Add renovate.json

2026-04-14 10:19:10 +00:00
81 changed files with 574 additions and 1755 deletions
--- a/.gitea/workflows/ai-review.yaml
+++ b/.gitea/workflows/ai-review.yaml
@@ -1,41 +0,0 @@
 name: AI Code Review
 on:
  pull_request:
    types: [ opened, synchronize, reopened ]
 jobs:
  ai-review:
    runs-on: ubuntu-latest
    env:
      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
      # VCS configuration
      VCS__PROVIDER: GITEA
      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
      # LLM configuration
      LLM__PROVIDER: CLAUDE
      LLM__META__MODEL: claude-sonnet-4-20250514
      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        submodules: true
        fetch-depth: 0
    - name: Run inline review
      uses: docker://nikitafilonov/ai-review:latest
      with:
        args: ai-review run-inline
    - name: Run summary review
      uses: docker://nikitafilonov/ai-review:latest
      with:
        args: ai-review run-summary
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,34 @@
 name: Deploy Gitea Pages
 on:
  push:
    branches: [ main ]
    paths:
    - 'docs/**'
    - 'mkdocs.yml'
  workflow_dispatch:
 jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Install dependencies
      run: |
        apt-get update -qq
        apt-get install -y -qq python3-pip
        pip3 install --break-system-packages mkdocs mkdocs-material
    - run: mkdocs build
    - name: Deploy to Gitea Pages
      run: |
        cd site
        git init
        git config user.name "gitea-actions"
        git config user.email "actions@forteapps.net"
        git add .
        git commit -m "Deploy docs"
        git push --force "https://x-token:${{ secrets.GITEA_TOKEN }}@git.forteapps.net/Forte/launchpad.git" HEAD:gitea-pages
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
 [submodule "shared-prompts"]
 	path = shared-prompts
 	url = https://git.forteapps.net/Forte/ai-review-prompts.git
--- a/README.md
+++ b/README.md
@@ -83,26 +83,20 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── bootstrap.sh                # Cluster initialization script
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
-├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
+├── infra/                     # Infrastructure ArgoCD Applications
-│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
+│   ├── enterprise-apps.yaml   # Manages all apps in apps/ folder
-│   │   ├── kustomization.yaml
+│   ├── traefik-application.yaml
-│   │   ├── traefik-application.yaml
+│   ├── cert-manager-application.yaml
-│   │   ├── keycloak.yaml
+│   ├── kyverno.yaml
-│   │   ├── grafana.yaml
+│   ├── prometheus.yaml
-│   │   ├── gitea.yaml
+│   ├── grafana.yaml
-│   │   ├── gitea-actions.yaml
+│   ├── loki.yaml
-│   │   ├── tempo.yaml
+│   ├── tempo.yaml
-│   │   ├── renovate.yaml
+│   ├── fluent-bit.yaml
-│   │   ├── ...                # All other Application manifests
+│   ├── trivy.yaml
-│   │   └── secrets.yaml
+│   ├── sealedsecrets.yaml
-│   ├── overlays/              # Per-cluster overrides
+│   ├── renovate.yaml
 │   │   ├── upc-dev/           # UpCloud Dev cluster (uses base as-is)
 │   │   └── upc-prod/         # UpCloud Prod cluster (patches value paths)
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
 │       ├── base/              # Shared values (all clusters)
 │       ├── upc-dev/           # UpCloud Dev-specific values
 │       └── upc-prod/         # UpCloud Prod-specific values
 │
 ├── apps/                      # Business Applications
 │   ├── mcp10x.yaml
@@ -146,12 +140,12 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 |------------|---------|-----------|-----------|
 | **[launchpad](https://git.forteapps.net/Forte/launchpad)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
 | **[forte-helm](https://git.forteapps.net/Forte/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
-| **[helm-prod-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
+| **[helm-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
 ### GitOps Workflow
 ```
-Developer commits code → CI/CD builds image → Updates helm-prod-values → ArgoCD syncs → Deployed to cluster
+Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD syncs → Deployed to cluster
 ```
 **Learn more**: [GitOps Architecture - GitOps Workflow](docs/GITOPS-ARCHITECTURE.md#gitops-workflow)
@@ -166,7 +160,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
-2. Create `helm-prod-values/myapp/values.yaml` (configuration)
+2. Create `helm-values/myapp/values.yaml` (configuration)
 3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!
@@ -175,8 +169,8 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **See detailed guide**: [Developer Guide - Updating an Existing Application](docs/DEVELOPER-GUIDE.md#updating-an-existing-application)
 **Quick version**:
- **Update code**: Push to app repo → CI/CD updates image tag in helm-prod-values
+- **Update code**: Push to app repo → CI/CD updates image tag in helm-values
- **Update config**: Edit `helm-prod-values/myapp/values.yaml` → commit → push
+- **Update config**: Edit `helm-values/myapp/values.yaml` → commit → push
 ### Manage Secrets
@@ -204,7 +198,7 @@ git push
 **Quick version**:
 ```yaml
-# In helm-prod-values/myapp/values.yaml
+# In helm-values/myapp/values.yaml
 # Token-based auth (simple)
 auth:
@@ -361,12 +355,12 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 ### App-of-Apps Pattern
-`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{upc-dev,upc-prod}/` render the base Applications with per-cluster patches (e.g., swapping value file paths from `upc-dev` to `upc-prod`).
+`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Each YAML in `infra/` becomes a child Application managed by ArgoCD.
 ### Multi-Source Pattern
 Applications reference both:
 1. **Helm charts** from `forte-helm` (templates)
-2. **Values** from `helm-prod-values` (configuration)
+2. **Values** from `helm-values` (configuration)
 This separates reusable templates from environment-specific config.
@@ -435,7 +429,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 ### Adding a New Application
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
-3. Create Helm values in `helm-prod-values/`
+3. Create Helm values in `helm-values/`
 4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!
@@ -460,14 +454,14 @@ Documentation lives in `docs/`. To update:
 ### Current Environment
 - **Provider**: UpCloud Managed Kubernetes
 - **Environment**: Production (internal use only)
- **Clusters**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
+- **Cluster**: Single cluster
 - **Auth**: Disabled for ArgoCD (internal access)
 - **Backup**: None (cluster rebuildable via GitOps)
 ### Known Limitations
 - No automated backups (yet)
 - Secret rotation not automated
- Multi-cluster limited to upc-dev and upc-prod environments
+- Single cluster (no multi-cluster setup)
 - DNS management is manual
 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -485,8 +479,8 @@ Documentation lives in `docs/`. To update:
 - [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 ### Related Repositories
- [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
+- [forte-helm](https://github.com/fortedigital/forte-helm) - Helm chart templates
- [helm-prod-values](git@github.com:fortedigital/helm-prod-values.git) - Application values
+- [helm-values](git@github.com:fortedigital/helm-values.git) - Application values
 ---
--- a/_app-of-apps-upc-prod.yaml
+++ b/_app-of-apps-upc-prod.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    path: infra/overlays/upc-prod
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/_app-of-apps-upc-dev.yaml
+++ b/_app-of-apps-upc-dev.yaml
@@ -20,7 +20,7 @@ spec:
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: infra/overlays/upc-dev
+    path: infra
  destination:
    server: https://kubernetes.default.svc
    namespace: default
--- a/apps/base/argo-mcp.yaml
+++ b/apps/base/argo-mcp.yaml
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
 - argo-mcp.yaml
--- a/apps/base/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack.yaml
@@ -27,19 +27,29 @@ metadata:
 spec:
  project: default
-  sources:
+  source:
-  - repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
+    repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
    chart: dot-ai-stack
    targetRevision: "0.56.0"
    helm:
      releaseName: dot-ai-stack
-      valueFiles:
+      values: |
-      - $values/infra/values/base/dot-ai-stack-values.yaml
+        dot-ai:
-      - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
+          ingress:
-
+            enabled: true
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+            className: traefik
-    targetRevision: HEAD
+            host: kubemcp.forteapps.net
-    ref: values
+          webUI:
            baseUrl: http://kubemcpui.forteapps.net
        dot-ai-ui:
          uiAuth:
            secretRef:
              name: dot-ai-secrets
          ingress:
            enabled: true
            className: traefik
            host: kubemcpui.forteapps.net
  destination:
    server: https://kubernetes.default.svc
--- a/apps/base/mcp10x.yaml
+++ b/apps/base/mcp10x.yaml
--- a/apps/base/musicman.yaml
+++ b/apps/base/musicman.yaml
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/apps/overlays/upc-prod/kustomization.yaml
+++ b/apps/overlays/upc-prod/kustomization.yaml
@@ -1,14 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # dot-ai-stack: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: dot-ai-stack
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/dot-ai-stack-values.yaml
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -2,14 +2,7 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
+echo "running $0..."
 echo "running $0 for cluster: ${CLUSTER}..."
 # Source cluster config
 eval $(yq -r 'to_entries[] | "export \(.key)=\"\(.value)\""' "clusters/${CLUSTER}.yaml")
 echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 ############################################################
 # Bootstrap                                                     #
@@ -17,17 +10,17 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
    ArgoCd
-#    Gitea
+#    Github
 }
 ############################################################
-# Gitea                                                     #
+# Github                                                     #
 ############################################################
-Gitea()
+Github()
 {
    echo "Installing secret..."
-    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f private/github.yaml
    kubectl apply -f private/main.key
 }
@@ -38,15 +31,15 @@ ArgoCd()
 {
    # install argocd
    echo "Installing ArgoCD..."
    CLUSTER_NAME="${CLUSTER_NAME:-dev-fd-no-svg1}"
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --namespace argocd --create-namespace \
-            --values infra/values/base/argocd-values.yaml \
+            --values infra/values/argocd-values.yaml \
-            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
+            --set notifications.context.clusterName="$CLUSTER_NAME" \
            --set notifications.context.clusterName="${clusterName}" \
            --timeout 60s --atomic
-    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
+    kubectl apply -f _app-of-apps.yaml -n argocd
 }
-# Bootstrap
+Bootstrap
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -243,8 +243,8 @@ spec:
            - name: AUTH_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
+                  name: auth-oidc
-                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
+                  key: client-secret
            resources:
              limits:
                cpu: 50m
@@ -410,8 +410,8 @@ spec:
            - name: AUTH_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret\" || 'auth-oauth' }}"
+                  name: auth-oauth
-                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret-key\" || 'client-secret' }}"
+                  key: client-secret
            - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
--- a/cluster-resources/policies/keycloak-client-cloner.yaml
+++ b/cluster-resources/policies/keycloak-client-cloner.yaml
@@ -1,37 +0,0 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: keycloak-client-config-cloner
 spec:
  rules:
  - name: clone-client-config-to-keycloak
    skipBackgroundRequests: false
    match:
      any:
      - resources:
          kinds:
          - Secret
          selector:
            matchLabels:
              keycloak.forteapps.net/client-config: "true"
    exclude:
      any:
      - resources:
          namespaces:
          - keycloak
    generate:
      apiVersion: v1
      kind: Secret
      name: "{{request.object.metadata.name}}"
      namespace: keycloak
      synchronize: true
      data:
        metadata:
          labels:
            keycloak.forteapps.net/client-config: "true"
            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
          annotations:
            keycloak.forteapps.net/source-name: "{{request.object.metadata.name}}"
            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
        data: "{{request.object.data}}"
        type: "{{request.object.type}}"
--- a/clusters/upc-dev.yaml
+++ b/clusters/upc-dev.yaml
@@ -1,10 +0,0 @@
 clusterName: dev-fd-no-svg1
 domain: forteapps.net
 argocdDomain: argocd.127.0.0.1.nip.io
 grafanaDomain: grafana.forteapps.net
 keycloakDomain: id.forteapps.net
 dotaiDomain: kubemcp.forteapps.net
 dotaiUiDomain: kubemcpui.forteapps.net
 letsencryptEmail: danijels@gmail.com
 trustedIPs: "172.16.1.0/24"
 cloudProvider: upcloud
--- a/clusters/upc-prod.yaml
+++ b/clusters/upc-prod.yaml
@@ -1,10 +0,0 @@
 clusterName: prod-fd-no-svg1
 domain: fortedigital.com
 argocdDomain: argocd.127.0.0.1.nip.io
 grafanaDomain: grafana.fortedigital.com
 keycloakDomain: id.fortedigital.com
 dotaiDomain: kubemcp.fortedigital.com
 dotaiUiDomain: kubemcpui.fortedigital.com
 letsencryptEmail: danijel.simeunovic@fortedigital.com
 trustedIPs: "172.16.1.0/24"
 cloudProvider: upcloud
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -9,7 +9,6 @@
 - [Updating an Existing Application](#updating-an-existing-application)
 - [Working with Secrets](#working-with-secrets)
 - [Enabling Authentication for Applications](#enabling-authentication-for-applications)
 - [Adding a New Keycloak Client](#adding-a-new-keycloak-client)
 - [Troubleshooting](#troubleshooting)
 - [Best Practices](#best-practices)
@@ -96,10 +95,10 @@ You'll need read/write access to these repositories:
   cd launchpad
   ```
-2. **helm-prod-values** (Values repo)
+2. **helm-values** (Values repo)
   ```bash
   git clone https://git.forteapps.net/Forte/helm-prod-values.git
-   cd helm-prod-values
+   cd helm-values
   ```
 3. **forte-helm** (Chart repo - read-only for most developers)
@@ -175,13 +174,13 @@ npm run dev
 │  - GitHub Actions builds image                                  │
 │  - Pushes to container registry (GHCR, Docker Hub)              │
 │  - Tags with version (e.g., v2.0.4)                             │
-│  - Updates helm-prod-values repository with new tag                  │
+│  - Updates helm-values repository with new tag                  │
 └─────────────────────────────────────────────────────────────────┘
                            │
                            ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Step 3: GitOps Sync (Automated)                                │
-│  - ArgoCD detects change in helm-prod-values                         │
+│  - ArgoCD detects change in helm-values                         │
 │  - Pulls updated configuration                                  │
 │  - Syncs to Kubernetes cluster                                  │
 │  - Sends Slack notification on success/failure                  │
@@ -201,7 +200,7 @@ Our setup uses three repositories:
 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
 | **forte-helm** | Helm chart templates (generic, reusable) | Platform engineers | ❌ Rarely |
-| **helm-prod-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
+| **helm-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
 | **launchpad** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |
 ### Example: Deploying "myapp"
@@ -223,7 +222,7 @@ spec:
      value: {{ .Values.app.port }}
 ```
-#### Repository: `helm-prod-values` (Your App Config)
+#### Repository: `helm-values` (Your App Config)
 ```yaml
 # myapp/values.yaml
 # Your app's specific configuration
@@ -248,13 +247,13 @@ metadata:
  namespace: argocd
 spec:
  sources:
-  - repoURL: https://git.forteapps.net/Forte/forte-helm
+  - repoURL: https://github.com/fortedigital/forte-helm
    path: forteapp
    helm:
      valueFiles:
      - $values/myapp/values.yaml
-  - repoURL: git@github.com:fortedigital/helm-prod-values.git
+  - repoURL: git@github.com:fortedigital/helm-values.git
    ref: values
  destination:
@@ -316,10 +315,10 @@ Ensure your app repository has:
             docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} .
             docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }}
-         - name: Update helm-prod-values
+         - name: Update helm-values
           run: |
-             git clone git@github.com:fortedigital/helm-prod-values.git
+             git clone git@github.com:fortedigital/helm-values.git
-             cd helm-prod-values
+             cd helm-values
             mkdir -p hello-world
             cat > hello-world/values.yaml <<EOF
             app:
@@ -334,7 +333,7 @@ Ensure your app repository has:
 ### Step 2: Create Helm Values
-Create a folder in `helm-prod-values` repository:
+Create a folder in `helm-values` repository:
 ```bash
 cd ~/dev/k8s/helm-prod-values
@@ -412,7 +411,7 @@ spec:
  sources:
  # Source 1: Helm chart templates
-  - repoURL: https://git.forteapps.net/Forte/forte-helm
+  - repoURL: https://github.com/fortedigital/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
@@ -420,7 +419,7 @@ spec:
      - $values/hello-world/values.yaml
  # Source 2: Helm values
-  - repoURL: git@github.com:fortedigital/helm-prod-values.git
+  - repoURL: git@github.com:fortedigital/helm-values.git
    targetRevision: HEAD
    ref: values
@@ -528,7 +527,7 @@ git push origin main
 2. ✅ Builds new Docker image
 3. ✅ Tags with new version (e.g., `v20260316-143022`)
 4. ✅ Pushes to container registry
-5. ✅ Updates `helm-prod-values/myapp/values.yaml` with new tag
+5. ✅ Updates `helm-values/myapp/values.yaml` with new tag
 6. ✅ ArgoCD detects change
 7. ✅ Syncs new version to cluster
 8. ✅ Sends Slack notification
@@ -683,7 +682,7 @@ git push
 #### Step 4: Reference Secret in Application
-Update your `helm-prod-values/myapp/values.yaml`:
+Update your `helm-values/myapp/values.yaml`:
 ```yaml
 app:
@@ -791,7 +790,7 @@ Three authentication modes are supported:
 #### Step 1: Configure Helm Values
 ```yaml
-# In helm-prod-values/myapp/values.yaml
+# In helm-values/myapp/values.yaml
 auth:
  enabled: true
  type: token                    # Token mode (default)
@@ -913,7 +912,7 @@ rm private/myapp-auth-oidc.yaml
 #### Step 3: Configure Helm Values
 ```yaml
-# In helm-prod-values/myapp/values.yaml
+# In helm-values/myapp/values.yaml
 auth:
  enabled: true
  type: oidc                     # OIDC mode
@@ -1049,7 +1048,7 @@ policies.forteapps.io/auth-image-version: "v1.2.3"
 #### Example 1: Internal API with Token Auth
 ```yaml
-# helm-prod-values/internal-api/values.yaml
+# helm-values/internal-api/values.yaml
 app:
  image:
    repository: ghcr.io/company/internal-api
@@ -1077,7 +1076,7 @@ curl -H "Authorization: Bearer d4f88f..." \
 #### Example 2: User-Facing App with OIDC
 ```yaml
-# helm-prod-values/web-app/values.yaml
+# helm-values/web-app/values.yaml
 app:
  image:
    repository: ghcr.io/company/web-app
@@ -1112,7 +1111,7 @@ kubectl create secret generic auth-oidc \
 #### Example 3: MCP Server with OAuth 2.0
 ```yaml
-# helm-prod-values/mcp-server/values.yaml
+# helm-values/mcp-server/values.yaml
 app:
  image:
    repository: ghcr.io/company/mcp-server
@@ -1136,7 +1135,7 @@ The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) fo
 #### Example 4: Disabling Authentication
 ```yaml
-# helm-prod-values/public-api/values.yaml
+# helm-values/public-api/values.yaml
 auth:
  enabled: false                 # No authentication
@@ -1248,202 +1247,6 @@ kubectl logs -n myapp <pod-name> -c authn
 ---
 ## Adding a New Keycloak Client
 There are two ways to add an OIDC client, depending on your use case:
 | Method | Best for | Who edits the infra repo? |
 |--------|----------|--------------------------|
 | **Self-service** (recommended) | New apps that deploy their own resources | App developer — no infra changes needed |
 | **Legacy (realm JSON)** | Existing clients already defined in forte-realm.json (e.g., Gitea) | Platform engineer |
 Both methods are served by the **Keycloak Client Registrar** CronJob, which runs every 2 minutes.
 ### Self-Service OIDC Client Registration
 This is the recommended flow for new applications. Your app deploys a labeled config Secret in its own namespace; the platform handles everything else.
 #### How It Works
 1. You deploy a Secret with label `keycloak.forteapps.net/client-config: "true"` containing a `client.json` definition
 2. A **Kyverno ClusterPolicy** (`keycloak-client-config-cloner`) clones it to the `keycloak` namespace
 3. The **Client Registrar CronJob** picks it up within 2 minutes:
   - Registers (or updates) the client in Keycloak
   - Fetches the auto-generated client secret
   - Creates a credential Secret in your app's namespace
   - Annotates the config Secret with sync status
 #### Step 1: Create the Config Secret
 Deploy this Secret in your application's namespace (e.g., as part of your Helm chart or Kustomize overlay):
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-myapp
  namespace: myapp
  labels:
    keycloak.forteapps.net/client-config: "true"
 stringData:
  client.json: |
    {
      "clientId": "myapp",
      "name": "My Application",
      "redirectUris": ["https://myapp.forteapps.net/*"],
      "webOrigins": ["https://myapp.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [],
      "secret": {
        "namespace": "myapp",
        "name": "myapp-oidc-credentials",
        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
      }
    }
 ```
 **`client.json` fields**:
 | Field | Required | Description |
 |-------|----------|-------------|
 | `clientId` | Yes | Keycloak client ID |
 | `name` | Yes | Display name in Keycloak |
 | `redirectUris` | Yes | Allowed redirect URIs |
 | `webOrigins` | Yes | Allowed web origins (CORS) |
 | `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) |
 | `protocolMappers` | No | Custom claim mappers (default: `[]`) |
 | `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) |
 | `secret.name` | No | Name of the credential Secret (default: `<clientId>-oidc-credentials`) |
 | `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) |
 | `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) |
 #### Step 2: Reference the Credential Secret
 In your application's deployment config, reference the credential Secret that the registrar creates:
 ```yaml
 env:
 - name: OIDC_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: myapp-oidc-credentials
      key: client-id
 - name: OIDC_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: myapp-oidc-credentials
      key: client-secret
 ```
 #### Step 3: Deploy and Wait
 Commit and push your changes. The credential Secret will appear within 2 minutes:
 ```bash
 # Watch for the credential Secret to be created
 kubectl get secret myapp-oidc-credentials -n myapp -w
 # Check registrar logs
 kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
 # Check sync status on the config Secret
 kubectl get secret keycloak-client-myapp -n keycloak -o jsonpath='{.metadata.annotations}'
 ```
 #### Change Detection
 The registrar computes a SHA-256 hash of `client.json` and stores it as an annotation. On subsequent runs, it skips processing if:
 - The hash hasn't changed, AND
 - The credential Secret already exists in the target namespace
 To force a re-sync, update any field in `client.json` (e.g., add a trailing space to `name`).
 ### Legacy Method: Realm JSON
 Existing clients (like Gitea) are defined directly in `forte-realm.json` inside `keycloak-values.yaml`. The registrar syncs their secrets via client attributes.
 #### Step 1: Add Client to Realm Config
 In `infra/values/base/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
 ```json
 {
  "clientId": "myapp",
  "name": "My Application",
  "enabled": true,
  "protocol": "openid-connect",
  "clientAuthenticatorType": "client-secret",
  "standardFlowEnabled": true,
  "directAccessGrantsEnabled": false,
  "publicClient": false,
  "redirectUris": ["https://myapp.forteapps.net/*"],
  "webOrigins": ["https://myapp.forteapps.net"],
  "defaultClientScopes": ["openid", "email", "profile"],
  "attributes": {
    "k8s.secret.sync": "true",
    "k8s.secret.namespace": "myapp",
    "k8s.secret.name": "myapp-oidc-credentials",
    "k8s.secret.client-id-key": "key",
    "k8s.secret.client-secret-key": "secret"
  }
 }
 ```
 **Important**:
 - Do **NOT** include a `"secret"` field — Keycloak generates one automatically
 - The `attributes` block tells the registrar where to create the K8s Secret
 - Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
 #### Step 2: Reference the Secret in Your Application
 ```yaml
 existingSecret: myapp-oidc-credentials
 ```
 #### Step 3: Commit and Push
 ```bash
 cd ~/dev/k8s/launchpad
 git add infra/values/base/keycloak-values.yaml
 git commit -m "Add myapp Keycloak client with auto-sync"
 git push
 ```
 ArgoCD will sync the Keycloak config, and the registrar CronJob will pick up the new client within 2 minutes.
 #### Legacy Sync Attribute Reference
 | Attribute | Required | Default | Description |
 |-----------|----------|---------|-------------|
 | `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
 | `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
 | `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
 | `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
 | `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
 ### Retrieving Secrets for External Deployments
 The registrar always writes a **central copy** of every synced secret to the `secrets` namespace, in addition to the target namespace. This allows operators to retrieve client credentials for applications deployed outside this cluster:
 ```bash
 # View the central copy
 kubectl get secret gitea-oidc-credentials -n secrets -o yaml
 # Extract the client secret for use elsewhere
 kubectl get secret myapp-oidc-credentials -n secrets \
  -o jsonpath='{.data.client-secret}' | base64 -d
 ```
 ### Registrar Behavior Notes
 - The registrar runs as a CronJob every 2 minutes (`concurrencyPolicy: Forbid`)
 - If the target namespace doesn't exist, the target write is skipped with a warning (the central copy still happens)
 - A central copy is **always** written to the `secrets` namespace for every synced client
 - The registrar uses the `keycloak-credentials` secret for admin authentication
 - Created secrets have the label `app.kubernetes.io/managed-by: keycloak-client-registrar`
 ---
 ## Troubleshooting
 ### Application Not Deploying
@@ -1500,7 +1303,7 @@ kubectl exec -n myapp <pod-name> -- env
 # Check if secrets exist
 kubectl get secrets -n myapp
-# Increase resources in helm-prod-values
+# Increase resources in helm-values
 vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
 ```
@@ -1649,7 +1452,7 @@ If you're stuck:
 ### Configuration Management
 ✅ **DO**:
- Keep configuration in `helm-prod-values` repository
+- Keep configuration in `helm-values` repository
 - Use environment variables for config
 - Document what each value does
 - Use reasonable resource limits
@@ -1776,4 +1579,4 @@ Now that you understand the basics:
 - Docs: [Full documentation index](README.md)
 - Help: Contact platform team
-**Last Updated**: 2026-04-16
+**Last Updated**: 2026-03-16
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -16,7 +16,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ### Key Characteristics
 - **Environment**: Production (internal use only)
- **Cluster Type**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
+- **Cluster Type**: Single cluster, single environment
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
@@ -47,7 +47,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
         │                            │                          │
         │                            │                          │
         └────────► Update image tag ─┴──────────────────────────┘
-                    in helm-prod-values                               │
+                    in helm-values                               │
                                                                 │
                                                                 ▼
                                           ┌────────────────────────────────┐
@@ -62,8 +62,8 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                        │
                                                        ▼
                                           ┌────────────────────────────────┐
-                                           │   Kubernetes Clusters          │
+                                           │   Kubernetes Cluster           │
-                                           │   (UpCloud: upc-dev, upc-prod) │
+                                           │   (UpCloud Managed)            │
                                           │                                │
                                           │  ┌──────────────────────────┐  │
                                           │  │    ArgoCD                │  │
@@ -116,75 +116,81 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ```
 launchpad/
 ├── bootstrap.sh                      # Cluster initialization script
-├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
+├── _app-of-apps.yaml                 # Root ArgoCD Application (App-of-Apps pattern)
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
-├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
+├── infra/                            # Infrastructure ArgoCD Applications
-│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   ├── enterprise-apps.yaml          # Parent app managing all apps in apps/
-│   │   ├── kustomization.yaml
+│   ├── cluster-resources-application.yaml
-│   │   ├── traefik-application.yaml
+│   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
+│   ├── cert-manager-application.yaml
-│   │   ├── grafana.yaml
+│   ├── kyverno.yaml
-│   │   ├── gitea.yaml
+│   ├── kyverno-policies.yaml
-│   │   ├── gitea-actions.yaml
+│   ├── prometheus.yaml
-│   │   ├── tempo.yaml
+│   ├── grafana.yaml
-│   │   ├── renovate.yaml
+│   ├── loki.yaml
-│   │   ├── ...                       # All other Application manifests
+│   ├── tempo.yaml
-│   │   └── secrets.yaml
+│   ├── fluent-bit.yaml
-│   ├── overlays/                     # Per-cluster overrides
+│   ├── trivy.yaml
-│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   ├── sealedsecrets.yaml
-│   │   └── upc-prod/                # UpCloud Prod (patches value paths)
+│   ├── secrets.yaml
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
-│       ├── base/                     # Shared values (all clusters)
+│       ├── argocd-values.yaml
-│       │   ├── traefik-values.yaml
+│       ├── prometheus-values.yaml
-│       │   ├── keycloak-values.yaml
+│       ├── grafana-values.yaml
-│       │   ├── grafana-values.yaml
+│       ├── loki-values.yaml
-│       │   ├── prometheus-values.yaml
+│       ├── tempo-values.yaml
-│       │   ├── gitea-values.yaml
+│       └── fluent-bit-values.yaml
 │       │   └── ...
 │       ├── upc-dev/                  # upc-dev cluster-specific values
 │       │   ├── traefik-values.yaml
 │       │   ├── keycloak-values.yaml
 │       │   └── grafana-values.yaml
 │       └── upc-prod/                # upc-prod cluster-specific values
 │           ├── traefik-values.yaml
 │           ├── keycloak-values.yaml
 │           └── grafana-values.yaml
 │
-├── apps/                             # Business Application ArgoCD manifests (Kustomize)
+├── apps/                             # Business Application ArgoCD manifests
-│   ├── base/                         # Base app manifests
+│   ├── mcp10x.yaml                   # MCP 10X application
-│   │   ├── kustomization.yaml
+│   ├── musicman.yaml                 # Music Man application
-│   │   ├── dot-ai-stack.yaml
+│   ├── dot-ai-stack.yaml             # Dot AI Stack
-│   │   └── ...
+│   └── argo-mcp.yaml                 # ArgoCD MCP server
 │   └── overlays/
 │       ├── upc-dev/                  # Uses base as-is
 │       └── upc-prod/                # Patches value paths
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
-│   ├── ...
+│   ├── cert-manager-namespace.yaml
 │   ├── secrets-namespace.yaml
 │   ├── letsencrypt-issuer.yaml       # Let's Encrypt ClusterIssuer
 │   ├── kyverno-config.yaml
 │   ├── argocd-notifications-secret-sealed.yaml
 │   ├── forte10x-repo-credentials-sealed.yaml
 │   ├── mcp10x-repo-credentials-sealed.yaml
 │   └── policies/                     # Kyverno policies
 │       ├── deployment-verifier.yaml
 │       ├── label-checker.yaml
 │       ├── bare-pod-cleaner.yaml
 │       ├── replicaset-cleaner.yaml
 │       ├── default-ns-blocker.yaml
 │       ├── secret-cloner.yaml
 │       └── auth-sidecar-injector.yaml
 │
-├── secrets/                          # Application secrets (sealed, per-cluster)
+├── secrets/                          # Application secrets (sealed)
-│   └── upc-dev/                      # Secrets for upc-dev cluster
+│   ├── argocd-mcp-credentials.yaml
 │   ├── dot-ai-secrets.yaml
 │   ├── mcp10x-credentials-sealed.yaml
 │   └── musicman-credentials.yaml
 │
 ├── private/                          # Local-only files (NOT in Git)
 │   ├── *.yaml                        # Unsealed secrets
 │   └── *.sh                          # Helper scripts
 │
 └── docs/                             # Documentation
    ├── GITOPS-ARCHITECTURE.md        # This file
    ├── DEVELOPER-GUIDE.md
    ├── OPERATIONS-RUNBOOK.md
    └── REFERENCE.md
 ```
 **Key Points**:
- `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
+- `_app-of-apps.yaml` is the root Application that ArgoCD monitors
- Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
+- `infra/enterprise-apps.yaml` auto-discovers all apps in `apps/` folder
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
 - Changes pushed to this repo trigger automatic syncs in ArgoCD
 - `private/` folder contains local-only files (Git-ignored)
 ---
 ### 2. **Helm Charts Repository**
-**Repository**: `https://git.forteapps.net/Forte/forte-helm`
+**Repository**: `https://github.com/fortedigital/forte-helm`
 **Purpose**: Reusable Helm chart templates for Forte applications
 **Location**: `C:\dev\k8s\forte-helm`
@@ -218,7 +224,7 @@ forte-helm/
 ---
 ### 3. **Helm Values Repository**
-**Repository**: `git@github.com:fortedigital/helm-prod-values.git`
+**Repository**: `git@github.com:fortedigital/helm-values.git`
 **Purpose**: Environment-specific configuration for each application
 **Location**: `C:\dev\k8s\helm-prod-values`
@@ -228,6 +234,8 @@ helm-prod-values/
 │   └── values.yaml                   # MCP 10X configuration
 ├── musicman/
 │   └── values.yaml                   # Music Man configuration
 ├── mcpcoder/
 │   └── values.yaml                   # MCP Coder configuration
 └── argocd-mcp/
    └── values.yaml                   # ArgoCD MCP configuration
 ```
@@ -277,7 +285,7 @@ app-repository/
 2. Build Docker image
 3. Tag with version (e.g., `v2.0.4`)
 4. Push to container registry (GHCR, Docker Hub, etc.)
-5. Update image tag in `helm-prod-values` repository
+5. Update image tag in `helm-values` repository
 6. ArgoCD detects change and syncs automatically
 ---
@@ -287,7 +295,7 @@ app-repository/
 ### The App-of-Apps Pattern
 ```
-_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
+_app-of-apps.yaml (Root)
    │
    ├── infrastructure-apps (manages infra/)
    │   ├── cluster-resources-application
@@ -307,10 +315,10 @@ _app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
 ```
 **How It Works**:
-1. Bootstrap script installs ArgoCD and applies `_app-of-apps-upc-dev.yaml` (or `upc-prod`)
+1. Bootstrap script installs ArgoCD and applies `_app-of-apps.yaml`
-2. ArgoCD creates the root Application which monitors the appropriate `infra/overlays/` folder
+2. ArgoCD creates the root Application which monitors `infra/` folder
-3. Kustomize renders base Applications with cluster-specific patches
+3. Each YAML in `infra/` becomes a child Application
-4. `enterprise-apps` Application monitors the cluster's `apps/overlays/` folder
+4. `enterprise-apps.yaml` monitors `apps/` folder and auto-discovers applications
 5. ArgoCD continuously syncs (every 60s) and auto-heals drift
 ### Sync Waves & Ordering
@@ -338,13 +346,13 @@ Applications like `mcp10x` and `musicman` use multiple sources:
 ```yaml
 spec:
  sources:
-  - repoURL: https://git.forteapps.net/Forte/forte-helm
+  - repoURL: https://github.com/fortedigital/forte-helm
    path: forteapp                     # Helm chart templates
    helm:
      valueFiles:
      - $values/mcp10x/values.yaml     # Reference to second source
-  - repoURL: git@github.com:fortedigital/helm-prod-values.git
+  - repoURL: git@github.com:fortedigital/helm-values.git
    targetRevision: HEAD
    ref: values                        # Named reference
 ```
@@ -355,34 +363,6 @@ spec:
 - Easy to update all apps by changing the chart
 - Environment-specific values isolated in separate repo
 ### Multi-Cluster Pattern
 Kustomize overlays enable deploying the same Applications across clusters with different configurations:
 ```yaml
 # infra/base/ contains default (upc-dev) Applications
 # Helm values are layered: base + cluster-specific
 valueFiles:
 - $values/infra/values/base/traefik-values.yaml    # Shared config
 - $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
 # infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
 patches:
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
 ```
 **Benefits**:
 - Single source of truth for Application definitions
 - Cluster-specific values isolated per overlay
 - Easy to add new clusters by creating a new overlay
 - Base values shared across all clusters reduce duplication
 ---
 ## CI/CD Pipeline
@@ -412,8 +392,8 @@ jobs:
      - name: Update Helm values
        run: |
-          git clone git@github.com:fortedigital/helm-prod-values.git
+          git clone git@github.com:fortedigital/helm-values.git
-          cd helm-prod-values/app
+          cd helm-values/app
          sed -i "s/tag: .*/tag: $VERSION/" values.yaml
          git commit -am "Update app to $VERSION"
          git push
@@ -430,7 +410,7 @@ jobs:
   - Syncs application to cluster
 2. **Helm Values Change**:
-   - CI/CD updates `helm-prod-values/myapp/values.yaml`
+   - CI/CD updates `helm-values/myapp/values.yaml`
   - ArgoCD detects change
   - Pulls new Helm chart with updated values
   - Applies to cluster
@@ -637,7 +617,7 @@ Notifications include:
 ✅ **DO**:
 - Follow the `forteapp` chart pattern
 - Use semantic versioning for image tags
- Update helm-prod-values via CI/CD
+- Update helm-values via CI/CD
 - Test locally with Docker Compose
 - Document environment variables
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -85,8 +85,7 @@ kubectl get applications -n argocd
 1. **Configure DNS** for ingress domains:
   - `argocd.127.0.0.1.nip.io` (local dev)
-   - `*.forteapps.net` (dev)
+   - `*.forteapps.net` (production)
   - `*.fortedigital.com` (production)
 2. **Verify Let's Encrypt certificates**:
   ```bash
@@ -108,7 +107,7 @@ kubectl get applications -n argocd
 ### ArgoCD Repository Access Setup
-ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for Gitea repositories.
+ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.
 #### Why Deploy Keys?
@@ -120,7 +119,7 @@ ArgoCD needs SSH access to private Git repositories to pull manifests and Helm v
 #### Prerequisites
 - kubectl access to the cluster
- Write access to the Gitea repository
+- Write access to the GitHub repository
 - ArgoCD installed and running
 #### Setup Procedure
@@ -139,16 +138,16 @@ ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key
 This creates two files:
 - `argocd-deploy-key` - Private key (keep secret)
- `argocd-deploy-key.pub` - Public key (add to Gitea)
+- `argocd-deploy-key.pub` - Public key (add to GitHub)
-**Step 2: Add Public Key to Gitea**
+**Step 2: Add Public Key to GitHub**
 1. Copy the public key:
   ```bash
   cat argocd-deploy-key.pub
   ```
-2. Go to Gitea repository settings:
+2. Go to GitHub repository settings:
   - Navigate to: `https://git.forteapps.net/Forte/launchpad/settings/keys`
   - Or: Repository → Settings → Deploy keys
@@ -158,12 +157,12 @@ This creates two files:
   - ☐ Allow write access (leave unchecked - read-only is sufficient)
   - Click **"Add key"**
-4. Repeat for the `helm-prod-values` repository if it's private:
+4. Repeat for the `helm-values` repository if it's private:
   ```bash
-   # Generate separate key for helm-prod-values repo
+   # Generate separate key for helm-values repo
-   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-prod-values" -f argocd-helm-prod-values-key -N ""
+   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
-   # Add to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
+   # Add to: https://github.com/fortedigital/helm-values/settings/keys
   ```
 **Step 3: Create Kubernetes Secret**
@@ -208,7 +207,7 @@ kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 # Settings → Repositories → Should show "Successful" status
 # Test by creating an application
-kubectl apply -f _app-of-apps-upc-dev.yaml   # or _app-of-apps-upc-prod.yaml
+kubectl apply -f _app-of-apps.yaml
 # Check application sync status
 kubectl get applications -n argocd
@@ -271,7 +270,7 @@ rm /tmp/test-repo-access.yaml
   # Generate new key
   ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""
-   # Add new public key to Gitea (keep old key for now)
+   # Add new public key to GitHub (keep old key for now)
   # Update Kubernetes secret
   kubectl create secret generic repo-launchpad \
@@ -279,7 +278,7 @@ rm /tmp/test-repo-access.yaml
     --namespace=argocd \
     --dry-run=client -o yaml | kubectl apply -f -
-   # Test access, then remove old deploy key from Gitea
+   # Test access, then remove old deploy key from GitHub
   # Clean up
   shred -u argocd-new-key
@@ -290,7 +289,7 @@ rm /tmp/test-repo-access.yaml
   # List all repository secrets
   kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
-   # Review deploy keys in Gitea
+   # Review deploy keys in GitHub
   # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
   ```
@@ -313,16 +312,16 @@ kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/se
 # Check ArgoCD application controller logs
 kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"
-# Verify deploy key is added to Gitea
+# Verify deploy key is added to GitHub
 # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
 ```
 **Issue: "Host key verification failed"**
 ```bash
-# Add Gitea to known_hosts
+# Add GitHub to known_hosts
 kubectl exec -n argocd deployment/argocd-repo-server -- \
-  ssh-keyscan git.forteapps.net >> ~/.ssh/known_hosts
+  ssh-keyscan github.com >> ~/.ssh/known_hosts
 # Or disable strict host key checking (less secure)
 kubectl patch secret repo-launchpad -n argocd \
@@ -347,16 +346,16 @@ kubectl rollout restart deployment argocd-application-controller -n argocd
 #### Multiple Repository Setup
-For the three-repository pattern (launchpad, forte-helm, helm-prod-values):
+For the three-repository pattern (launchpad, forte-helm, helm-values):
 ```bash
 # 1. launchpad (main config repo)
 ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
 # Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys
-# 2. helm-prod-values (private values repo)
+# 2. helm-values (private values repo)
-ssh-keygen -t ed25519 -C "argocd-helm-prod-values" -f key-helm-prod-values -N ""
+ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
-# Add key-helm-prod-values.pub to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
+# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
 # 3. forte-helm (private helm charts repo)
@@ -367,14 +366,14 @@ kubectl create secret generic repo-launchpad \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -
-kubectl create secret generic repo-helm-prod-values \
+kubectl create secret generic repo-helm-values \
-  --from-file=sshPrivateKey=key-helm-prod-values \
+  --from-file=sshPrivateKey=key-helm-values \
  --namespace=argocd --dry-run=client -o yaml | \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -
 # Clean up keys
-shred -u key-sturdy key-helm-prod-values
+shred -u key-sturdy key-helm-values
 ```
 #### Converting HTTPS to SSH
@@ -391,7 +390,7 @@ If you're currently using HTTPS and want to switch to SSH:
 #   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
 # 3. Update and commit
-find . -name "*.yaml" -type f -exec sed -i 's|https://git.forteapps.net/Forte/|git@git.forteapps.net:Forte/|g' {} +
+find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
 git add .
 git commit -m "Switch from HTTPS to SSH for repository access"
@@ -495,7 +494,7 @@ spec:
 See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for detailed steps.
 **Quick checklist:**
- [ ] Create `helm-prod-values/myapp/values.yaml`
+- [ ] Create `helm-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
 - [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
@@ -560,7 +559,7 @@ kubectl scale deployment myapp -n myapp --replicas=3
 #### GitOps Scaling
-Update `helm-prod-values/myapp/values.yaml`:
+Update `helm-values/myapp/values.yaml`:
 ```yaml
 app:
@@ -574,7 +573,7 @@ Commit and push - ArgoCD will sync.
 Enable Horizontal Pod Autoscaler:
 ```yaml
-# In helm-prod-values/myapp/values.yaml
+# In helm-values/myapp/values.yaml
 app:
  hpa:
    enabled: true
@@ -623,7 +622,7 @@ kubectl rollout undo deployment myapp -n myapp
 #### Option 3: Change Image Tag
 ```bash
-# Edit helm-prod-values
+# Edit helm-values
 cd ~/dev/k8s/helm-prod-values
 vim myapp/values.yaml
@@ -643,7 +642,7 @@ git push
 #### Update Resource Limits
 ```yaml
-# In helm-prod-values/myapp/values.yaml
+# In helm-values/myapp/values.yaml
 app:
  resources:
    requests:
@@ -657,7 +656,7 @@ app:
 #### Enable Database
 ```yaml
-# In helm-prod-values/myapp/values.yaml
+# In helm-values/myapp/values.yaml
 db:
  enabled: true
  persistence:
@@ -1267,7 +1266,7 @@ spec:
 **What Needs Backup**:
 - ❌ Cluster state (not backed up - recreate via GitOps)
 - ❌ Persistent volumes (currently not critical)
- ✅ Git repositories (Gitea provides backup)
+- ✅ Git repositories (GitHub provides backup)
 - ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
 ### Cluster Rebuild
@@ -1353,13 +1352,13 @@ kubectl get deployment argocd-server -n argocd \
  -o jsonpath='{.spec.template.spec.containers[0].image}'
 # Update version in values
-vim infra/values/base/argocd-values.yaml
+vim infra/values/argocd-values.yaml
 # Or upgrade via Helm directly
 helm upgrade argocd argo-cd \
  --repo https://argoproj.github.io/argo-helm \
  --namespace argocd \
-  --values infra/values/base/argocd-values.yaml \
+  --values infra/values/argocd-values.yaml \
  --version 6.0.0  # New version
 # Verify
@@ -1455,8 +1454,8 @@ kubectl top pods --all-namespaces --sort-by=cpu
 Example: Adding Redis
 ```bash
-# 1. Create application manifest in base/
+# 1. Create application manifest
-cat > infra/base/redis-application.yaml <<EOF
+cat > infra/redis-application.yaml <<EOF
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -1466,17 +1465,15 @@ metadata:
    argocd.argoproj.io/sync-wave: "1"
 spec:
  project: default
-  sources:
+  source:
-  - repoURL: https://charts.bitnami.com/bitnami
+    repoURL: https://charts.bitnami.com/bitnami
    chart: redis
    targetRevision: 18.0.0
    helm:
-      releaseName: redis
+      values: |
-      valueFiles:
+        auth:
-      - \$values/infra/values/base/redis-values.yaml
+          enabled: true
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+          password: changeme
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: redis
@@ -1488,37 +1485,30 @@ spec:
    - CreateNamespace=true
 EOF
-# 2. Add to base kustomization
+# 2. Commit and push
-# Edit infra/base/kustomization.yaml and add: - redis-application.yaml
+git add infra/redis-application.yaml
 # 3. Create base values file
 cat > infra/values/base/redis-values.yaml <<EOF
 auth:
  enabled: true
 EOF
 # 4. Commit and push
 git add infra/base/redis-application.yaml infra/values/base/redis-values.yaml infra/base/kustomization.yaml
 git commit -m "Add Redis infrastructure component"
 git push
-# 5. ArgoCD will auto-sync within 60 seconds
+# 3. ArgoCD will auto-sync within 60 seconds
 ```
-### Multi-Cluster Setup
+### Multi-Cluster Setup (Future)
-The repository supports multiple clusters via Kustomize overlays:
+For multi-cluster deployments:
- **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
+```yaml
- **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
+# Different destinations per environment
 # dev-cluster
 destination:
  server: https://dev.k8s.example.com
  namespace: myapp
-Each cluster has its own:
+# prod-cluster
- Root app-of-apps file: `_app-of-apps-upc-dev.yaml` / `_app-of-apps-upc-prod.yaml`
+destination:
- Cluster-specific Helm values: `infra/values/upc-dev/` / `infra/values/upc-prod/`
+  server: https://prod.k8s.example.com
- Sealed secrets: `secrets/upc-dev/` (others as needed)
+  namespace: myapp
- Apps overlay: `apps/overlays/upc-dev/` / `apps/overlays/upc-prod/`
+```
 To add a new cluster, create a new overlay directory (e.g., `infra/overlays/upc-staging/`) with patches that swap the value file paths.
 ### Blue-Green Deployments
@@ -1562,7 +1552,7 @@ git push
 kubectl scale deployment myapp -n myapp --replicas=0
 # Update Git
-vim helm-prod-values/myapp/values.yaml
+vim helm-values/myapp/values.yaml
 # Set replicaCount: 0
 git commit -am "Scale down myapp for maintenance"
 git push
@@ -1635,7 +1625,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Application code repository created
 - [ ] Dockerfile created and tested
- [ ] Gitea Actions workflow configured
+- [ ] GitHub Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
 - [ ] Secrets created and sealed
--- a/docs/README.md
+++ b/docs/README.md
@@ -180,7 +180,7 @@ Reference for:
                            │
                            ▼
 ┌──────────────────────────────────────────────────────────────┐
-│          Kubernetes Clusters (UpCloud: upc-dev, upc-prod)     │
+│               Kubernetes Cluster (UpCloud)                    │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies
 - **GitOps**: ArgoCD
- **Kubernetes**: UpCloud Managed Kubernetes (multi-cluster: upc-dev, upc-prod)
+- **Kubernetes**: UpCloud Managed Kubernetes
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -21,7 +21,7 @@
 |-----------|-------|
 | **Provider** | UpCloud Managed Kubernetes |
 | **Environment** | Production (internal use) |
-| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
+| **Cluster Count** | Single cluster |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -71,8 +71,7 @@ Internet
 ```
 launchpad/
 ├── bootstrap.sh                   # Cluster initialization script
-├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
+├── _app-of-apps.yaml              # Root ArgoCD Application
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
 ├── infra/                         # Infrastructure applications
 │   ├── cluster-resources-application.yaml
@@ -124,7 +123,6 @@ launchpad/
 │       ├── replicaset-cleaner.yaml
 │       ├── default-ns-blocker.yaml
 │       ├── secret-cloner.yaml
 │       ├── keycloak-client-cloner.yaml
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
@@ -157,15 +155,15 @@ ArgoCd() {
  helm upgrade --install argocd argo-cd \
    --repo https://argoproj.github.io/argo-helm \
    --namespace argocd --create-namespace \
-    --values infra/values/base/argocd-values.yaml \
+    --values infra/values/argocd-values.yaml \
    --set notifications.context.clusterName="$CLUSTER_NAME" \
    --timeout 60s --atomic
-  kubectl apply -f _app-of-apps-upc-dev.yaml -n argocd   # or _app-of-apps-upc-prod.yaml
+  kubectl apply -f _app-of-apps.yaml -n argocd
 }
 ```
-**`_app-of-apps-upc-dev.yaml`** / **`_app-of-apps-upc-prod.yaml`**
+**`_app-of-apps.yaml`**
 ```yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -190,7 +188,7 @@ spec:
 ### Helm Charts Repository: `forte-helm`
-**URL**: `https://git.forteapps.net/Forte/forte-helm`
+**URL**: `https://github.com/fortedigital/forte-helm`
 #### Chart: `forteapp`
@@ -337,18 +335,20 @@ configmap: []                    # Application ConfigMap key-value pairs
 ---
-### Helm Values Repository: `helm-prod-values`
+### Helm Values Repository: `helm-values`
-**URL**: `https://git.forteapps.net/Forte/helm-prod-values.git`
+**URL**: `https://github.com/fortedigital/helm-values.git`
 #### Structure
 ```
-helm-prod-values/
+helm-values/
 ├── mcp10x/
 │   └── values.yaml
 ├── musicman/
 │   └── values.yaml
 ├── mcpcoder/
 │   └── values.yaml
 └── argocd-mcp/
    └── values.yaml
 ```
@@ -524,14 +524,14 @@ spec:
  # Multi-source configuration
  sources:
-  - repoURL: https://git.forteapps.net/Forte/forte-helm
+  - repoURL: https://github.com/fortedigital/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/<app-name>/values.yaml
-  - repoURL: git@github.com:fortedigital/helm-prod-values.git
+  - repoURL: git@github.com:fortedigital/helm-values.git
    targetRevision: HEAD
    ref: values
@@ -614,7 +614,7 @@ retry:
 **Configuration**:
 ```yaml
-# infra/base/traefik-application.yaml
+# infra/traefik-application.yaml
 replicas: 2
 service:
@@ -789,7 +789,7 @@ persistence:
 **Configuration**:
 ```yaml
-# infra/base/gitea.yaml + infra/values/base/gitea-values.yaml
+# infra/gitea.yaml + infra/values/gitea-values.yaml
 ingress:
  host: git.forteapps.net
  tls: cert-manager (letsencrypt-prod)
@@ -813,21 +813,14 @@ postgresql:
  persistence: 8Gi (upcloud-block-storage-maxiops)
 ```
-**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
+**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`)
 **External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs.
 **Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
 - Metrics: `/metrics` (Prometheus scrape)
-**Secrets**:
+**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)
 - `gitea-credentials` (SealedSecret) — admin password
 - `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `gitea-smtp-secret` (SealedSecret) — SMTP username + password
 ### Gitea Actions Runners
@@ -839,7 +832,7 @@ postgresql:
 **Configuration**:
 ```yaml
-# infra/base/gitea-actions.yaml + infra/values/base/gitea-actions-values.yaml
+# infra/gitea-actions.yaml + infra/values/gitea-actions-values.yaml
 replicaCount: 3
 runner:
@@ -876,197 +869,6 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 ### AI Code Review (ai-review)
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
 **Trigger**: `pull_request` events (`opened`, `synchronize`)
 **Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`)
 **Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact.
 **Architecture**:
 - Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image
 - Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`)
 - Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient)
 - Agent mode: disabled (one-shot review, no multi-turn reasoning)
 - LLM: Claude Sonnet (`claude-sonnet-4-20250514`)
 **Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`):
 ```
 shared-prompts/
  base/
    security.md          # org-wide security rules (all profiles)
  iac/
    .ai-review.yaml      # IaC/GitOps profile config
    inline.md            # inline review prompt
    summary.md           # PR summary prompt
  # future profiles: backend/, frontend/, etc.
 ```
 **Configuration** (`shared-prompts/iac/.ai-review.yaml`):
 ```yaml
 llm:
  provider: CLAUDE
  model: claude-sonnet-4-20250514
 vcs:
  provider: GITEA
 review:
  mode: ONLY_ADDED_WITH_CONTEXT
 agent:
  enabled: false
 prompt:
  inline_prompt_files:            # concatenated in order
    - ./shared-prompts/base/security.md
    - ./shared-prompts/iac/inline.md
  summary_prompt_files:
    - ./shared-prompts/iac/summary.md
 ignore:
  - "*.sealed.yaml"
  - "*.lock"
  - "docs/**"
 ```
 **Custom Prompts** (IaC profile):
 - `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt
 - `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments
 - `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags
 **Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines.
 **Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml`
 **Required Secrets** (configure in Gitea repo or org settings):
 | Secret | Purpose |
 |--------|---------|
 | `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
 | `AI_REVIEW_TOKEN` | Gitea API token with `write:issue` + `read:repository` scopes (use a bot/service account) |
 **Setup Steps**:
 1. Create a Gitea bot/service account and generate an API token with `write:issue` + `read:repository` scopes
 2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
 3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
 4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
 5. Push the workflow file — it triggers automatically on PR creation/update
 **Verification**:
 - Open a PR with infrastructure changes → workflow runs → inline comments + summary appear
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 ### Keycloak Client Registrar
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
 **Namespace**: `keycloak`
 **Schedule**: `*/2 * * * *` (every 2 minutes)
 **Purpose**: Handles two responsibilities:
 1. **Legacy sync** — extracts secrets from Keycloak clients with `k8s.secret.sync: "true"` attribute (same as former PostSync syncer)
 2. **Self-service registration** — processes config Secrets (cloned by Kyverno) to register new OIDC clients and sync their credentials
 **How It Works**:
 *Legacy path (existing clients like Gitea):*
 1. Authenticates to Keycloak Admin API using admin credentials from `keycloak-credentials` secret
 2. Queries all clients in the `forte` realm
 3. Filters clients with `k8s.secret.sync: "true"` attribute
 4. For each matching client, retrieves the auto-generated secret via Keycloak Admin API
 5. Creates/updates a K8s Secret in the target namespace (from `k8s.secret.namespace` attribute)
 6. Always writes a central copy to the `secrets` namespace
 *Self-service path (new clients):*
 1. Lists Secrets in `keycloak` namespace with label `keycloak.forteapps.net/client-config=true`
 2. For each config Secret, parses `client.json` and computes a config hash
 3. Skips if hash matches annotation and credential Secret already exists
 4. Creates or updates the Keycloak client via Admin API
 5. Fetches the generated client secret
 6. Upserts credential Secret in target namespace + central `secrets` namespace
 7. Annotates config Secret with sync status, config hash, and timestamp
 **Resources**:
 - `ServiceAccount`: `keycloak-client-registrar` (namespace: `keycloak`)
 - `ClusterRole`: `keycloak-client-registrar` (secrets: get/list/create/update/patch; namespaces: get/list)
 - `ClusterRoleBinding`: `keycloak-client-registrar`
 - `CronJob`: `keycloak-client-registrar`
 **Kyverno Policy**: `keycloak-client-config-cloner` — clones labeled Secrets from app namespaces to `keycloak` namespace (see [Kyverno Policies](#kyverno-policies))
 **Legacy Client Attributes** (set in `forte-realm.json`):
 | Attribute | Required | Default | Description |
 |-----------|----------|---------|-------------|
 | `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
 | `k8s.secret.namespace` | Yes | — | Target K8s namespace |
 | `k8s.secret.name` | Yes | — | Name of the K8s Secret |
 | `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
 | `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
 **Self-Service Config Secret Schema**:
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-<app>
  namespace: <app-namespace>
  labels:
    keycloak.forteapps.net/client-config: "true"
 stringData:
  client.json: |
    {
      "clientId": "<app>",
      "name": "<App Name>",
      "redirectUris": ["https://<app>.forteapps.net/*"],
      "webOrigins": ["https://<app>.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [],
      "secret": {
        "namespace": "<app-namespace>",
        "name": "<app>-oidc-credentials",
        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
      }
    }
 ```
 **Created Credential Secret Format**:
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: <target-name>
  namespace: <target-namespace>
  labels:
    app.kubernetes.io/managed-by: keycloak-client-registrar
 type: Opaque
 data:
  <client-id-key>: <base64-encoded client ID>
  <client-secret-key>: <base64-encoded client secret>
 ```
 **Config Secret Annotations** (set by registrar):
 | Annotation | Description |
 |-----------|-------------|
 | `keycloak.forteapps.net/config-hash` | SHA-256 hash of client.json for change detection |
 | `keycloak.forteapps.net/sync-status` | `synced` or `error` |
 | `keycloak.forteapps.net/last-sync` | ISO 8601 timestamp of last successful sync |
 **Verification**:
 ```bash
 # Check CronJob status
 kubectl get cronjobs -n keycloak
 # View latest registrar logs
 kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
 # Verify created secret
 kubectl get secret <name> -n <namespace> -o yaml
 # Check config Secret annotations (self-service)
 kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.annotations}'
 ```
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 ### Renovate
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1078,9 +880,9 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 **Configuration**:
 ```yaml
-# infra/base/renovate.yaml + infra/values/base/renovate-values.yaml
+# infra/renovate.yaml + infra/values/renovate-values.yaml
 cronjob:
-  schedule: "@daily"
+  schedule: "@hourly"
  concurrencyPolicy: Forbid
 renovate:
@@ -1089,24 +891,12 @@ renovate:
    endpoint: https://git.forteapps.net
    autodiscover: true
    gitAuthor: "Renovate Bot <renovate@forteapps.net>"
    packageRules:
      - matchRepositories: ["**/10x"]
        assignees: ["edvard.unsvag"]
        reviewers: ["edvard.unsvag"]
      - matchRepositories: ["**/auth-sidecar"]
        assignees: ["danijel.simeunovic"]
        reviewers: ["danijel.simeunovic"]
      - matchRepositories: ["**/forte-helm"]
        assignees: ["danijel.simeunovic"]
        reviewers: ["danijel.simeunovic"]
 resources:
-  requests: { cpu: 500m, memory: 1Gi }
+  requests: { cpu: 250m, memory: 512Mi }
-  limits: { cpu: "2", memory: 4Gi }
+  limits: { cpu: "1", memory: 1Gi }
 ```
 **Note**: Assignees and reviewers are only applied at PR creation time. Existing PRs must be closed and recreated for new assignment rules to take effect.
 **Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
 - `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
 - `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
@@ -1157,19 +947,6 @@ spec:
 **Label Requirement**: Secrets must have `allowedToBeCloned: "true"`
 ### Keycloak Client Config Cloner
 **File**: `cluster-resources/policies/keycloak-client-cloner.yaml`
 **Purpose**: Clones Secrets labeled `keycloak.forteapps.net/client-config: "true"` from app namespaces to the `keycloak` namespace. This allows apps to declare their OIDC client configuration in their own namespace, which the [Keycloak Client Registrar](#keycloak-client-registrar) then processes.
 **Trigger**: Any Secret with label `keycloak.forteapps.net/client-config: "true"` created outside the `keycloak` namespace.
 **Behavior**:
 - Generates a copy of the Secret in the `keycloak` namespace with the same name
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 ### Default Namespace Blocker
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1751,6 +1528,6 @@ team: platform
 ---
-**Last Updated**: 2026-04-16
+**Last Updated**: 2026-04-14
 **Maintained By**: Platform Team
 **Version**: 1.0.0
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -1,24 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - traefik-application.yaml
 - keycloak.yaml
 - grafana.yaml
 - cert-manager-application.yaml
 - kyverno.yaml
 - sealedsecrets.yaml
 - prometheus.yaml
 - loki.yaml
 - fluent-bit.yaml
 - trivy.yaml
 - enterprise-apps.yaml
 - cluster-resources-application.yaml
 - kyverno-policies.yaml
 - secrets.yaml
 - gitea.yaml
 - gitea-actions.yaml
 - opencost.yaml
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
--- a/infra/base/traefik-application.yaml
+++ b/infra/base/traefik-application.yaml
@@ -1,51 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: traefik
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: traefik
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://traefik.github.io/charts
    chart: traefik
    targetRevision: "28.0.0"
    helm:
      releaseName: traefik
      valueFiles:
      - $values/infra/values/base/traefik-values.yaml
      - $values/infra/values/upc-dev/traefik-values.yaml
  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: traefik-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/cert-manager-application.yaml
+++ b/infra/base/cert-manager-application.yaml
--- a/infra/base/cluster-resources-application.yaml
+++ b/infra/base/cluster-resources-application.yaml
--- a/infra/base/enterprise-apps.yaml
+++ b/infra/base/enterprise-apps.yaml
@@ -18,7 +18,7 @@ spec:
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: apps/overlays/upc-dev
+    path: apps
  destination:
    server: https://kubernetes.default.svc
    namespace: apps
--- a/infra/base/fluent-bit.yaml
+++ b/infra/base/fluent-bit.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: fluent-bit
      valueFiles:
-      - $values/infra/values/base/fluent-bit-values.yaml
+      - $values/infra/values/fluent-bit-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/gitea-actions.yaml
+++ b/infra/base/gitea-actions.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: gitea-actions
      valueFiles:
-      - $values/infra/values/base/gitea-actions-values.yaml
+      - $values/infra/values/gitea-actions-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/gitea.yaml
+++ b/infra/base/gitea.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: gitea
      valueFiles:
-      - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/gitea-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/grafana-dashboards.yaml
+++ b/infra/base/grafana-dashboards.yaml
--- a/infra/base/grafana.yaml
+++ b/infra/base/grafana.yaml
@@ -21,8 +21,7 @@ spec:
    helm:
      releaseName: grafana
      valueFiles:
-      - $values/infra/values/base/grafana-values.yaml
+      - $values/infra/values/grafana-values.yaml
      - $values/infra/values/upc-dev/grafana-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/keycloak.yaml
+++ b/infra/base/keycloak.yaml
@@ -21,8 +21,7 @@ spec:
    helm:
      releaseName: keycloak
      valueFiles:
-      - $values/infra/values/base/keycloak-values.yaml
+      - $values/infra/values/keycloak-values.yaml
      - $values/infra/values/upc-dev/keycloak-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
@@ -41,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: batch
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
--- a/infra/base/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies.yaml
--- a/infra/base/kyverno.yaml
+++ b/infra/base/kyverno.yaml
--- a/infra/base/loki.yaml
+++ b/infra/base/loki.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: loki
      valueFiles:
-      - $values/infra/values/base/loki-values.yaml
+      - $values/infra/values/loki-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
--- a/infra/base/opencost.yaml
+++ b/infra/base/opencost.yaml
@@ -21,9 +21,9 @@ spec:
    helm:
      releaseName: opencost
      valueFiles:
-      - $values/infra/values/base/opencost-values.yaml
+      - $values/infra/values/opencost-values.yaml
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-prod/kustomization.yaml
+++ b/infra/overlays/upc-prod/kustomization.yaml
@@ -1,50 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → upc-prod in valueFiles
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/grafana-values.yaml
 # Secrets: change path to upc-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/upc-prod
 # Enterprise-apps: point to upc-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/upc-prod
--- a/infra/base/prometheus.yaml
+++ b/infra/base/prometheus.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: prometheus
      valueFiles:
-      - $values/infra/values/base/prometheus-values.yaml
+      - $values/infra/values/prometheus-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/renovate.yaml
+++ b/infra/base/renovate.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: renovate
      valueFiles:
-      - $values/infra/values/base/renovate-values.yaml
+      - $values/infra/values/renovate-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/sealedsecrets.yaml
+++ b/infra/base/sealedsecrets.yaml
--- a/infra/base/secrets.yaml
+++ b/infra/base/secrets.yaml
@@ -18,7 +18,7 @@ spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets/upc-dev
+    path: secrets
  destination:
    server: https://kubernetes.default.svc
    namespace: secrets
--- a/infra/base/tempo.yaml
+++ b/infra/base/tempo.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: tempo
      valueFiles:
-      - $values/infra/values/base/tempo-values.yaml
+      - $values/infra/values/tempo-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/traefik-application.yaml
+++ b/infra/traefik-application.yaml
@@ -0,0 +1,159 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: traefik
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: traefik
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://traefik.github.io/charts
    chart: traefik
    targetRevision: "28.0.0"
    helm:
      values: |
        metrics:
          addInternals: true
        tracing:
          otlp:
            enabled: true
        logs:
          general:
            level: DEBUG
          access:
            format: json
            enabled: true
        additionalArguments:
          - "--tracing.otlp.http.endpoint=http://tempo.monitoring.svc.cluster.local:4318/v1/traces"
        providers:
          kubernetesIngress:
            publishedService: # Fixes ArgoCD health checks for LoadBalancer services
              enabled: true
        deployment:
          replicas: 2
        ingressRoute:
          dashboard:
            enabled: true
            # Optional: specify entrypoint
            entrypoint: traefik
        api:
          dashboard: true
          debug: false
        service:
          type: LoadBalancer
          annotations:
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
            traefik.ingress.kubernetes.io/router.priority: "42"
            traefik.ingress.kubernetes.io/router.tls: "true"
            service.beta.kubernetes.io/upcloud-load-balancer-config: |
              {
                  "frontends": [
                      {
                          "name": "web",
                          "mode": "tcp"
                      },
                      {
                          "name": "websecure",
                          "mode": "tcp"
                      },
                      {
                          "name": "giteassh",
                          "mode": "tcp"
                      }
                  ],
                  "backends": [
                      {
                          "name": "web",
                          "properties": {
                              "outbound_proxy_protocol": "v2"
                          }
                      },
                      {
                          "name": "websecure",
                          "properties": {
                              "outbound_proxy_protocol": "v2"
                          }
                      },
                      {
                          "name": "giteassh"
                      }
                  ]
              }
        ingressClass:
          enabled: true
          isDefaultClass: true
        # Configure entry points
        ports:
          metrics:
            expose: 
              default: true
            observability:
              accessLogs: true
              metrics: true
              tracing: true
              traceVerbosity: detailed
          web:
            proxyProtocol:
              trustedIPs: "172.16.1.0/24"
            forwardedHeaders:
              trustedIPs: "172.16.1.0/24"
            http:
              redirections:
                entrypoint:
                  to: websecure
                  scheme: https
          websecure:
            proxyProtocol:
              trustedIPs: "172.16.1.0/24"
            forwardedHeaders:
              trustedIPs: "172.16.1.0/24"
            observability:
              accessLogs: true
              metrics: true
              tracing: true
          giteassh:
            port: 2222
            expose:
              default: true
            exposedPort: 2222
            protocol: TCP
  destination:
    server: https://kubernetes.default.svc
    namespace: traefik-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/trivy.yaml
+++ b/infra/base/trivy.yaml
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -1,3 +1,5 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 configs:
  secret:
    createSecret: true
@@ -20,6 +22,10 @@ notifications:
  secret:
    create: false
  # Shared context variables available in all templates
  context:
    clusterName: "dev-fd-no-svg1"
  # Define notification templates
  templates:
    template.app-syncing: |
--- a/infra/values/base/dot-ai-stack-values.yaml
+++ b/infra/values/base/dot-ai-stack-values.yaml
@@ -1,11 +0,0 @@
 dot-ai:
  ingress:
    enabled: true
    className: traefik
 dot-ai-ui:
  uiAuth:
    secretRef:
      name: dot-ai-secrets
  ingress:
    enabled: true
    className: traefik
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -1,456 +0,0 @@
 # Bitnami Keycloak Helm Chart Values
 # Chart version: 25.2.0
 image:
  repository: bitnamilegacy/keycloak
 production: true
 proxyHeaders: xforwarded
 auth:
  adminUser: admin
  existingSecret: keycloak-credentials
  passwordSecretKey: admin-password
 ingress:
  enabled: true
  tls: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
 metrics:
  enabled: true
  prometheusRule:
    namespace: monitoring
    enabled: true
 resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 1Gi
 postgresql:
  enabled: true
  image:
    repository: bitnamilegacy/postgresql
  auth:
    existingSecret: keycloak-credentials
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: password
    username: bn_keycloak
    database: bitnami_keycloak
  primary:
    persistence:
      size: 8Gi
 keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
  configuration:
    forte-realm.json: |
      {
        "realm": "forte",
        "enabled": true,
        "displayName": "Forte",
        "sslRequired": "external",
        "registrationAllowed": false,
        "loginWithEmailAllowed": true,
        "resetPasswordAllowed": true,
        "rememberMe": true,
        "clients": [
          {
            "clientId": "gitea",
            "name": "Gitea",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "gitea",
              "k8s.secret.name": "gitea-oidc-credentials",
              "k8s.secret.client-id-key": "key",
              "k8s.secret.client-secret-key": "secret"
            },
            "protocolMappers": [
              {
                "name": "email_verified",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-hardcoded-claim-mapper",
                "config": {
                  "claim.name": "email_verified",
                  "claim.value": "true",
                  "jsonType.label": "boolean",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ]
      }
 extraDeploy:
 # -- ServiceAccount for the client registrar CronJob
 - apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: keycloak-client-registrar
    namespace: keycloak
 # -- ClusterRole granting access to secrets and namespaces
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: keycloak-client-registrar
  rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: keycloak-client-registrar
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: keycloak-client-registrar
  subjects:
  - kind: ServiceAccount
    name: keycloak-client-registrar
    namespace: keycloak
 # -- CronJob: registers Keycloak clients and syncs secrets
 - apiVersion: batch/v1
  kind: CronJob
  metadata:
    name: keycloak-client-registrar
    namespace: keycloak
  spec:
    schedule: "*/2 * * * *"
    concurrencyPolicy: Forbid
    successfulJobsHistoryLimit: 1
    failedJobsHistoryLimit: 3
    jobTemplate:
      spec:
        backoffLimit: 3
        template:
          spec:
            serviceAccountName: keycloak-client-registrar
            restartPolicy: Never
            containers:
            - name: registrar
              image: alpine:3.20
              command: ["/bin/sh", "-c"]
              args:
              - |
                set -e
                apk add --no-cache curl jq > /dev/null 2>&1
                KEYCLOAK_URL="http://keycloak:80"
                REALM="forte"
                K8S_API="https://kubernetes.default.svc"
                SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
                CA_CERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
                CENTRAL_NS="secrets"
                # --- Authenticate to Keycloak Admin API ---
                ADMIN_USER="admin"
                ADMIN_PASS=$(cat /secrets/admin-password)
                echo "Authenticating to Keycloak..."
                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
                  -d "grant_type=password" | jq -r '.access_token')
                if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
                  echo "ERROR: Failed to authenticate to Keycloak"
                  exit 1
                fi
                # --- Helper functions ---
                # Upsert a K8s Secret: try PUT (update), fall back to POST (create)
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
                    -X PUT -d "$manifest" \
                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}")
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$manifest" \
                      "${K8S_API}/api/v1/namespaces/${ns}/secrets")
                    if [ "$code" = "201" ]; then
                      echo "  Created secret '${ns}/${name}'"
                    else
                      echo "  ERROR: Failed to create secret '${ns}/${name}' (HTTP ${code})"
                      return 1
                    fi
                  else
                    echo "  ERROR: Failed to update secret '${ns}/${name}' (HTTP ${code})"
                    return 1
                  fi
                }
                # Build a credential Secret JSON manifest
                build_credential_secret() {
                  local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
                  cat <<MANIFEST
                {
                  "apiVersion": "v1",
                  "kind": "Secret",
                  "metadata": {
                    "name": "${name}",
                    "namespace": "${ns}",
                    "labels": {
                      "app.kubernetes.io/managed-by": "keycloak-client-registrar"
                    }
                  },
                  "type": "Opaque",
                  "data": {
                    "${id_key}": "${b64_id}",
                    "${secret_key}": "${b64_secret}"
                  }
                }
                MANIFEST
                }
                # Sync credentials to target + central namespace
                sync_credentials() {
                  local client_id="$1" client_uuid="$2" target_ns="$3" target_name="$4" id_key="$5" secret_key="$6"
                  # Get the client secret from Keycloak
                  local secret_value
                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')
                  if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then
                    echo "  WARNING: No secret found for client '${client_id}', skipping"
                    return 0
                  fi
                  local b64_id b64_secret
                  b64_id=$(printf '%s' "$client_id" | base64 | tr -d '\n')
                  b64_secret=$(printf '%s' "$secret_value" | base64 | tr -d '\n')
                  # Write to target namespace (if it exists)
                  local ns_status
                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
                  if [ "$ns_status" = "200" ]; then
                    local manifest
                    manifest=$(build_credential_secret "$target_ns" "$target_name" "$id_key" "$secret_key" "$b64_id" "$b64_secret")
                    upsert_secret "$target_ns" "$target_name" "$manifest" || return 1
                  else
                    echo "  WARNING: Namespace '${target_ns}' does not exist, skipping target"
                  fi
                  # Always write a central copy to the secrets namespace
                  local central_manifest
                  central_manifest=$(build_credential_secret "$CENTRAL_NS" "$target_name" "$id_key" "$secret_key" "$b64_id" "$b64_secret")
                  upsert_secret "$CENTRAL_NS" "$target_name" "$central_manifest" || return 1
                }
                # Annotate a K8s Secret with sync status
                annotate_secret() {
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
                  curl -sf -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
                }
                # =============================================
                # LEGACY PATH — sync existing realm clients
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
                COUNT=$(echo "$SYNC_CLIENTS" | jq 'length')
                echo "Found ${COUNT} legacy client(s) with sync enabled"
                echo "$SYNC_CLIENTS" | jq -c '.[]' | while read -r CLIENT; do
                  CLIENT_ID=$(echo "$CLIENT" | jq -r '.clientId')
                  CLIENT_UUID=$(echo "$CLIENT" | jq -r '.id')
                  TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
                  TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')
                  ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
                  SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
                  echo "Processing legacy client '${CLIENT_ID}' -> '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"
                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY"
                done
                # =============================================
                # NEW PATH — self-service config Secrets
                # =============================================
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
                CONFIG_SECRETS=$(curl -sf \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
                CONFIG_COUNT=$(echo "$CONFIG_SECRETS" | jq '.items | length')
                echo "Found ${CONFIG_COUNT} config Secret(s) to process"
                echo "$CONFIG_SECRETS" | jq -c '.items[]' | while read -r CONFIG_SECRET; do
                  CONFIG_NAME=$(echo "$CONFIG_SECRET" | jq -r '.metadata.name')
                  SOURCE_NS=$(echo "$CONFIG_SECRET" | jq -r '.metadata.annotations["keycloak.forteapps.net/source-namespace"] // .metadata.labels["keycloak.forteapps.net/source-namespace"] // "unknown"')
                  # Decode client.json from the Secret data
                  CLIENT_JSON_B64=$(echo "$CONFIG_SECRET" | jq -r '.data["client.json"] // empty')
                  if [ -z "$CLIENT_JSON_B64" ]; then
                    echo "WARNING: Config Secret '${CONFIG_NAME}' missing client.json field, skipping"
                    continue
                  fi
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
                  # Compute config hash for change detection
                  CONFIG_HASH=$(printf '%s' "$CLIENT_JSON" | sha256sum | cut -d' ' -f1)
                  EXISTING_HASH=$(echo "$CONFIG_SECRET" | jq -r '.metadata.annotations["keycloak.forteapps.net/config-hash"] // ""')
                  # Extract secret delivery config from client.json
                  CRED_NS=$(echo "$CLIENT_JSON" | jq -r '.secret.namespace // "'"${SOURCE_NS}"'"')
                  CRED_NAME=$(echo "$CLIENT_JSON" | jq -r '.secret.name // "'"${CLIENT_ID}"'-oidc-credentials"')
                  CRED_ID_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientId // "client-id"')
                  CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
                  # Check if credential Secret already exists in target namespace
                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
                  # Skip if hash matches and credential Secret exists
                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
                    echo "  No changes detected, skipping"
                    continue
                  fi
                  # Build Keycloak client representation (strip our secret delivery config)
                  KC_CLIENT=$(echo "$CLIENT_JSON" | jq '{
                    clientId: .clientId,
                    name: .name,
                    enabled: true,
                    protocol: "openid-connect",
                    clientAuthenticatorType: "client-secret",
                    standardFlowEnabled: true,
                    directAccessGrantsEnabled: false,
                    publicClient: false,
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
                    defaultClientScopes: .defaultClientScopes,
                    protocolMappers: (.protocolMappers // [])
                  }')
                  # Check if client already exists
                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                    | jq -r '.[0].id // empty')
                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                    if [ "$HTTP_CODE" != "201" ]; then
                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    # Fetch the newly created client's UUID
                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                      | jq -r '.[0].id')
                  fi
                  # Sync credentials to target namespace
                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"
                  # Annotate config Secret with hash and sync status
                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/config-hash" "$CONFIG_HASH"
                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "synced"
                  TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/last-sync" "$TIMESTAMP"
                  echo "  Synced successfully"
                done
                echo ""
                echo "Client registrar run complete"
              volumeMounts:
              - name: keycloak-credentials
                mountPath: /secrets
                readOnly: true
              resources:
                requests:
                  cpu: 50m
                  memory: 64Mi
                limits:
                  cpu: 200m
                  memory: 128Mi
            volumes:
            - name: keycloak-credentials
              secret:
                secretName: keycloak-credentials
                items:
                - key: admin-password
                  path: admin-password
--- a/infra/values/base/renovate-values.yaml
+++ b/infra/values/base/renovate-values.yaml
@@ -1,45 +0,0 @@
 cronjob:
  schedule: "@daily"
  concurrencyPolicy: Forbid
 renovate:
  config: |
    {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "platform": "gitea",
      "endpoint": "https://git.forteapps.net",
      "autodiscover": true,
      "gitAuthor": "Renovate Bot <renovate@forteapps.net>",
      "packageRules": [
        {
          "matchRepositories": ["**/10x"],
          "assignees": ["edvard.unsvag"],
          "reviewers": ["edvard.unsvag"]
        },
        {
          "matchRepositories": ["**/auth-sidecar"],
          "assignees": ["danijel.simeunovic"],
          "reviewers": ["danijel.simeunovic"]
        },
        {
          "matchRepositories": ["**/forte-helm"],
          "assignees": ["danijel.simeunovic"],
          "reviewers": ["danijel.simeunovic"]
        }
      ]
    }
 envFrom:
 - secretRef:
    name: renovate-env
 env:
  LOG_LEVEL: info
 resources:
  requests:
    cpu: 500m
    memory: 1Gi
  limits:
    cpu: "2"
    memory: 4Gi
--- a/infra/values/base/traefik-values.yaml
+++ b/infra/values/base/traefik-values.yaml
@@ -1,75 +0,0 @@
 providers:
  kubernetesIngress:
    publishedService: # Fixes ArgoCD health checks for LoadBalancer services
      enabled: true
  kubernetesCRD:
    allowCrossNamespace: true
 deployment:
  replicas: 2
 ingressRoute:
  dashboard:
    enabled: true
    # Optional: specify entrypoint
    entrypoint: traefik
 api:
  dashboard: true
  debug: false
 service:
  type: LoadBalancer
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.priority: "42"
    traefik.ingress.kubernetes.io/router.tls: "true"
 ingressClass:
  enabled: true
  isDefaultClass: true
 # Configure entry points
 ports:
  metrics:
    expose:
      default: true
    observability:
      accessLogs: true
      metrics: true
      tracing: true
      traceVerbosity: detailed
  web:
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
  websecure:
    observability:
      accessLogs: true
      metrics: true
      tracing: true
  gitea-ssh:
    port: 2222
    expose:
      default: true
    exposedPort: 2222
    protocol: TCP
 # -- IngressRouteTCP for Gitea SSH (cross-namespace to gitea/gitea-ssh service)
 extraObjects:
 - apiVersion: traefik.io/v1alpha1
  kind: IngressRouteTCP
  metadata:
    name: gitea-ssh
  spec:
    entryPoints:
    - gitea-ssh
    routes:
    - match: HostSNI(`*`)
      services:
      - name: gitea-ssh
        namespace: gitea
        port: 22
--- a/infra/values/base/fluent-bit-values.yaml
+++ b/infra/values/base/fluent-bit-values.yaml
--- a/infra/values/base/gitea-actions-values.yaml
+++ b/infra/values/base/gitea-actions-values.yaml
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -29,7 +29,6 @@ gitea:
      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
      ENABLE_BASIC_AUTHENTICATION: true
      ENABLE_PASSWORD_SIGNIN_FORM: false
      ENABLE_NOTIFY_MAIL: true
    openid:
      ENABLE_OPENID_SIGNIN: false
@@ -66,33 +65,11 @@ gitea:
      ISSUE_INDEXER_TYPE: bleve
      REPO_INDEXER_ENABLED: true
    mailer:
      ENABLED: true
      PROTOCOL: smtp+starttls
      SMTP_ADDR: smtp.office365.com
      SMTP_PORT: 587
      FROM: "noreply@fortedigital.com"
    admin:
      DEFAULT_EMAIL_NOTIFICATIONS: enabled
  # -- SMTP credentials injected from secret (USER and PASSWD)
  additionalConfigFromEnvs:
  - name: GITEA__mailer__USER
    valueFrom:
      secretKeyRef:
        name: gitea-smtp-secret
        key: username
  - name: GITEA__mailer__PASSWD
    valueFrom:
      secretKeyRef:
        name: gitea-smtp-secret
        key: password
  # -- OIDC authentication via Forte
  oauth:
  - name: "Forte"
    provider: "openidConnect"
-    existingSecret: gitea-oidc-credentials
+    existingSecret: gitea-credentials
    key: gitea
    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
    scopes: "openid email profile organization"
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -1,5 +1,7 @@
 ingress:
  enabled: true
  hosts:
  - grafana.127.0.0.1.nip.io
 resources:
  requests:
    cpu: 50m
--- a/infra/values/keycloak-values.yaml
+++ b/infra/values/keycloak-values.yaml
@@ -0,0 +1,84 @@
 # Bitnami Keycloak Helm Chart Values
 # Host: id.forteapps.net
 # Chart version: 25.2.0
 image:
  repository: bitnamilegacy/keycloak
 production: true
 proxyHeaders: xforwarded
 auth:
  adminUser: admin
  existingSecret: keycloak-credentials
  passwordSecretKey: admin-password
 ingress:
  enabled: true
  hostname: id.forteapps.net
  tls: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
 metrics:
  enabled: true
  prometheusRule:
    namespace: monitoring
    enabled: true
 resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 1Gi
 postgresql:
  enabled: true
  image:
    repository: bitnamilegacy/postgresql
  auth:
    existingSecret: keycloak-credentials
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: password
    username: bn_keycloak
    database: bitnami_keycloak
  primary:
    persistence:
      size: 8Gi
 keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
  configuration:
    forte-realm.json: |
      {
        "realm": "forte",
        "enabled": true,
        "displayName": "Forte",
        "sslRequired": "external",
        "registrationAllowed": false,
        "loginWithEmailAllowed": true,
        "resetPasswordAllowed": true,
        "rememberMe": true,
        "clients": [
          {
            "clientId": "gitea",
            "name": "Gitea",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "secret": "382ed413580cb79d0f54813e5da87007b28fe766a8903d378b9e1c266405a784",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"]
          }
        ]
      }
--- a/infra/values/base/loki-values.yaml
+++ b/infra/values/base/loki-values.yaml
--- a/infra/values/base/opencost-values.yaml
+++ b/infra/values/base/opencost-values.yaml
--- a/infra/values/base/prometheus-values.yaml
+++ b/infra/values/base/prometheus-values.yaml
--- a/infra/values/renovate-values.yaml
+++ b/infra/values/renovate-values.yaml
@@ -0,0 +1,28 @@
 cronjob:
  schedule: "@hourly"
  concurrencyPolicy: Forbid
 renovate:
  config: |
    {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "platform": "gitea",
      "endpoint": "https://git.forteapps.net",
      "autodiscover": true,
      "gitAuthor": "Renovate Bot <renovate@forteapps.net>"
    }
 envFrom:
 - secretRef:
    name: renovate-env
 env:
  LOG_LEVEL: debug
 resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: "1"
    memory: 1Gi
--- a/infra/values/base/tempo-values.yaml
+++ b/infra/values/base/tempo-values.yaml
--- a/infra/values/upc-dev/argocd-values.yaml
+++ b/infra/values/upc-dev/argocd-values.yaml
@@ -1,5 +0,0 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "dev-fd-eu-no-svg1"
--- a/infra/values/upc-dev/dot-ai-stack-values.yaml
+++ b/infra/values/upc-dev/dot-ai-stack-values.yaml
@@ -1,8 +0,0 @@
 dot-ai:
  ingress:
    host: kubemcp.forteapps.net
  webUI:
    baseUrl: http://kubemcpui.forteapps.net
 dot-ai-ui:
  ingress:
    host: kubemcpui.forteapps.net
--- a/infra/values/upc-dev/grafana-values.yaml
+++ b/infra/values/upc-dev/grafana-values.yaml
@@ -1,3 +0,0 @@
 ingress:
  hosts:
  - grafana.forteapps.net
--- a/infra/values/upc-dev/keycloak-values.yaml
+++ b/infra/values/upc-dev/keycloak-values.yaml
@@ -1,2 +0,0 @@
 ingress:
  hostname: id.forteapps.net
--- a/infra/values/upc-dev/traefik-values.yaml
+++ b/infra/values/upc-dev/traefik-values.yaml
@@ -1,47 +0,0 @@
 service:
  annotations:
    service.beta.kubernetes.io/upcloud-load-balancer-config: |
      {
          "frontends": [
              {
                  "name": "web",
                  "mode": "tcp"
              },
              {
                  "name": "websecure",
                  "mode": "tcp"
              },
              {
                  "name": "gitea-ssh",
                  "mode": "tcp"
              }
          ],
          "backends": [
              {
                  "name": "web",
                  "properties": {
                      "outbound_proxy_protocol": "v2"
                  }
              },
              {
                  "name": "websecure",
                  "properties": {
                      "outbound_proxy_protocol": "v2"
                  }
              },
              {
                  "name": "gitea-ssh"
              }
          ]
      }
 ports:
  web:
    proxyProtocol:
      trustedIPs: "172.16.1.0/24"
    forwardedHeaders:
      trustedIPs: "172.16.1.0/24"
  websecure:
    proxyProtocol:
      trustedIPs: "172.16.1.0/24"
    forwardedHeaders:
      trustedIPs: "172.16.1.0/24"
--- a/infra/values/upc-prod/argocd-values.yaml
+++ b/infra/values/upc-prod/argocd-values.yaml
@@ -1,5 +0,0 @@
 global:
  domain: argocd.fortedigital.com
 notifications:
  context:
    clusterName: "prod-fd-no-svg1"
--- a/infra/values/upc-prod/dot-ai-stack-values.yaml
+++ b/infra/values/upc-prod/dot-ai-stack-values.yaml
@@ -1,8 +0,0 @@
 dot-ai:
  ingress:
    host: kubemcp.fortedigital.com
  webUI:
    baseUrl: http://kubemcpui.fortedigital.com
 dot-ai-ui:
  ingress:
    host: kubemcpui.fortedigital.com
--- a/infra/values/upc-prod/grafana-values.yaml
+++ b/infra/values/upc-prod/grafana-values.yaml
@@ -1,3 +0,0 @@
 ingress:
  hosts:
  - grafana.fortedigital.com
--- a/infra/values/upc-prod/keycloak-values.yaml
+++ b/infra/values/upc-prod/keycloak-values.yaml
@@ -1,2 +0,0 @@
 ingress:
  hostname: id.fortedigital.com
--- a/infra/values/upc-prod/traefik-values.yaml
+++ b/infra/values/upc-prod/traefik-values.yaml
@@ -1,13 +0,0 @@
 service:
  annotations: {}
 ports:
  web:
    proxyProtocol:
      trustedIPs: "10.0.0.0/16"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/16"
  websecure:
    proxyProtocol:
      trustedIPs: "10.0.0.0/16"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/16"
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,3 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
 }
--- a/secrets/upc-dev/argocd-mcp-credentials.yaml
+++ b/secrets/upc-dev/argocd-mcp-credentials.yaml
--- a/secrets/upc-dev/argocdmcp-auth-oidc-sealed.yaml
+++ b/secrets/upc-dev/argocdmcp-auth-oidc-sealed.yaml
--- a/secrets/upc-dev/forte10x-app-credentials-sealed.yaml
+++ b/secrets/upc-dev/forte10x-app-credentials-sealed.yaml
--- a/secrets/gitea-smtp-secret-sealed.yaml
+++ b/secrets/gitea-smtp-secret-sealed.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: gitea-smtp-secret
  namespace: gitea
 spec:
  encryptedData:
    password: AgBMuISQeA41mtBIOo686sND2EO12Jv7BIogL5G7xxt7wKfIk88dQrU74vs+fv3OtPce2Ra63QkR6po31M9fZkoiYba5yqJtEOc6em3y0ZxM/UzavbRvHwrvsWEYqmHBnkCUjcJijdGbSX+rHyGsXLfZO0gOjqXO379Zl1fzmV4p3F5REXFQm6HorVtWX/LOSRj9GDW76l6KgPR/A+CbtAx8Cq0m3D3fyiaVLEReP3uOgBOo70APHj9Yp56EcgOtVa1pEgCxR4ctXeS4t/EliWcHc/JT4TBdRBRDYPKLfME6FvJxjLjaSZcWxtJrJzCv3+vA5LlfObuHY31aSDRqYwO4VBCPhf3Aa6Z5UXgUnmAtJRhHa9pKSSjW48jgNb1jDPIkQn5XgB2/twJ+gX3inAkrTQ82JJ75Rz7XWC8KmYkOtkgXgU2buCa4nIfPeXOr5qvutyywxV1Ge1nK0fQYneQZVFXlHTbAQXBJMpVvJoJ+G3xGjm1904/iBGkVKmNrQwaABUsGBC6ZIHGOTa45GBqrg3ODU2Gr61SCYxv6m3pMU1msR7QYne0oqLCVD8mLDaeSeiQI4ZY9u4ddsVwM6l2BFrT6+3IQuYPBgOoodzDVlCgmA7hoekhpak9vZ0loSHaWDXdNt75SemAjsQfwCO5sSEkr+wbCJEQpXh5p38RMZKTuOh3nYEGQEx/MQNl3VD4FarK/zOJM9EO9IkqdM4LnqVo3zPX4KAPosS1PPKS8
    username: AgBF6MiaI1x2xQOUoF4NUh4MeFF64Db3vywcEO0FdJ0U9EirVFMsBSSiqJLy8ok43ha72s+/RLBNHiSSRKX1UMWwwCsfs+LQJNh9EetgHRxoyqkHiqRMX5V2acU2scdPE/FCFQFOYzAjweup+kP8xNu1WKuDtPBRiAgBNDfW59ihFi9TgOJQ2AnDHottjm5CNaWsbTOSgZrXqzCEChfHu5K0W9cty9ENHYqnYDfcm/zPLYeUPW0gVN5GJq3lPo9vZjM7T2JnwryjOkBaPCRCzHOpRF3bMrArFrjbUlH6gdI0APf4CzGLMMKol/jTMG2tLBseaNQHfbz6p1vFYExCL60gSN46fzh10zIWaIC2O+SgoLLOizkQZWf/v86cdRerBSl6PFmbRUO18XUQ4SyR/WPM71HD1jeLnUZjKtkOu+fqQKlv8kBSELHGqiURNYDnbmUA1LQpdNkDnMkRS+uzQ3XwWCSQBAn+u9wh69kg1oPVEN60Nc4KpNwFIg25aycGkP3cMklfl3/u9nr5KruwtJe+hl2ynSk8zeEFWWQrBki7+88CH9aWVW/GTA8Ho7Fz+gp4ZUdUA0WhH2LRAQIN945pvJIkHm/AYAhH6pZiXdBzYeguPY5VEf6hDVM1sa39aSZzs81cj0YHxbjR/BoBxbUAa9xW7JYH2rcIqXDhJB4zq2H++8e0eABsdQC3tMmE1eQA51d0yg8+2fX+CRkcvMCmI3VjS/mdirrtnctv
  template:
    metadata:
      creationTimestamp: null
      labels:
        allowedToBeCloned: "true"
      name: gitea-smtp-secret
      namespace: gitea
    type: Opaque
--- a/secrets/upc-dev/keycloak-credentials-sealed.yaml
+++ b/secrets/upc-dev/keycloak-credentials-sealed.yaml
--- a/secrets/upc-dev/musicman-credentials.yaml
+++ b/secrets/upc-dev/musicman-credentials.yaml
--- a/secrets/upc-dev/dot-ai-secrets.yaml
+++ b/secrets/upc-dev/dot-ai-secrets.yaml
@@ -1,18 +0,0 @@
 # SealedSecret created after namespace (sync-wave: 0)
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: dot-ai-secrets
  namespace: dot-ai
 spec:
  encryptedData:
    anthropic-api-key: AgASIRVNs7kIvZ/XwFJ4j9TJ05TW4YlFNzi2lx+6URlvzjTkMignK+y4/HD3wTK37BkIonnOXf/DGJcMgqgxOrHBVu9tLkSamve5qgf+SOZ8jxaqpLX2e5hdmHrgMp7rVWKiOoxM+bvu8Gdve3eMwXX8Eazj7W7vi430LsvW4BmPrQp+A9SOP+hwMlV5r+P5pUogC3hddt5KoSwpgnpOb8fRGlLDpc548eDNBJrhsAZiiFqc8+CycHX6idxWzlWOTPR05LBs7YrTIP/LUXWdyq6UG8yB5D0c9JNndnGo6kSfJxdaxCNO7GhMAOmo4CitzYn/zhICwuHPLKwUYQBcEHVpFxgub0U9fY7s4i0SAH9aF1kk8yqHWaCicHzi6B3AxMZYr+knS5vVNB+uGZmSKgZ7QNE1bF6E4Gg5bXRwk7OVQhuJSBzxVNDoXoJ6stL8ejU+MP5FtI792FxZbNDImu3kqor/t9wB49ZeB9Ngks2yvtlSrQ3G2lxJaOgNBPmKYhAX95JFI3xUSHOMa18ftn+aXmEQTXOHtM/IT8A95gUvIKz8Hrt03CwgZ8E+3lcsjAVsfNjqn/erqV+xi93OYOL6o9ivmTIem3MzsqjKuQ57HKaghnd+Ygdt/WfotRBSgZtCweOkZBV0XKxI1RmCQXk6dce8x4T7FDEeaSQwkc4yZ77LfQJnyVgU1rds9Hqv0RbymHK8JCQEMMb6PcK+Ow068fdj4NP27HkuYMB5JdPp682KIRwGznN2d3+QPXRd/ZHshnixudY7CLirlZl9xD0HssfSBI+uCrFEAln8D93UYbn7trF5gkKWYQsQ07CVZ5Z1qXieqwJWjHRY+oY=
    auth-token: AgB65rUY3yJuTTLbGyrCtJPZp8UyEOr+kznSMGvUaZ9PoHq+kIEhazRdVKHa/WGvMWuc4x+XYRuIGj+2KiooyilUPrLcE3bz9fUOAFbRw3+iUh3WAgwK+f3eBUG6/0OoFw+GJ583IRidDW1t2BchMxSM1m+3vmQoF24qj7k9j/lWPsnX2IX3DhM0SomD1xmG+LsQMo2e4vQXB0BxhVDIQ621JTrvUPYzYx0NlPqZO/MtR1JWYS7WBTvegvgeBKLxfy9KLnqsuzu7rc2t9BYt7TRqvBg/prrKPdSV6Ei4GOZq+AcG15iOKXhsj8SxejPpM0QDemFTRQkdfz+k8ms4/SM0eylr5fEaa99TMTvjYGCfjJJyRcVm5Ef/XdmXiM3OI1u+9QNPiqXh1zmtp0yQMZ7nRE70kKQ2MHVhEmSUkBjovybIzLk4OL1v0FGDDqa1BN9KmNEBlo8H7DqXzfamVoNPyuuO625B3HgSeR3Udq8hngy9W/wiolmMNSc9C6vBA0HzE7Mkq79fHh/ruTi5zOJLfyEP7KQQqlNKfEtDFQfabaV9ERthQjuUs8ZIrdfCTOyQkrmmGY/sH5yodLRSYSEpHFrhPepwHS7lGzbVucW3Fn34D4OxJXyXQQObZKybLV7g6Oglf2Pdn11CEu/4+19RlykuOlm1dlj852a5NWWmmX319laLGlEd1BpG4cZyc9UZud68dGumwzrUupUMTLlJx8bR5rLgqaMpQMluwvq8MQbBXm4ySOcQ2jQhjw==
    openai-api-key: AgBc4cSrd0riSxKPrp7AqrNYMDAZJTe3aCjTOwEb5pS/KARkgoEGz+0ZhLXa2bcCsPlQzqRzZ1c1cUCnBACkp1xoMfhSOoIJUWJQHRgZx5kEDhNIE/M8PQe8es7jYsW7/ui6iK8uj3Ljk21r8l/ctnP/KiKyML4553el28Ya7XsPQynRvpVexFC4BoJw50nkauLnvl3in0cKmEVAkMWorUP3Etapaj4DWkCQQ22RPN0xGNo9yiIUEAVE+uTRFNKGEHMIvJzgB291FJQtG/WoN/Sy/DeoZkUYndA7CbfFgiz9sq3GqJwyqTM+Ikzw6VCQ3TVWYO/6+yaEzT1NZ/rw00YhDyFoH+yGTkX5lrSUo8lGf3T9OODTdSS1203xtj4dhGbY70sPGMxDfucnO6piVcuRfh9bWg1VX+MTjqpBQE1J0DKJanhoh6lKbPOJhRbi0TIoCz1a3btbbKLDq2YJl7FXA3QNdBsR4qVJ3xmgWlH/eTUskCE2YxDzHmkxgZN2mL22SfeUJYtDRswRG0UGc6pvg2xrR0iEDB0UbH4FQK46fWv8aiOejteLlAAyA9HNA8yi73rTEjq55wpO19/MYj+6oUGEHpFaJje77INTHAKpdbfkp8iKotNXFYLM2hsjyau+x/AFjg87kEdIUVVHHLVMDhOq6NO+foM0nFOIv4lr2Yjl15+ImMSTEfcBr+nWaomnb9G8i5ptqz9bMHbxAcHpzWUBH9SZhzrCWZNDzOm2X2K6mpXhg4WX7VJMoIJk/f+bxTTKnWBawdnpCdbdG5GYQh7usqjPuELFYRTsx+6Tqoddp4KIEyMMxO81XObiN5vEBg74ygunxrjKNg5FoOkUA79YvcGBVVU1FNRl3d8IslXFqhEOT35nxGBB0T7ZORii34tZ2E551NkIo1WbCwilD3Dlgw==
    ui-auth-token: AgDStP4jHhMehx/SAv5x2aQrJwChnWq8WhV/LVTSuuCSSy9kFQGa3Izyl21sMhLKUgrlS030GH50lbku+IY90S+MSBfaCq0Xb8qwohfH+qJulMRgljoU8r58/3ZsaBzbGJjiNMgBCwGlvuK85t3R3662ftwikahWqLfwAahi12L0llUDNyG9UB0Os3oR2CVAt83+YB07YspCWRzwuOz9D1SgOL/g/JF2hoL43pDD65BqYKdEuLFInJZx1Ul68V/FPmJK1gmJb/Kv8pgtk0sGTzxbbTdIQ1Ugf6+8//CWEq6GsMeEZG9VwExL/KYqobnbqd02FRgSSvWybhWLjiALLQvAFtce6FR6bur0rsariyogGjYCuXYdRnhf7QnB6NopwplhFP37Qf6E4q2pJTJ6Fzv0xq+XlfzNkn9Jvebrdkk/5CThW+wPAfx8r1VIySqBsYnPO/ZQDkfQ5ocX6fmzZ1iCg+0NI24k2YwCeMZtEAGpKEtejS0BLvqrilUG6Oz9sHCGHro4Bv5B/jzUjGbye0DSDj1f6c2RcpqMiUxfPvydJIcJGhrTx8sZS3qhEWME7kwjJCZpHEzfdv0weSJbgVGBSh9e1wjZxxeJGXuZKdFzdhpNEWP4uScGW0UnRDwxZzHMsLjS/W30mQmwmgJVTKdPl6VQrvdq7m4AC6+/d7iXlHazieC1KpBme4hWzO+/h7qRw1P5Va/ZWZtnGs8476J8hIojRtOJ/CdWwVLUa0gHo4CYnempIMwCIS3GtA==
  template:
    metadata:
      creationTimestamp: null
      name: dot-ai-secrets
      namespace: dot-ai