2026-04-13 16:08:30 +02:00
danijel.simeunovic	18fb0ca3da	repo names fix Deploy Gitea Pages / build-and-deploy (push) Failing after 6s Details	2026-04-13 16:08:01 +02:00
danijel.simeunovic	4abd528b19	launchpad	2026-04-13 15:55:25 +02:00
danijel.simeunovic	a9a3e0e8ab	Merge branch 'main' of https://git.forteapps.net/Forte/launchpad Deploy Gitea Pages / build-and-deploy (push) Failing after 6s Details	2026-04-13 15:54:23 +02:00
danijel.simeunovic	827213c883	migration	2026-04-13 15:54:14 +02:00
gitea_admin	02d5b3eb5a	Update .github/workflows/docs.yml	2026-04-09 09:11:16 +00:00
gitea_admin	f90833711d	Update .github/workflows/docs.yml	2026-04-09 09:05:12 +00:00
gitea_admin	1c6a0a1b2f	Update .github/workflows/docs.yml	2026-04-09 09:02:58 +00:00
gitea_admin	665e4020ba	Update .github/workflows/docs.yml	2026-04-09 09:01:37 +00:00
gitea_admin	643c0aaf9b	Update .github/workflows/docs.yml	2026-04-09 09:00:24 +00:00
gitea_admin	61184f6fdf	Update .github/workflows/docs.yml	2026-04-09 08:58:00 +00:00
gitea_admin	84698ab743	Update .github/workflows/docs.yml	2026-04-09 08:54:15 +00:00
snothub	cb548ee09a	gitea actions	2026-04-08 12:56:07 +02:00
snothub	9f130a8dc4	gitea runner token	2026-04-08 12:51:11 +02:00
snothub	ab136ea8f2	gitea recreate	2026-04-08 12:44:56 +02:00
snothub	b3d4a26a07	gitea runners	2026-04-08 12:40:13 +02:00
snothub	5e205944c6	kc creds	2026-04-08 12:21:37 +02:00
snothub	463a96054d	kyverno policy remove	2026-04-08 12:12:09 +02:00
snothub	118cae656a	gitea pg	2026-04-08 12:04:13 +02:00
snothub	2e725ffcdd	gitea	2026-04-08 12:00:15 +02:00
snothub	dcfa104948	disable results cache	2026-04-07 10:26:27 +02:00
snothub	43699b9bbd	MkDocs	2026-04-04 17:46:08 +02:00
snothub	97aeba8275	docs	2026-04-04 17:30:16 +02:00
snothub	f7897bc2bf	kc resources	2026-04-02 22:56:18 +02:00
snothub	b281556808	mcp def scope	2026-04-02 22:45:15 +02:00
snothub	010d29ff11	argo notifications	2026-03-29 21:44:25 +02:00
snothub	369d5453e0	notification fix	2026-03-29 21:07:26 +02:00
snothub	212dc66fab	PSS dash	2026-03-29 16:20:48 +02:00
snothub	38433f62ce	del mcpcoder	2026-03-29 15:20:27 +02:00
snothub	ede14d9ec6	degraded message fix	2026-03-29 14:57:30 +02:00
snothub	9edbe3d0ef	argocd status sync update	2026-03-29 14:53:55 +02:00
snothub	e199b00137	dash opt	2026-03-27 14:25:34 +01:00
snothub	ce5094c1c8	egress	2026-03-27 11:49:03 +01:00
snothub	5e8448cfd2	dashboards json	2026-03-27 09:05:06 +01:00
snothub	875db6721e	keycloak resource lowering	2026-03-26 18:34:10 +01:00
snothub	87cd2401c5	resource lowering on monitoring	2026-03-26 18:31:28 +01:00
snothub	e938bf2467	new grafana dash	2026-03-26 16:04:32 +01:00
snothub	ca8127802b	doc	2026-03-26 15:25:14 +01:00
snothub	1609f6afde	exclude trivy-system from kyverno policies	2026-03-26 13:34:00 +01:00
snothub	c33abcc357	default port	2026-03-26 13:26:31 +01:00
snothub	8029b7816d	rename annotation	2026-03-26 13:25:53 +01:00
snothub	5640a5ca4a	sidecar port	2026-03-26 13:24:06 +01:00
snothub	b9d8470a52	oauth env sidecar	2026-03-26 11:48:28 +01:00
danijel.simeunovic	279bc8b273	traefik default time span	2026-03-23 13:11:28 +01:00
danijel.simeunovic	c914498590	line format	2026-03-23 12:27:58 +01:00
danijel.simeunovic	5d8437bd01	filter logs	2026-03-23 12:24:27 +01:00
danijel.simeunovic	684b35c009	service graph	2026-03-23 12:16:44 +01:00
danijel.simeunovic	db8fb09fe1	sm	2026-03-23 12:10:31 +01:00
danijel.simeunovic	7a204e367c	time ranges	2026-03-23 11:55:00 +01:00
danijel.simeunovic	bdfada0838	opencost disable ui	2026-03-23 11:49:30 +01:00
danijel.simeunovic	7269eb3121	title	2026-03-23 11:42:25 +01:00
danijel.simeunovic	fca94cde94	fix	2026-03-23 11:41:13 +01:00
danijel.simeunovic	161dc52d4a	refresh	2026-03-23 11:07:52 +01:00
danijel.simeunovic	76b39241c1	oc yaml indenting	2026-03-23 10:50:44 +01:00
danijel.simeunovic	f50f03d8e0	typo	2026-03-23 10:44:46 +01:00
danijel.simeunovic	4266327d35	rates fix	2026-03-23 10:41:21 +01:00
danijel.simeunovic	8f71d159ff	currency and rates	2026-03-23 10:36:02 +01:00
danijel.simeunovic	f8ecc54b86	panel	2026-03-23 09:39:34 +01:00
danijel.simeunovic	b1b75c77c5	cost values	2026-03-23 09:37:44 +01:00
danijel.simeunovic	c2aa680a0f	opencost grafana json	2026-03-23 09:23:16 +01:00
danijel.simeunovic	d0ab490eb5	datasource	2026-03-22 16:01:04 +01:00
danijel.simeunovic	fd0e578131	opencost scraping	2026-03-22 15:51:11 +01:00
danijel.simeunovic	c6bc723b8a	opencost scrapes	2026-03-22 00:17:12 +01:00
danijel.simeunovic	1983c80f15	opencost	2026-03-21 23:55:33 +01:00
danijel.simeunovic	5dc12cfaa2	new api token	2026-03-21 23:36:33 +01:00
danijel.simeunovic	258ece5f85	dot ai secrets	2026-03-21 23:32:32 +01:00
danijel.simeunovic	2f88b2d16c	svc graph fix	2026-03-20 14:41:10 +01:00
danijel.simeunovic	b4ffae5078	service graph	2026-03-20 14:31:52 +01:00
danijel.simeunovic	7aa69f6a7f	cleanup	2026-03-20 14:29:32 +01:00
danijel.simeunovic	d394dfd55e	host fix	2026-03-20 14:23:46 +01:00
danijel.simeunovic	f728f9dbd3	Tempo doc	2026-03-20 14:22:14 +01:00
danijel.simeunovic	7522b88cfb	fix tempo	2026-03-20 14:19:55 +01:00
danijel.simeunovic	afb39f99a7	Grafana Tempo	2026-03-20 14:04:20 +01:00
danijel.simeunovic	e4f8f2c071	traefik grafana dash	2026-03-20 13:46:13 +01:00
danijel.simeunovic	2ecd0c8a44	traefik metrics	2026-03-20 13:32:06 +01:00
danijel.simeunovic	3c81fd1e3a	cleanup	2026-03-20 13:11:38 +01:00
danijel.simeunovic	b665faaa7b	sidecar image ref	2026-03-20 13:06:11 +01:00
danijel.simeunovic	5071110c72	repo url fix	2026-03-20 13:02:48 +01:00
danijel.simeunovic	016e70a998	argocd repo secret	2026-03-20 12:59:13 +01:00
Danijel Simeunovic	8b1931fa9d	traefik access logging	2026-03-20 11:12:48 +01:00
Danijel Simeunovic	ec4082de93	otel	2026-03-20 11:09:42 +01:00
Danijel Simeunovic	d50b790082	otel	2026-03-20 11:08:04 +01:00
Danijel Simeunovic	29e644510c	traefik tracing	2026-03-20 10:57:18 +01:00
Danijel Simeunovic	3264f879b0	fortedigital/forte-helm	2026-03-20 09:42:32 +01:00
Danijel Simeunovic	36460b5cac	kcprom	2026-03-19 20:28:42 +01:00
Danijel Simeunovic	4c0ec63ec3	apikey	2026-03-19 12:51:07 +01:00
Danijel Simeunovic	2b71f63740	dot-ai	2026-03-19 12:46:51 +01:00
Danijel Simeunovic	0de4e381c7	mm secret	2026-03-19 10:38:02 +01:00
Danijel Simeunovic	2c0b6b5ea9	authn: public paths	2026-03-18 22:41:12 +01:00