vault migration

Co-authored-by: Copilot <copilot@github.com>

.gitattributes

@@ -0,0 +1,2 @@
+# Force LF line endings for shell scripts
+*.sh text eol=lf

README.md

@@ -57,11 +57,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ### What's Inside
 
-- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Vault, Vault Secrets Operator, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
-- **Secrets**: Sealed Secrets for secure Git storage
+- **Secrets**: Vault Secrets Operator (VSO) syncs secrets from HashiCorp Vault to K8s
 
 ### Key Features
 
@@ -84,43 +84,51 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
+│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
-│   │   ├── kustomization.yaml
+│   │   ├── kustomization.yaml # Aggregates all component subdirectories
-│   │   ├── traefik-application.yaml
+│   │   ├── traefik-application/
-│   │   ├── keycloak.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── grafana.yaml
+│   │   │   └── traefik-application.yaml
-│   │   ├── gitea.yaml
+│   │   ├── keycloak/
-│   │   ├── gitea-actions.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── tempo.yaml
+│   │   │   └── keycloak.yaml
-│   │   ├── renovate.yaml
+│   │   ├── grafana/
-│   │   ├── ...                # All other Application manifests
+│   │   ├── prometheus/
-│   │   └── secrets.yaml
+│   │   ├── ...               # Each component in its own subdirectory
+│   │   └── secrets/
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
+│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
-│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
+│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
-│   │   ├── aws-dev/           # AWS EKS Dev
+│   │   ├── aks-dev/          # Azure AKS Dev — selective components only
-│   │   ├── aws-prod/         # AWS EKS Prod
+│   │   ├── aks-prod/         # Azure AKS Prod
-│   │   ├── azure-dev/        # Azure AKS Dev
+│   │   ├── eks-dev/           # AWS EKS Dev
-│   │   ├── azure-prod/       # Azure AKS Prod
+│   │   ├── eks-prod/         # AWS EKS Prod
-│   │   ├── gcp-dev/          # GCP GKE Dev
+│   │   ├── gke-dev/          # GCP GKE Dev
-│   │   └── gcp-prod/         # GCP GKE Prod
+│   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
 │       ├── base/              # Shared cloud-agnostic values
 │       ├── upc-dev/           # UpCloud Dev (storage, LB, pricing)
 │       ├── upc-prod/         # UpCloud Prod
-│       ├── aws-dev/           # AWS EKS Dev
+│       ├── eks-dev/           # AWS EKS Dev
-│       ├── aws-prod/         # AWS EKS Prod
+│       ├── eks-prod/         # AWS EKS Prod
-│       ├── azure-dev/        # Azure AKS Dev
+│       ├── aks-dev/        # Azure AKS Dev
-│       ├── azure-prod/       # Azure AKS Prod
+│       ├── aks-prod/       # Azure AKS Prod
-│       ├── gcp-dev/          # GCP GKE Dev
+│       ├── gke-dev/          # GCP GKE Dev
-│       └── gcp-prod/         # GCP GKE Prod
+│       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications
+├── apps/                      # Business Applications (Kustomize, same pattern as infra)
-│   ├── mcp10x.yaml
+│   ├── base/                  # One subdirectory per app
-│   ├── musicman.yaml
+│   │   ├── kustomization.yaml
-│   ├── dot-ai-stack.yaml
+│   │   ├── musicman/
-│   └── argo-mcp.yaml
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/              # Per-cluster: cherry-pick or include all
+│       ├── upc-dev/           # All apps
+│       ├── upc-prod/         # All apps + patches
+│       └── aks-dev/          # Selective apps only
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -179,7 +187,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
 2. Create `helm-prod-values/myapp/values.yaml` (configuration)
-3. Create sealed secrets if needed
+3. Write secrets to Vault and create VaultStaticSecret CRD if needed
 4. Commit and push - ArgoCD auto-syncs!
 
 ### Update an Existing Application
@@ -192,22 +200,18 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 
 ### Manage Secrets
 
-**See detailed guide**: [Developer Guide - Working with Secrets](docs/DEVELOPER-GUIDE.md#working-with-secrets)
+**See detailed guide**: [Vault Secrets Operator Reference](docs/vault-secrets-operator.md)
 
 ```bash
-# Create plain secret
+# 1. Write secret to Vault
-kubectl create secret generic myapp-creds \
+vault kv put kv/myapp/myapp-creds KEY=value
-  --from-literal=KEY=value \
-  --dry-run=client -o yaml > private/myapp-creds.yaml
 
-# Seal it
+# 2. Create VaultStaticSecret CRD (one-time, commit to git)
-kubeseal --format=yaml --cert=pub-cert.pem \
+# See docs/vault-secrets-operator.md for CRD template
-  < private/myapp-creds.yaml > secrets/myapp-creds-sealed.yaml
 
-# Commit sealed version
+# 3. Rotate secrets — no git commit needed!
-git add secrets/myapp-creds-sealed.yaml
+vault kv put kv/myapp/myapp-creds KEY=new-value
-git commit -m "Add myapp credentials"
+# VSO picks up changes within 30 seconds
-git push
 ```
 
 ### Enable Authentication
@@ -320,7 +324,7 @@ kubectl patch application myapp -n argocd \
 ## 🔐 Security
 
 ### Secret Management
-- ✅ Sealed Secrets for Git storage
+- ✅ Vault Secrets Operator (VSO) for secret management
 - ✅ Kyverno auto-clones secrets to namespaces
 - ❌ Never commit plain secrets
 
@@ -347,7 +351,8 @@ kubectl patch application myapp -n argocd \
 | **Traefik** | Ingress controller | `traefik` | 2 |
 | **Cert-Manager** | TLS certificates | `cert-manager` | 1 |
 | **Kyverno** | Policy engine | `kyverno` | 1 |
-| **Sealed Secrets** | Secret encryption | `kube-system` | 1 |
+| **Vault** | Secret storage | `vault` | 1 |
+| **Vault Secrets Operator** | Secret sync (Vault → K8s) | `vault-secrets-operator-system` | 1 |
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
@@ -355,7 +360,6 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
-| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
 
@@ -373,7 +377,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `aws-dev`, `aws-prod`, `azure-dev`, `azure-prod`, `gcp-dev`, `gcp-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 
 ### Multi-Source Pattern
 Applications reference both:
@@ -448,7 +452,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
 3. Create Helm values in `helm-prod-values/`
-4. Create sealed secrets if needed
+4. Write secrets to Vault and create VaultStaticSecret CRD if needed
 5. Commit and push - ArgoCD handles the rest!
 
 ### Modifying Infrastructure
@@ -492,7 +496,8 @@ Documentation lives in `docs/`. To update:
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
 - [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
-- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+- [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
+- [HashiCorp Vault](https://developer.hashicorp.com/vault/docs)
 
 ### Related Repositories
 - [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates

_app-of-apps-aks-dev.yaml

@@ -18,9 +18,9 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: infra/overlays/aws-dev
+    path: infra/overlays/aks-dev
   destination:
     server: https://kubernetes.default.svc
     namespace: default

_app-of-apps-aks-prod.yaml

@@ -18,9 +18,9 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: infra/overlays/azure-prod
+    path: infra/overlays/aks-prod
   destination:
     server: https://kubernetes.default.svc
     namespace: default

_app-of-apps-eks-dev.yaml

@@ -18,9 +18,9 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: infra/overlays/aws-prod
+    path: infra/overlays/eks-dev
   destination:
     server: https://kubernetes.default.svc
     namespace: default

_app-of-apps-eks-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-gcp-dev.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    targetRevision: HEAD
-    path: infra/overlays/gcp-dev
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-gcp-prod.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    targetRevision: HEAD
-    path: infra/overlays/gcp-prod
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps-gke-dev.yaml

@@ -18,9 +18,9 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: infra/overlays/azure-dev
+    path: infra/overlays/gke-dev
   destination:
     server: https://kubernetes.default.svc
     namespace: default

_app-of-apps-gke-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-upc-prod.yaml

@@ -18,7 +18,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     path: infra/overlays/upc-prod
   destination:

apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-mcp-credentials
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/argocd-mcp-credentials
+  destination:
+    name: argocd-mcp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/argo-mcp/auth-oidc-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: auth-oidc
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/auth-oidc
+  destination:
+    name: auth-oidc
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/argo-mcp/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- argo-mcp.yaml
+- vault-auth.yaml
+- auth-oidc-vault.yaml
+- argocd-mcp-credentials-vault.yaml
+# Removed: argocdmcp-auth-oidc-sealed.yaml, argocd-mcp-credentials.yaml (migrated to VSO)

apps/base/argo-mcp/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd-mcp
+  namespace: argocd-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd-mcp
+    serviceAccount: vault-auth-argocd-mcp
+    audiences:
+    - vault

apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: dot-ai-secrets
+  namespace: dot-ai
+spec:
+  type: kv-v2
+  mount: kv
+  path: dot-ai/dot-ai-secrets
+  destination:
+    name: dot-ai-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/dot-ai-stack/dot-ai-stack.yaml

@@ -37,7 +37,7 @@ spec:
       - $values/infra/values/base/dot-ai-stack-values.yaml
       - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
 
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     ref: values
 

apps/base/dot-ai-stack/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dot-ai-stack.yaml
+- vault-auth.yaml
+- dot-ai-secrets-vault.yaml
+# Removed: dot-ai-secrets.yaml (migrated to VSO)

apps/base/dot-ai-stack/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-dot-ai
+  namespace: dot-ai
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: dot-ai
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-dot-ai
+    serviceAccount: vault-auth-dot-ai
+    audiences:
+    - vault

apps/base/kustomization.yaml

@@ -1,7 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- dot-ai-stack.yaml
+- dot-ai-stack
-- mcp10x.yaml
+- mcp10x
-- musicman.yaml
+- musicman
-- argo-mcp.yaml
+- ts-mcp
+- argo-mcp

apps/base/mcp10x/app-credentials-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: app-credentials
+  namespace: mcp10x
+spec:
+  type: kv-v2
+  mount: kv
+  path: mcp10x/app-credentials
+  destination:
+    name: app-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/mcp10x/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- mcp10x.yaml
+- vault-auth.yaml
+- app-credentials-vault.yaml
+# Removed: forte10x-app-credentials-sealed.yaml (migrated to VSO)

apps/base/mcp10x/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-mcp10x
+  namespace: mcp10x
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: mcp10x
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-mcp10x
+    serviceAccount: vault-auth-mcp10x
+    audiences:
+    - vault

apps/base/musicman/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- musicman.yaml
+- vault-auth.yaml
+- musicman-credentials-vault.yaml
+# Removed: musicman-credentials.yaml (migrated to VSO)

apps/base/musicman/musicman-credentials-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: musicman-credentials
+  namespace: music-man
+spec:
+  type: kv-v2
+  mount: kv
+  path: music-man/musicman-credentials
+  destination:
+    name: musicman-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/musicman/musicman-credentials.yaml

@@ -4,6 +4,8 @@ metadata:
   creationTimestamp: null
   name: musicman-credentials
   namespace: music-man
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
 spec:
   encryptedData:
     DATABASE_URL: AgBGLu8Rw9z9WMo3uX7fezN7tOVlEsmWtikFlyBxuSuQ1dCv6KTCePkwxJx4LuKvaHXlwdWl5yP8wQxMJP0BNJ1wewFb9zeUkP1YuCz4MrfuXq1zrecIr86R5hNbPiOb66e/4oOTCY/z3QREX9WjZdLJV/PCyBz8MP0D51pgWXpM6CBdhwpFbHSALyJk89+q44c9KkRxAUG2OLnesMeRe9nXJt5ariUCl9Qd2POIjx2hSNII1l0KbTcjI9hCf91DYM6poqKYYQUpnrjKv3LJwWS79I2b56+iTtroH3usIRgaiwgtFt2INm+8gwLBmC4xxKJ5VAjjYB/3dcN9XeboXvj0NB05P9jS3e77imUFANIB9coeaNlcvRWxwGCewYMp8+7RT7jPVA41/+aT/zT74tq9WhkKvgrr1It9/5fRnXtFEkhZg5bBcYCChzooarHkiwKlA3Wo0CrFsDPqy89oZrnwMRnVqKWBf79koZV4l7uCA0do9ojf55lTy8mt3mKQkwfqK9UdzZNbYzH0/Fk6gxlSxANOOqe7kt6VPywYUBnh6JS5U+kdTgNeSrFy/xqLFz28fXuikSJvLEouSFu66MeT+6uvYEmdfdLeh7quW/n+p7QTok3v3kRYJ/1Dl8ZtgvM7e8F/J5bLcacj394AJ/bBt+RIDa+XBjNNPrWKcWt/mkudZ25F/84G+hNxYQv7PIbhYfA1JTuHmQSoF+xah5QhKpyNpI3+knJmJj/4MhPKLnTuebg0xfbPevm2CU9fSa4sPIqmSvSGtqlXODvCfDSFEYzWfyfXV5Tys1NGAt04V8fl9A9UxULUm510NCeD0jzFeeYm3ZJiyavA5xF6hXCHoqLE

apps/base/musicman/musicman.yaml

@@ -36,13 +36,8 @@ spec:
     automated:
       prune: true
       selfHeal: true
-      allowEmpty: false
-
     syncOptions:
     - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=false
-    - Replace=false
     retry:
       limit: 5
       backoff:

apps/base/musicman/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-music-man
+  namespace: music-man
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: music-man
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-music-man
+    serviceAccount: vault-auth-music-man
+    audiences:
+    - vault

apps/base/ts-mcp/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ts-mcp.yaml
+- vault-auth.yaml
+- ts-mcp-secrets-vault.yaml
+# Removed: ts-mcp-secrets-sealed.yaml (migrated to VSO)

apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  encryptedData:
+    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
+  template:
+    metadata:
+      name: ts-mcp-secrets
+      namespace: ts-mcp

apps/base/ts-mcp/ts-mcp-secrets-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: ts-mcp/ts-mcp-secrets
+  destination:
+    name: ts-mcp-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

apps/base/ts-mcp/ts-mcp.yaml

@@ -1,27 +1,37 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: secrets
+  name: ts-mcp
   namespace: argocd
   annotations:
-    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-wave: "11"
     notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
     notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
     notifications.argoproj.io/subscribe.on-degraded.slack: ""
   labels:
-    app.kubernetes.io/name: secrets
+    app.kubernetes.io/name: ts-mcp
-    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/part-of: apps
     app.kubernetes.io/managed-by: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
-  source:
+  sources:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: secrets/upc-dev
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/ts-mcp/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
   destination:
     server: https://kubernetes.default.svc
-    namespace: secrets
+    namespace: ts-mcp
+
   syncPolicy:
     automated:
       prune: true

apps/base/ts-mcp/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-ts-mcp
+  namespace: ts-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: ts-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-ts-mcp
+    serviceAccount: vault-auth-ts-mcp
+    audiences:
+    - vault

apps/overlays/aks-dev/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/musicman

apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dbunk-demo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: dbunk-demo
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/dbunk-demo/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dbunk-demo
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

apps/overlays/upc-dev/dbunk-demo/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dbunk-demo.yaml

apps/overlays/upc-dev/feedback/feedback.yaml

@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: feedback
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: feedback
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/feedback/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: feedback
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

apps/overlays/upc-dev/feedback/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- feedback.yaml

apps/overlays/upc-dev/kustomization.yaml

@@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- dbunk-demo
+- feedback
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

bootstrap.sh

@@ -1,8 +1,9 @@
 #!/bin/zsh
+
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
 
 echo "running $0 for cluster: ${CLUSTER}..."
 
@@ -17,7 +18,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
     ArgoCd
-#    Gitea
+    Gitea
 }
 
 
@@ -27,8 +28,8 @@ Bootstrap()
 Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
-    kubectl apply -f private/main.key
+    kubectl apply -f "private/${CLUSTER}/main.key"
 }
 
 ############################################################
@@ -36,10 +37,15 @@ Gitea()
 ############################################################
 ArgoCd()
 {
+    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
+    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
+    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
+
     # install argocd
     echo "Installing ArgoCD..."
     helm upgrade --install argocd argo-cd \
             --repo https://argoproj.github.io/argo-helm \
+            --version "7.8.0" \
             --namespace argocd --create-namespace \
             --values infra/values/base/argocd-values.yaml \
             --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -49,4 +55,4 @@ ArgoCd()
     kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
 
-# Bootstrap
+Bootstrap

cluster-resources/argocd-notifications-secret-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-notifications-secret
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/argocd-notifications-secret
+  destination:
+    name: argocd-notifications-secret
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/argocd-oidc-secret-sync.yaml

@@ -0,0 +1,83 @@
+# CronJob: syncs OIDC client secret from registrar-managed
+# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
+# Runs every 2 min. No-ops if source secret doesn't exist yet
+# (safe for fresh deploys before Keycloak is up).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-oidc-sync
+subjects:
+- kind: ServiceAccount
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+spec:
+  schedule: "*/2 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: argocd-oidc-sync
+          restartPolicy: Never
+          containers:
+          - name: sync
+            image: bitnami/kubectl:latest
+            command: ["/bin/sh", "-c"]
+            args:
+            - |
+              set -e
+
+              # Exit gracefully if source secret doesn't exist yet
+              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
+                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
+                exit 0
+              fi
+
+              # Read current OIDC client secret
+              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
+                -o jsonpath='{.data.client-secret}' | base64 -d)
+
+              # Read current value in argocd-secret (if any)
+              CURRENT=$(kubectl get secret argocd-secret -n argocd \
+                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
+
+              # Only patch if changed
+              if [ "$NEW_SECRET" = "$CURRENT" ]; then
+                echo "oidc.clientSecret already up to date"
+                exit 0
+              fi
+
+              kubectl patch secret argocd-secret -n argocd --type merge \
+                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
+              echo "Patched argocd-secret with oidc.clientSecret"

cluster-resources/argocd-repo-server-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-repo-server-config
+  namespace: argocd
+data:
+  # Disable git submodule checkout - submodules (e.g. shared-prompts)
+  # are not needed for K8s manifest generation
+  ARGOCD_GIT_MODULES_ENABLED: "false"

cluster-resources/forte-helm-repo-vault.yaml

@@ -0,0 +1,16 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: forte-helm-repo
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/forte-helm-repo
+  destination:
+    name: forte-helm-repo
+    create: true
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/forte10x-repo-credentials-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: forte10x-repo-creds
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/forte10x-repo-creds
+  destination:
+    name: forte10x-repo-creds
+    create: true
+    type: Opaque
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/mcp10x-repo-credentials-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: mcp10x-repo-creds
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/mcp10x-repo-creds
+  destination:
+    name: mcp10x-repo-creds
+    create: true
+    type: Opaque
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

cluster-resources/policies/auth-sidecar-injector.yaml

@@ -245,6 +245,12 @@ spec:
                 secretKeyRef:
                   name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                   key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
+            - name: AUTH_OIDC_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
+            - name: AUTH_OIDC_BROKER_ALIAS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
+            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
             resources:
               limits:
                 cpu: 50m
@@ -324,6 +330,8 @@ spec:
               value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
             - name: AUTH_MCP_SCOPES_SUPPORTED
               value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
+            - name: AUTH_MCP_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
             resources:
               limits:
                 cpu: 50m

cluster-resources/policies/label-checker.yaml

@@ -26,7 +26,6 @@ spec:
           - monitoring
           - secrets
           - kyverno
-          - trivy-system
     match:
       any:
       - resources:

cluster-resources/policies/secret-cloner.yaml

@@ -16,7 +16,6 @@ spec:
       - resources:
           namespaces:
           - kube-system
-          - trivy-system
           - monitoring
           - argocd
           - cert-manager

cluster-resources/vault-auth-argocd.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd
+  namespace: argocd
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd
+    serviceAccount: vault-auth-argocd
+    audiences:
+    - vault

clusters/aks-dev.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure # → determines overlay directory and cloud-specific LB/storage annotations

clusters/aks-prod.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations

clusters/aws-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-eks                  # <- adjust to your EKS cluster name
-domain: example.com                   # <- adjust to your domain
-argocdDomain: argocd.example.com
-grafanaDomain: grafana.example.com
-keycloakDomain: id.example.com
-dotaiDomain: kubemcp.example.com
-dotaiUiDomain: kubemcpui.example.com
-letsencryptEmail: admin@example.com   # <- adjust
-trustedIPs: "10.0.0.0/8"             # <- adjust to your VPC CIDR
-cloudProvider: aws

clusters/aws-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: prod-eks                 # <- adjust to your EKS cluster name
-domain: example.com                   # <- adjust to your domain
-argocdDomain: argocd.example.com
-grafanaDomain: grafana.example.com
-keycloakDomain: id.example.com
-dotaiDomain: kubemcp.example.com
-dotaiUiDomain: kubemcpui.example.com
-letsencryptEmail: admin@example.com   # <- adjust
-trustedIPs: "10.0.0.0/8"             # <- adjust to your VPC CIDR
-cloudProvider: aws

clusters/azure-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-aks                  # <- adjust to your AKS cluster name
-domain: example.com                   # <- adjust to your domain
-argocdDomain: argocd.example.com
-grafanaDomain: grafana.example.com
-keycloakDomain: id.example.com
-dotaiDomain: kubemcp.example.com
-dotaiUiDomain: kubemcpui.example.com
-letsencryptEmail: admin@example.com   # <- adjust
-trustedIPs: "10.0.0.0/8,168.63.129.16/32"  # <- VNet CIDR + Azure health probe
-cloudProvider: azure

clusters/azure-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: prod-aks                 # <- adjust to your AKS cluster name
-domain: example.com                   # <- adjust to your domain
-argocdDomain: argocd.example.com
-grafanaDomain: grafana.example.com
-keycloakDomain: id.example.com
-dotaiDomain: kubemcp.example.com
-dotaiUiDomain: kubemcpui.example.com
-letsencryptEmail: admin@example.com   # <- adjust
-trustedIPs: "10.0.0.0/8,168.63.129.16/32"  # <- VNet CIDR + Azure health probe
-cloudProvider: azure

clusters/eks-dev.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/eks-prod.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/gcp-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-gke                  # <- adjust to your GKE cluster name
-domain: example.com                   # <- adjust to your domain
-argocdDomain: argocd.example.com
-grafanaDomain: grafana.example.com
-keycloakDomain: id.example.com
-dotaiDomain: kubemcp.example.com
-dotaiUiDomain: kubemcpui.example.com
-letsencryptEmail: admin@example.com   # <- adjust
-trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"  # <- subnet CIDR + GCP health checks
-cloudProvider: gcp

clusters/gcp-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: prod-gke                 # <- adjust to your GKE cluster name
-domain: example.com                   # <- adjust to your domain
-argocdDomain: argocd.example.com
-grafanaDomain: grafana.example.com
-keycloakDomain: id.example.com
-dotaiDomain: kubemcp.example.com
-dotaiUiDomain: kubemcpui.example.com
-letsencryptEmail: admin@example.com   # <- adjust
-trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"  # <- subnet CIDR + GCP health checks
-cloudProvider: gcp

clusters/gke-dev.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/gke-prod.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/upc-dev.yaml

@@ -1,10 +1,12 @@
-clusterName: dev-fd-no-svg1
+# Cluster config reference — values must match the corresponding overlay files.
-domain: forteapps.net
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-argocdDomain: argocd.127.0.0.1.nip.io
+clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
-grafanaDomain: grafana.forteapps.net
+domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-keycloakDomain: id.forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
-dotaiDomain: kubemcp.forteapps.net
+grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
-dotaiUiDomain: kubemcpui.forteapps.net
+keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
-letsencryptEmail: danijels@gmail.com
+dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-trustedIPs: "172.16.1.0/24"
+dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-cloudProvider: upcloud
+letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

clusters/upc-prod.yaml

@@ -1,10 +1,12 @@
-clusterName: prod-fd-no-svg1
+# Cluster config reference — values must match the corresponding overlay files.
-domain: fortedigital.com
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-argocdDomain: argocd.127.0.0.1.nip.io
+clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
-grafanaDomain: grafana.fortedigital.com
+domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-keycloakDomain: id.fortedigital.com
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
-dotaiDomain: kubemcp.fortedigital.com
+grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
-dotaiUiDomain: kubemcpui.fortedigital.com
+keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
-letsencryptEmail: danijel.simeunovic@fortedigital.com
+dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-trustedIPs: "172.16.1.0/24"
+dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-cloudProvider: upcloud
+letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

devbox.json

@@ -0,0 +1,32 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
+  "packages": [
+    "kubectl@1.33.2",
+    "kubernetes-helm@3.18.4",
+    "k9s@0.50.7",
+    "kubeseal@0.30.0",
+    "argocd@2.14.11",
+    "kubecm@0.33.1",
+    "kubectl-tree@0.4.3",
+    "kind@0.29.0",
+    "kustomize@5.7.0",
+    "kyverno@1.14.3",
+    "syft@1.29.0",
+    "grype@0.92.2",
+    "traefik@3.6.7",
+    "claude-code@latest",
+    "go@latest",
+    "dotnet-sdk@latest",
+    "opentofu@1.11.6"
+  ],
+  "shell": {
+    "init_hook": [
+      "echo 'Welcome to devbox!' > /dev/null"
+    ],
+    "scripts": {
+      "test": [
+        "echo \"Error: no test specified\" && exit 1"
+      ]
+    }
+  }
+}

docs/DEVELOPER-GUIDE.md

@@ -60,18 +60,16 @@ If you do need cluster access, install:
    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    ```
 
-2. **kubeseal** - For sealing secrets
+2. **vault** CLI - For managing secrets in HashiCorp Vault
    ```bash
    # macOS
-   brew install kubeseal
+   brew install hashicorp/tap/vault
 
    # Windows
-   choco install kubeseal
+   choco install vault
 
    # Linux
-   wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
+   # See https://developer.hashicorp.com/vault/install
-   tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
-   sudo mv kubeseal /usr/local/bin/
    ```
 
 3. **Git** - Version control
@@ -634,125 +632,100 @@ git push
 
 ### Understanding Secret Management
 
-**NEVER commit plain secrets to Git.** We use **Sealed Secrets** to encrypt secrets before committing.
+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
+**NEVER commit plain secret values to Git.** Only VaultStaticSecret CRD manifests are committed.
 
 ### Creating a New Secret
 
-#### Step 1: Create Plain Secret Locally
+#### Step 1: Write Secret to Vault
 
 ```bash
-cd ~/dev/k8s/launchpad
+vault kv put kv/myapp/myapp-credentials \
-
+  API_KEY=your-secret-key-here \
-# Create secret in private/ folder (Git-ignored)
+  DB_PASSWORD=super-secret-password
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=your-secret-key-here \
-  --from-literal=DB_PASSWORD=super-secret-password \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
 ```
 
-**DO NOT commit this file!** It's in `private/` which is Git-ignored.
+#### Step 2: Create VaultStaticSecret CRD
 
-#### Step 2: Seal the Secret
+Create a YAML file (e.g., `apps/base/myapp/myapp-credentials-vault.yaml`):
 
-Get the public certificate (one-time setup):
+```yaml
-
+apiVersion: secrets.hashicorp.com/v1beta1
-```bash
+kind: VaultStaticSecret
-# Fetch public cert from cluster
+metadata:
-kubeseal --fetch-cert \
+  name: myapp-credentials
-  --controller-name=sealed-secrets-controller \
+  namespace: myapp
-  --controller-namespace=kube-system \
+spec:
-  > pub-cert.pem
+  type: kv-v2
+  mount: kv
+  path: myapp/myapp-credentials
+  destination:
+    name: myapp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
 ```
 
-Seal your secret:
+#### Step 3: Add VaultAuth (if new namespace)
+
+If this is a new namespace, also create a `vault-auth.yaml` with a ServiceAccount and VaultAuth CRD. See [VSO Reference](vault-secrets-operator.md#vaultauth) for template.
+
+#### Step 4: Commit and Push
 
 ```bash
-kubeseal --format=yaml \
+git add apps/base/myapp/myapp-credentials-vault.yaml
-  --cert=pub-cert.pem \
+git commit -m "Add myapp credentials (VSO)"
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-```
-
-#### Step 3: Commit Sealed Secret
-
-```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials (sealed)"
 git push
 ```
 
-#### Step 4: Reference Secret in Application
+ArgoCD syncs the CRD, VSO creates the K8s Secret.
+
+#### Step 5: Reference Secret in Application
 
 Update your `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
-  envSecretName: "myapp-credentials"  # References the SealedSecret
+  envSecretName: "myapp-credentials"  # VSO creates this K8s Secret
 ```
 
-Commit and push:
+### Updating / Rotating a Secret
+
+**No git commit needed** — just update in Vault:
+
 ```bash
-cd ~/dev/k8s/helm-prod-values
+vault kv put kv/myapp/myapp-credentials \
-git add myapp/values.yaml
+  API_KEY=new-key-here \
-git commit -m "Reference myapp credentials"
+  DB_PASSWORD=new-password
-git push
 ```
 
-### Updating a Secret
+VSO picks up changes within 30 seconds. Restart pods if they don't watch for secret updates:
-
-To update an existing secret:
 
 ```bash
-# 1. Create new version of secret
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=new-key-here \
-  --from-literal=DB_PASSWORD=new-password \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# 2. Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit sealed version
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```
 
 ### Secret Best Practices
 
-✅ **DO**:
+- Write secrets to Vault via UI or CLI — never commit values to Git
-- Store secrets in `private/` folder locally
+- Use meaningful secret names matching the KV path convention: `kv/{namespace}/{secret-name}`
-- Always seal secrets before committing
-- Delete plain secrets after sealing
-- Use meaningful secret names
 - Document what each secret contains
-
+- Use Vault's versioning for audit trail
-❌ **DON'T**:
-- Commit plain secrets to Git
-- Share secrets via Slack/email
-- Hard-code secrets in code
-- Use the same secret across multiple environments
-- Store secrets in Docker images
 
 ### Where Secrets Are Stored
 
 ```
-┌─────────────────────────────────────────────────────────────┐
+┌──────────────────────────────────────────────────────────────────┐
-│  Location                │  Content           │  Committed?│
+│  Location                  │  Content                │  In Git? │
-├──────────────────────────┼────────────────────┼────────────┤
+├────────────────────────────┼─────────────────────────┼──────────┤
-│  private/                │  Plain secrets     │  ❌ NO      │
+│  Vault KV (kv/{ns}/{name}) │  Secret values          │  ❌ NO   │
-│  secrets/                │  Sealed secrets    │  ✅ YES     │
+│  VaultStaticSecret CRD     │  Sync config (no values)│  ✅ YES  │
-│  Kubernetes cluster      │  Unsealed secrets  │  N/A       │
+│  Kubernetes cluster        │  K8s Secret (synced)    │  N/A     │
-└─────────────────────────────────────────────────────────────┘
+└──────────────────────────────────────────────────────────────────┘
 ```
 
-**Sealed Secrets Controller** in the cluster decrypts sealed secrets automatically.
+**Vault Secrets Operator** syncs secrets from Vault to K8s automatically (30s refresh).
 
 ---
 
@@ -886,28 +859,13 @@ In your identity provider (e.g., Keycloak):
 #### Step 2: Create OIDC Secret
 
 ```bash
-# Create plain secret
+# Write OIDC secret to Vault
-kubectl create secret generic auth-oidc \
+vault kv put kv/myapp/auth-oidc \
-  --from-literal=client-secret=your-oidc-client-secret \
+  client-secret=your-oidc-client-secret \
-  --from-literal=cookie-secret=$(openssl rand -hex 32) \
+  cookie-secret=$(openssl rand -hex 32)
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
 
-# Seal it
+# Create VaultStaticSecret CRD (see docs/vault-secrets-operator.md for template)
-kubeseal --format=yaml \
+# Add to apps/base/myapp/auth-oidc-vault.yaml and commit
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit sealed secret
-cd ~/dev/k8s/launchpad
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
 ```
 
 #### Step 3: Configure Helm Values
@@ -962,6 +920,46 @@ User sees application (authenticated)
 
 ---
 
+### Accessing Authenticated User Information
+
+The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
+
+After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
+
+| Header | Description | Available in |
+|--------|-------------|-------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+**Your application reads these headers — no auth library needed:**
+
+```javascript
+// Express.js example
+app.get('/profile', (req, res) => {
+  const user = req.headers['x-auth-user'];
+  const email = req.headers['x-auth-email'];
+  res.json({ user, email });
+});
+```
+
+```python
+# Flask example
+@app.route('/profile')
+def profile():
+    user = request.headers.get('X-Auth-User')
+    email = request.headers.get('X-Auth-Email')
+    return jsonify(user=user, email=email)
+```
+
+**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
+
+**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
+
+---
+
 ### Authentication Configuration Reference
 
 #### Helm Values Schema
@@ -1097,16 +1095,13 @@ ingress:
   host: web-app.forteapps.net
 ```
 
-**With sealed OIDC secret**:
+**With Vault OIDC secret**:
 ```bash
-# Create and seal secret
+# Write OIDC secret to Vault
-kubectl create secret generic auth-oidc \
+vault kv put kv/web-app/auth-oidc \
-  --from-literal=client-secret=super-secret-value \
+  client-secret=super-secret-value \
-  --from-literal=cookie-secret=$(openssl rand -hex 32) \
+  cookie-secret=$(openssl rand -hex 32)
-  --namespace=web-app \
+# Then create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=web-app \
-  > secrets/web-app-auth-oidc-sealed.yaml
 ```
 
 #### Example 3: MCP Server with OAuth 2.0
@@ -1234,7 +1229,7 @@ kubectl logs -n myapp <pod-name> -c authn
 - Use token auth for service-to-service communication
 - Rotate tokens and secrets regularly
 - Use strong random tokens (32+ bytes)
-- Store client secrets in SealedSecrets
+- Store client secrets in Vault
 - Test authentication before deploying to production
 - Document which tokens/users have access
 
@@ -1538,22 +1533,22 @@ curl http://localhost:8080
 
 #### Problem: Secret not found
 
-**Check if SealedSecret exists:**
+**Check VSO sync status:**
 ```bash
-kubectl get sealedsecret -n myapp
+kubectl get vaultstaticsecret -n myapp
 kubectl get secret -n myapp
 ```
 
 **Solutions:**
 ```bash
-# Check if secret is in Git
+# Check VaultAuth is authenticated
-ls -l secrets/myapp-credentials-sealed.yaml
+kubectl get vaultauth -n myapp
 
-# Re-apply sealed secret
+# Check VaultStaticSecret events
-kubectl apply -f secrets/myapp-credentials-sealed.yaml
+kubectl describe vaultstaticsecret myapp-credentials -n myapp
 
-# Check sealed-secrets-controller logs
+# Verify secret exists in Vault
-kubectl logs -n kube-system deployment/sealed-secrets-controller
+vault kv get kv/myapp/myapp-credentials
 ```
 
 #### Problem: Secret exists but pods can't access it
@@ -1664,7 +1659,7 @@ If you're stuck:
 ### Secret Management
 
 ✅ **DO**:
-- Use kubeseal for all secrets
+- Use Vault for all secrets (see docs/vault-secrets-operator.md)
 - Store plain secrets in password manager
 - Rotate secrets regularly
 - Use different secrets per environment
@@ -1716,16 +1711,9 @@ kubectl rollout restart deployment myapp -n myapp
 # Port-forward to service
 kubectl port-forward -n myapp service/myapp 8080:3000
 
-# Create secret
+# Write secret to Vault
-kubectl create secret generic myapp-credentials \
+vault kv put kv/myapp/myapp-credentials KEY=value
-  --from-literal=KEY=value \
+# Create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Seal secret
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
 ```
 
 ### Repository Locations

docs/GITOPS-ARCHITECTURE.md

@@ -120,42 +120,47 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   ├── base/                         # Base Application manifests (one dir per component)
-│   │   ├── kustomization.yaml
+│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
-│   │   ├── traefik-application.yaml
+│   │   ├── traefik-application/
-│   │   ├── keycloak.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── grafana.yaml
+│   │   │   └── traefik-application.yaml
-│   │   ├── gitea.yaml
+│   │   ├── keycloak/
-│   │   ├── gitea-actions.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── tempo.yaml
+│   │   │   └── keycloak.yaml
-│   │   ├── renovate.yaml
+│   │   ├── grafana/
-│   │   ├── ...                       # All other Application manifests
+│   │   ├── prometheus/
-│   │   └── secrets.yaml
+│   │   ├── ...                       # Each component in its own subdirectory
+│   │   └── secrets/
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
-│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   ├── upc-prod/                # UpCloud Prod — all + patches
-│   │   ├── aws-dev/                  # AWS EKS Dev
+│   │   ├── aks-dev/                 # Azure AKS Dev — selective components
-│   │   ├── aws-prod/                # AWS EKS Prod
+│   │   ├── aks-prod/               # Azure AKS Prod
-│   │   ├── azure-dev/               # Azure AKS Dev
+│   │   ├── eks-dev/                  # AWS EKS Dev
-│   │   ├── azure-prod/              # Azure AKS Prod
+│   │   ├── eks-prod/                # AWS EKS Prod
-│   │   ├── gcp-dev/                 # GCP GKE Dev
+│   │   ├── gke-dev/                 # GCP GKE Dev
-│   │   └── gcp-prod/               # GCP GKE Prod
+│   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
 │       ├── base/                     # Cloud-agnostic shared values
 │       ├── upc-{dev,prod}/           # UpCloud: storage class, LB, pricing
 │       ├── aws-{dev,prod}/           # AWS: gp3, NLB, CUR pricing
-│       ├── azure-{dev,prod}/         # Azure: managed-csi-premium, Standard LB
+│       ├── aks-{dev,prod}/         # Azure: managed-csi-premium, Standard LB
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # Base app manifests
+│   ├── base/                         # One subdirectory per app
 │   │   ├── kustomization.yaml
-│   │   ├── dot-ai-stack.yaml
+│   │   ├── musicman/
-│   │   └── ...
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
 │   └── overlays/
-│       ├── upc-dev/                  # Uses base as-is
+│       ├── upc-dev/                  # All apps (resources: ../../base)
-│       └── upc-prod/                # Patches value paths
+│       ├── upc-prod/                # All apps + patches
+│       └── aks-dev/                 # Selective apps only
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -171,6 +176,8 @@ launchpad/
 
 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
+- Each component in `base/` has its own subdirectory with a `kustomization.yaml`
+- Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -283,7 +290,7 @@ app-repository/
 ### The App-of-Apps Pattern
 
 ```
-_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, aws-prod, gcp-dev)
+_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, eks-prod, gke-dev)
     │
     ├── infrastructure-apps (manages infra/)
     │   ├── cluster-resources-application
@@ -353,16 +360,30 @@ spec:
 
 ### Multi-Cluster Pattern
 
-Kustomize overlays enable deploying the same Applications across clusters with different configurations:
+Kustomize overlays enable deploying the same Applications across clusters with different configurations.
+
+Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
 
 ```yaml
-# infra/base/ contains default (upc-dev) Applications
+# Option 1: Include ALL components (full cluster)
-# Helm values are layered: base + cluster-specific
+# infra/overlays/upc-dev/kustomization.yaml
-valueFiles:
+resources:
-- $values/infra/values/base/traefik-values.yaml    # Shared config
+- ../../base                    # Pulls in every component subdirectory
-- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
 
-# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
+# Option 2: Cherry-pick specific components (lightweight cluster)
+# infra/overlays/aks-dev/kustomization.yaml
+resources:
+- ../../base/traefik-application
+- ../../base/grafana
+- ../../base/prometheus
+- ../../base/loki
+# Only listed components are deployed — others are excluded
+```
+
+Per-cluster patches swap Helm value file paths:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
 patches:
 - target:
     kind: Application

docs/OPERATIONS-RUNBOOK.md

@@ -55,8 +55,8 @@ git clone https://git.forteapps.net/Forte/launchpad
 cd launchpad
 
 # 2. Run bootstrap script with cluster target
-# Available clusters: upc-dev, upc-prod, aws-dev, aws-prod,
+# Available clusters: upc-dev, upc-prod, eks-dev, eks-prod,
-#                     azure-dev, azure-prod, gcp-dev, gcp-prod
+#                     aks-dev, aks-prod, gke-dev, gke-prod
 ./bootstrap.sh upc-dev
 
 # Cluster config is loaded from clusters/<cluster>.yaml
@@ -188,13 +188,15 @@ Save the following file in private/ (gitignored) folder as secret.yaml
       <paste your private key here>
     project: default
 ```
-Seal the secret using `kubeseal` command 
+Write the secret to Vault:
 ```bash
-kubeseal --format=yaml \
+vault kv put kv/argocd/forte-helm-repo \
-  --namespace=argocd \
+  type=git \
-  < private/secret.yaml \
+  url=ssh://git@git.forteapps.net:2222/Forte/forte-helm.git \
-  > secrets/forte-helm-repo-secret-sealed.yaml
+  sshPrivateKey="$(cat private/ssh-key)" \
+  project=default
 ```
+Then create a VaultStaticSecret CRD with `argocd.argoproj.io/secret-type: repository` label.
 
 **Step 4: Register Repository in ArgoCD**
 
@@ -499,7 +501,7 @@ See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for d
 **Quick checklist:**
 - [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
-- [ ] Create SealedSecret if needed
+- [ ] Write secrets to Vault and create VaultStaticSecret CRD if needed
 - [ ] Commit and push changes
 - [ ] Verify sync in Slack/ArgoCD
 - [ ] Configure DNS for domain
@@ -670,92 +672,61 @@ db:
 
 ## Secret Management
 
+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
 ### Creating Secrets
 
-#### Step 1: Get Public Certificate
+#### Step 1: Write to Vault
 
 ```bash
-# Fetch sealed-secrets public cert (one-time)
+# From literal values
-kubeseal --fetch-cert \
+vault kv put kv/myapp/myapp-credentials \
-  --controller-name=sealed-secrets-controller \
+  API_KEY=secret123 \
-  --controller-namespace=kube-system \
+  DB_PASSWORD=pass456
-  > pub-cert.pem
-
-# Save this certificate for future use
 ```
 
-#### Step 2: Create Plain Secret
+#### Step 2: Create VaultStaticSecret CRD
 
-```bash
+```yaml
-# Method 1: From literal values
+# apps/base/myapp/myapp-credentials-vault.yaml
-kubectl create secret generic myapp-credentials \
+apiVersion: secrets.hashicorp.com/v1beta1
-  --from-literal=API_KEY=secret123 \
+kind: VaultStaticSecret
-  --from-literal=DB_PASSWORD=pass456 \
+metadata:
-  --namespace=myapp \
+  name: myapp-credentials
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+  namespace: myapp
-
+spec:
-# Method 2: From file
+  type: kv-v2
-kubectl create secret generic myapp-credentials \
+  mount: kv
-  --from-file=.env \
+  path: myapp/myapp-credentials
-  --namespace=myapp \
+  destination:
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+    name: myapp-credentials
-
+    create: true
-# Method 3: From multiple files
+  refreshAfter: 30s
-kubectl create secret generic myapp-credentials \
+  vaultAuthRef: vault-auth
-  --from-file=api-key.txt \
-  --from-file=db-password.txt \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
 ```
 
-#### Step 3: Seal Secret
+#### Step 3: Commit CRD
 
 ```bash
-kubeseal --format=yaml \
+git add apps/base/myapp/myapp-credentials-vault.yaml
-  --cert=pub-cert.pem \
+git commit -m "Add myapp credentials (VSO)"
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-```
-
-#### Step 4: Commit Sealed Secret
-
-```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials"
 git push
-
-# Delete plain secret
-rm private/myapp-credentials.yaml
 ```
 
-### Updating Secrets
+ArgoCD syncs the CRD, VSO creates the K8s Secret automatically.
+
+### Updating / Rotating Secrets
+
+**No git commit needed** — just update in Vault:
 
 ```bash
-# 1. Create new version
+vault kv put kv/myapp/myapp-credentials \
-kubectl create secret generic myapp-credentials \
+  API_KEY=new-secret-key \
-  --from-literal=API_KEY=new-secret-key \
+  DB_PASSWORD=new-password
-  --from-literal=DB_PASSWORD=new-password \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
 
-# 2. Seal it
+# VSO picks up changes within 30 seconds
-kubeseal --format=yaml \
+# Restart pods if needed
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
-
-# 5. Delete plain secret
-rm private/myapp-credentials.yaml
 ```
 
 ### Viewing Secrets (Unsealed)
@@ -832,30 +803,13 @@ OIDC auth requires an `auth-oidc` Secret with two keys:
 CLIENT_SECRET="your-oidc-client-secret-from-provider"
 COOKIE_SECRET=$(openssl rand -hex 32)
 
-# Create plain secret
+# Write to Vault
-kubectl create secret generic auth-oidc \
+vault kv put kv/myapp/auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
+  client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$COOKIE_SECRET \
+  cookie-secret=$COOKIE_SECRET
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
 
-# Seal it
+# Create VaultStaticSecret CRD (one-time) and commit
-kubeseal --format=yaml \
+# See docs/vault-secrets-operator.md for CRD template
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Apply sealed secret
-kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit to Git
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
 ```
 
 #### Rotating Authentication Secrets
@@ -882,16 +836,12 @@ kubectl rollout restart deployment myapp -n myapp
 # Rotate cookie secret (safe - invalidates existing sessions)
 NEW_COOKIE_SECRET=$(openssl rand -hex 32)
 
-# Recreate secret
+# Update in Vault — no git commit needed
-kubectl create secret generic auth-oidc \
+vault kv put kv/myapp/auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
+  client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
+  cookie-secret=$NEW_COOKIE_SECRET
-  --namespace=myapp \
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
-  kubectl apply -f -
 
-# Restart to pick up new secret
+# VSO picks up within 30s. Restart pods to use new secret:
 kubectl rollout restart deployment myapp -n myapp
 ```
 
@@ -1276,9 +1226,9 @@ spec:
 - ❌ Other persistent volumes (Prometheus, Loki, Tempo data)
 
 **Per-cloud backup scripts** (manual restore helpers):
-- UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-aws.sh` (MinIO CLI, S3-compatible)
+- UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-eks.sh` (MinIO CLI, S3-compatible)
-- Azure: `scripts/gitea-backup-azure.sh` (Azure CLI + Blob Storage)
+- Azure: `scripts/gitea-backup-aks.sh` (Azure CLI + Blob Storage)
-- GCP: `scripts/gitea-backup-gcp.sh` (gsutil + GCS)
+- GCP: `scripts/gitea-backup-gke.sh` (gsutil + GCS)
 
 ### Cluster Rebuild
 
@@ -1342,13 +1292,11 @@ kubectl get applications -n argocd -w
                - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
    ```
 
-3. **Sealed Secrets private key backup**
+3. **Vault backup**
    ```bash
-   # Backup sealed-secrets controller private key
+   # Vault data is stored on PVC — ensure PVC snapshots are configured
-   kubectl get secret -n kube-system sealed-secrets-key \
+   # For disaster recovery, maintain Vault unseal keys in a secure location
-     -o yaml > sealed-secrets-key-backup.yaml
+   # All secrets can be re-seeded from source if needed
-
-   # Store in secure location (password manager, vault)
    ```
 
 ---
@@ -1527,9 +1475,9 @@ The repository supports multiple clusters across multiple clouds via Kustomize o
 - **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
 
 **Cloud-ready templates (fill in `clusters/*.yaml` before use):**
-- **aws-dev** / **aws-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
+- **eks-dev** / **eks-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
-- **azure-dev** / **azure-prod**: Azure AKS with Standard LB, managed-csi-premium storage
+- **aks-dev** / **aks-prod**: Azure AKS with Standard LB, managed-csi-premium storage
-- **gcp-dev** / **gcp-prod**: GCP GKE with L4 LB, premium-rwo storage
+- **gke-dev** / **gke-prod**: GCP GKE with L4 LB, premium-rwo storage
 
 Each cluster has its own:
 - Root app-of-apps: `_app-of-apps-{cluster}.yaml`
@@ -1548,7 +1496,7 @@ Cloud-specific values handled per-cluster:
 | **Cost monitoring** | Custom pricing | AWS CUR | Azure Billing API | GCP Cloud Billing |
 | **Backup storage** | UpCloud S3-compat | AWS S3 (native) | Azure Blob Storage | GCS |
 
-To add a new cluster, create a new overlay directory (e.g., `infra/overlays/aws-staging/`) with patches that swap the value file paths, and a matching `clusters/aws-staging.yaml`.
+To add a new cluster, create a new overlay directory (e.g., `infra/overlays/eks-staging/`) with patches that swap the value file paths, and a matching `clusters/eks-staging.yaml`.
 
 ### Blue-Green Deployments
 
@@ -1668,7 +1616,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
-- [ ] Secrets created and sealed
+- [ ] Secrets written to Vault and VaultStaticSecret CRD created
 - [ ] DNS record added for domain
 - [ ] Application synced successfully
 - [ ] Health check passed

docs/REFERENCE.md

@@ -9,6 +9,7 @@
 - [Kyverno Policies](#kyverno-policies)
 - [Configuration Reference](#configuration-reference)
 - [API Endpoints](#api-endpoints)
+- [Cloud Overlay Pattern](#cloud-overlay-pattern)
 - [Glossary](#glossary)
 
 ---
@@ -20,8 +21,9 @@
 | Component | Value |
 |-----------|-------|
 | **Provider** | Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) |
+| **Environment** | Dev + Production per cloud |
 | **Active clusters** | UpCloud (upc-dev, upc-prod) |
-| **Cloud-ready templates** | AWS, Azure, GCP (dev + prod each) |
+| **Cloud-ready templates** | EKS, AKS, GKE (dev + prod each) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -74,40 +76,59 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications
+├── infra/                         # Infrastructure applications (Kustomize)
-│   ├── cluster-resources-application.yaml
+│   ├── base/                      # One subdirectory per component
-│   ├── enterprise-apps.yaml
+│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
-│   ├── traefik-application.yaml
+│   │   ├── traefik-application/
-│   ├── cert-manager-application.yaml
+│   │   │   ├── kustomization.yaml
-│   ├── kyverno.yaml
+│   │   │   └── traefik-application.yaml
-│   ├── kyverno-policies.yaml
+│   │   ├── keycloak/
-│   ├── prometheus.yaml
+│   │   │   ├── kustomization.yaml
-│   ├── grafana.yaml
+│   │   │   └── keycloak.yaml
-│   ├── loki.yaml
+│   │   ├── grafana/
-│   ├── tempo.yaml
+│   │   ├── prometheus/
-│   ├── fluent-bit.yaml
+│   │   ├── loki/
-│   ├── trivy.yaml
+│   │   ├── tempo/
-│   ├── gitea.yaml
+│   │   ├── gitea/
-│   ├── gitea-actions.yaml
+│   │   ├── opencost/
-│   ├── sealedsecrets.yaml
+│   │   ├── ...                    # Each component in own directory
-│   ├── secrets.yaml
+│   │   └── secrets/
-│   ├── renovate.yaml
+│   ├── overlays/                  # Per-cluster: include all or cherry-pick
+│   │   ├── upc-dev/              # resources: [../../base] (all components)
+│   │   ├── upc-prod/            # resources: [../../base] + patches
+│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
+│   │   └── .../                  # 8 clusters total
 │   └── values/
-│       ├── argocd-values.yaml
+│       ├── base/                   # Cloud-agnostic Helm values
-│       ├── prometheus-values.yaml
+│       │   ├── gitea-values.yaml
-│       ├── grafana-values.yaml
+│       │   ├── opencost-values.yaml
-│       ├── loki-values.yaml
+│       │   ├── prometheus-values.yaml
-│       ├── tempo-values.yaml
+│       │   └── ...
-│       ├── gitea-values.yaml
+│       ├── upc-dev/               # UpCloud dev overlay values
-│       ├── gitea-actions-values.yaml
+│       │   ├── traefik-values.yaml
-│       ├── fluent-bit-values.yaml
+│       │   ├── keycloak-values.yaml
-│       └── renovate-values.yaml
+│       │   ├── grafana-values.yaml
+│       │   ├── gitea-values.yaml
+│       │   └── opencost-values.yaml
+│       └── upc-prod/              # UpCloud prod overlay values
+│           ├── traefik-values.yaml
+│           ├── keycloak-values.yaml
+│           ├── grafana-values.yaml
+│           ├── gitea-values.yaml
+│           └── opencost-values.yaml
 │
-├── apps/                          # Business applications
+├── apps/                          # Business applications (Kustomize)
-│   ├── mcp10x.yaml
+│   ├── base/                     # One subdirectory per app
-│   ├── musicman.yaml
+│   │   ├── kustomization.yaml
-│   ├── dot-ai-stack.yaml
+│   │   ├── musicman/
-│   └── argo-mcp.yaml
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/                 # Per-cluster: include all or cherry-pick
+│       ├── upc-dev/
+│       ├── upc-prod/
+│       └── aks-dev/              # Selective apps only
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -128,12 +149,39 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── argocd-mcp-credentials.yaml
+│   ├── base/                     # All SealedSecrets (shared across clouds)
-│   ├── dot-ai-secrets.yaml
+│   │   ├── kustomization.yaml
-│   ├── gitea-credentials-sealed.yaml
+│   │   ├── argocd-forte-helm-secret-sealed.yaml
-│   ├── gitea-runner-token-sealed.yaml
+│   │   ├── argocd-mcp-credentials.yaml
-│   ├── mcp10x-credentials-sealed.yaml
+│   │   ├── argocdmcp-auth-oidc-sealed.yaml
-│   └── musicman-credentials.yaml
+│   │   ├── dot-ai-secrets.yaml
+│   │   ├── forte10x-app-credentials-sealed.yaml
+│   │   ├── gitea-backup-s3-sealed.yaml
+│   │   ├── gitea-credentials-sealed.yaml
+│   │   ├── gitea-runner-token-sealed.yaml
+│   │   ├── gitea-smtp-secret-sealed.yaml
+│   │   ├── keycloak-credentials-sealed.yaml
+│   │   ├── musicman-auth-oidc-sealed.yaml
+│   │   ├── musicman-credentials.yaml
+│   │   └── renovate-env-sealed.yaml
+│   └── overlays/                 # Per-cloud overlays (reference base)
+│       ├── aks-dev/kustomization.yaml
+│       ├── aks-prod/kustomization.yaml
+│       ├── eks-dev/kustomization.yaml
+│       ├── eks-prod/kustomization.yaml
+│       ├── gke-dev/kustomization.yaml
+│       ├── gke-prod/kustomization.yaml
+│       ├── upc-dev/kustomization.yaml
+│       └── upc-prod/kustomization.yaml
+│
+├── scripts/                       # Operational helper scripts
+│   ├── gitea-backup.sh            # S3 backup helper (list/download)
+│   ├── gitea-restore.sh
+│   └── backup/                    # Per-cloud backup reference scripts
+│       ├── s3-minio.sh            # S3-compatible (UpCloud, MinIO, Wasabi)
+│       ├── aws-s3.sh              # Native AWS S3
+│       ├── azure-blob.sh          # Azure Blob Storage
+│       └── gcp-gcs.sh             # GCP Cloud Storage
 │
 ├── private/                       # Local-only (Git-ignored)
 │   ├── *.yaml
@@ -602,10 +650,134 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 
+### Global Settings (`argocd-cm`)
+
+| Setting | Value | Purpose |
+|---------|-------|---------|
+| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
+| `timeout.reconciliation` | `60s` | Reconciliation interval |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
+
+**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
+```yaml
+configs:
+  params:
+    "reposerver.enable.git.submodule": "false"
+```
+This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+
+**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
+```bash
+# Enable admin login
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+# Log in as admin, do what's needed, then disable again
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
+```
+ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
+
+**OIDC Authentication** (Keycloak):
+```yaml
+configs:
+  cm:
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbacConfig:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+      g, ArgoCD Viewers, role:readonly
+    # Deny users not in any declared KC group
+    policy.default: ""
+    scopes: '[groups]'
+```
+
+**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
+
+- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
+- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
+- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
+- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
+- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
+- Safe for fresh deploys: no-ops if source secret doesn't exist yet
+
+**Ingress** (Traefik + TLS):
+```yaml
+server:
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
+  extraArgs:
+  - --insecure
+configs:
+  params:
+    "server.insecure": true
+```
+TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
+
 ---
 
 ## Infrastructure Components
 
+### Homepage (Platform Dashboard)
+
+**Chart**: `jameswynn/homepage`
+**Namespace**: `homepage`
+**URL**: `https://start.forteapps.net`
+
+Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
+
+**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
+
+**Annotated services**:
+| Service | Namespace | Group | Widget |
+|---------|-----------|-------|--------|
+| `gitea-http` | `gitea` | DevOps | `gitea` |
+| `argocd-server` | `argocd` | DevOps | `argocd` |
+| `keycloak` | `keycloak` | Identity | none |
+| `grafana` | `monitoring` | Monitoring | `grafana` |
+| `karpor-server` | `karpor` | DevOps | none |
+
+**Adding a new app**: Annotate the app's Service in its Helm values:
+```yaml
+service:
+  annotations:
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "My App"
+    gethomepage.dev/description: "What it does"
+    gethomepage.dev/group: "GroupName"
+    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
+    gethomepage.dev/href: "https://myapp.forteapps.net"
+    # Optional live widget:
+    gethomepage.dev/widget.type: "myapp"
+    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
+    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
+```
+
+**Widget API credentials**: Inject via env vars into the Homepage pod:
+```yaml
+# In homepage-values.yaml per environment
+env:
+- name: HOMEPAGE_VAR_GRAFANA_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: homepage-widget-credentials
+      key: grafana-token
+```
+Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
+
+**Values files**:
+- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
+- `infra/values/{env}/homepage-values.yaml` — hostname per environment
+
+---
+
 ### Traefik
 
 **Chart**: `traefik/traefik`
@@ -677,6 +849,10 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`
 
+**Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
+
+To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
+
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -717,6 +893,15 @@ kubeStateMetrics:
 - Loki
 - Tempo
 
+**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
+
+**OIDC Authentication** (Keycloak):
+- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
+- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
+- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
+- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
+- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
+
 ### Loki
 
 **Chart**: `grafana/loki-stack`
@@ -1069,6 +1254,33 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 
+### Karpor
+
+**Chart**: `karpor` from `https://kusionstack.github.io/charts`
+**Version**: 0.7.6 (app v0.6.4)
+**Namespace**: `karpor`
+**Sync Wave**: 1
+
+**Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
+
+**Architecture** (4 components):
+- **Server** — main Karpor API/UI (port 7443)
+- **Syncer** — syncs cluster state into the search index
+- **ElasticSearch** — search backend for resource indexing
+- **etcd** — persistent key-value store (10Gi PVC)
+
+**Configuration** (`infra/values/base/karpor-values.yaml`):
+- `namespaceEnabled: false` — ArgoCD manages namespace creation
+- Default resource limits tuned for small clusters
+- ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
+- AI features available but not enabled (requires `server.ai.authToken` + backend config)
+
+**Access**: Port-forward to reach the UI:
+```bash
+kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
+# Open https://localhost:7443
+```
+
 ### Renovate
 
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1172,6 +1384,46 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 
+### Keycloak Microsoft/Entra Identity Provider
+
+**File**: `infra/values/upc-dev/keycloak-values.yaml`
+**Namespace**: `keycloak`
+
+**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
+
+**Configuration via keycloakConfigCli**:
+- IdP alias: `forte-entra`, provider: `microsoft`
+- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
+- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
+
+**Key Configuration Notes**:
+
+| Field | Location | Notes |
+|-------|----------|-------|
+| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
+| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
+| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
+| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
+
+**Token Storage & Broker Access**:
+- `storeToken: true` persists the Entra access token in Keycloak
+- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
+- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
+
+**Identity Provider Mappers**:
+- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
+
+**Required Secret** (`microsoft-idp-credentials`):
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+stringData:
+  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
+```
+
 ### Default Namespace Blocker
 
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1516,7 +1768,23 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
 
-**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
+#### Forwarded Headers
+
+After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
+
+| Header | Description | Auth Modes |
+|--------|-------------|------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
+
+Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
+
+**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
 
 ---
 
@@ -1629,6 +1897,88 @@ POST /loki/api/v1/push
 
 ---
 
+## Cloud Overlay Pattern
+
+### Overview
+
+Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. Adding a new cloud provider only requires a new overlay directory — no base changes.
+
+### Supported Clouds
+
+| Cloud | Dev overlay | Prod overlay | StorageClass | LB type |
+|-------|-----------|-------------|-------------|---------|
+| **UpCloud** | `upc-dev` | `upc-prod` | `upcloud-block-storage-maxiops` | UpCloud LB (proxy protocol v2) |
+| **Azure AKS** | `aks-dev` | `aks-prod` | `managed-csi-premium` | Azure LB |
+| **AWS EKS** | `eks-dev` | `eks-prod` | `gp3` | AWS NLB (proxy protocol) |
+| **GCP GKE** | `gke-dev` | `gke-prod` | `premium-rwo` | GCP NEG |
+
+Bootstrap any cluster with: `./bootstrap.sh <cluster>` (e.g., `./bootstrap.sh aks-dev`)
+
+### How It Works
+
+Each ArgoCD Application uses **multi-source Helm values** with two value files:
+
+```yaml
+# infra/base/gitea.yaml (example)
+helm:
+  valueFiles:
+  - $values/infra/values/base/gitea-values.yaml      # [0] cloud-agnostic
+  - $values/infra/values/upc-dev/gitea-values.yaml    # [1] cloud-specific (default: upc-dev)
+```
+
+The `upc-prod` Kustomize overlay patches index `[1]` to swap the cloud-specific file:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+```
+
+### Components Using Cloud Overlays
+
+| Component | Cloud-specific config | Overlay value file |
+|-----------|----------------------|-------------------|
+| **Traefik** | LB annotations, proxy protocol IPs | `traefik-values.yaml` |
+| **Keycloak** | Hostname, TLS settings | `keycloak-values.yaml` |
+| **Grafana** | Hostname, datasource URLs | `grafana-values.yaml` |
+| **Gitea** | StorageClass (persistence + PostgreSQL) | `gitea-values.yaml` |
+| **OpenCost** | Custom pricing model (CPU/RAM/storage rates) | `opencost-values.yaml` |
+
+### Backup CronJob
+
+The `gitea-backup` CronJob uses a generic `s3` alias for `minio/mc`. The actual endpoint and credentials come from the `gitea-backup-s3` Sealed Secret, which is per-cloud. Reference scripts for different cloud providers are in `scripts/backup/`:
+
+| Script | Provider | Tool |
+|--------|----------|------|
+| `s3-minio.sh` | S3-compatible (UpCloud, MinIO, Wasabi) | `minio/mc` |
+| `aws-s3.sh` | AWS S3 | `aws` CLI |
+| `azure-blob.sh` | Azure Blob Storage | `az` CLI |
+| `gcp-gcs.sh` | GCP Cloud Storage | `gsutil` |
+
+### Adding a New Cloud Provider
+
+To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
+
+1. **Cluster config**: `clusters/oci-dev.yaml` — clusterName, domain, trustedIPs, cloudProvider
+2. **Overlay value files** in `infra/values/oci-dev/`:
+   - `traefik-values.yaml` — LB annotations, proxy protocol config
+   - `keycloak-values.yaml` — hostname
+   - `grafana-values.yaml` — hostname
+   - `gitea-values.yaml` — `storageClass` for persistence + PostgreSQL
+   - `opencost-values.yaml` — pricing model or cloud billing integration
+3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
+4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
+5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+7. **Bootstrap**: `./bootstrap.sh oci-dev`
+
+---
+
 ## Glossary
 
 ### Terms

docs/vault-secrets-operator.md

@@ -0,0 +1,206 @@
+# Vault Secrets Operator (VSO) Reference
+
+## Overview
+
+The platform uses HashiCorp Vault Secrets Operator (VSO) to sync secrets from Vault KV v2 to native Kubernetes Secrets. This replaces the previous SealedSecrets workflow.
+
+**Key benefit**: Secret values can be rotated via Vault UI/CLI without a git commit. Only new VaultStaticSecret CRDs need to be committed.
+
+## Architecture
+
+```
+Vault (KV v2)                VSO                        K8s Secret
+kv/{namespace}/{name}  -->  VaultStaticSecret CRD  -->  Secret in namespace
+                            (polls every 30s)
+```
+
+- **Vault**: Standalone instance in `vault` namespace, KV v2 at `kv/`
+- **VSO**: Deployed in `vault-secrets-operator-system` namespace via ArgoCD
+- **Auth**: Kubernetes auth method — each namespace has its own ServiceAccount + VaultAuth CRD
+
+## KV Path Convention
+
+```
+kv/{namespace}/{secret-name}
+```
+
+Examples:
+- `kv/homepage/homepage-widget-credentials`
+- `kv/argocd/forte-helm-repo`
+- `kv/gitea/gitea-smtp-secret`
+- `kv/keycloak/keycloak-credentials`
+
+## Vault Policy Structure
+
+Each namespace gets a read-only policy:
+
+```hcl
+# Policy: ns-{namespace}
+path "kv/data/{namespace}/*" {
+  capabilities = ["read"]
+}
+path "kv/metadata/{namespace}/*" {
+  capabilities = ["read", "list"]
+}
+```
+
+## Kubernetes Auth Roles
+
+Each namespace has a bound ServiceAccount:
+
+```
+Role: ns-{namespace}
+  bound_service_account_names: vault-auth-{namespace}
+  bound_service_account_namespaces: {namespace}
+  policies: ns-{namespace}
+  audience: vault
+  ttl: 1h
+```
+
+## CRD Reference
+
+### VaultAuth
+
+Per-namespace auth binding. One per namespace.
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: {namespace}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-{namespace}
+    serviceAccount: vault-auth-{namespace}
+    audiences:
+    - vault
+```
+
+Each VaultAuth requires a corresponding ServiceAccount:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-{namespace}
+  namespace: {namespace}
+```
+
+### VaultStaticSecret
+
+One per secret. Syncs a Vault KV path to a K8s Secret.
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {secret-name}
+  namespace: {namespace}
+spec:
+  type: kv-v2
+  mount: kv
+  path: {namespace}/{secret-name}
+  destination:
+    name: {secret-name}        # K8s Secret name (must match what apps expect)
+    create: true
+    type: Opaque               # Optional, defaults to Opaque
+    labels:                    # Optional, for secrets that need labels
+      some-label: "value"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
+```
+
+## Special Labels
+
+Some secrets require specific labels for correct operation:
+
+| Secret | Label | Purpose |
+|--------|-------|---------|
+| `renovate-env` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
+| `gitea-smtp-secret` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
+| `forte-helm-repo` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+| `forte10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+| `mcp10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+
+These are set in `destination.labels` of the VaultStaticSecret CRD.
+
+## Namespaces & Secrets Map
+
+| Namespace | Secrets |
+|-----------|---------|
+| `homepage` | homepage-widget-credentials |
+| `renovate` | renovate-env |
+| `gitea` | gitea-credentials, gitea-backup-s3, gitea-smtp-secret, gitea-runner-token |
+| `keycloak` | keycloak-credentials, microsoft-idp-credentials (overlay) |
+| `argocd` | forte-helm-repo, forte10x-repo-creds, mcp10x-repo-creds, argocd-notifications-secret |
+| `mcp10x` | app-credentials |
+| `ts-mcp` | ts-mcp-secrets |
+| `argocd-mcp` | auth-oidc, argocd-mcp-credentials |
+| `dot-ai` | dot-ai-secrets |
+| `music-man` | musicman-credentials |
+
+## Common Operations
+
+### Add a new secret
+
+1. Write to Vault:
+   ```bash
+   vault kv put kv/{namespace}/{secret-name} key1=val1 key2=val2
+   ```
+
+2. Create VaultStaticSecret YAML (see template above)
+
+3. Add to kustomization.yaml in the appropriate directory
+
+4. Commit and push — ArgoCD syncs the CRD, VSO creates the K8s Secret
+
+### Rotate a secret value
+
+No git commit needed:
+```bash
+vault kv put kv/{namespace}/{secret-name} key1=new-val1 key2=new-val2
+```
+VSO picks up changes within 30 seconds.
+
+### Check sync status
+
+```bash
+# VaultAuth status
+kubectl get vaultauth -n {namespace}
+
+# VaultStaticSecret status
+kubectl get vaultstaticsecret -n {namespace}
+
+# Verify K8s Secret exists with correct keys
+kubectl get secret {name} -n {namespace} -o jsonpath='{.data}' | jq
+```
+
+### Troubleshooting
+
+1. **VaultAuth not authenticating**: Check ServiceAccount exists, Vault role matches SA name/namespace
+2. **VaultStaticSecret not syncing**: Check `kubectl describe vaultstaticsecret {name} -n {ns}` for events
+3. **Secret missing keys**: Verify Vault KV path has all expected keys: `vault kv get kv/{ns}/{name}`
+4. **Permission denied**: Verify Vault policy allows read on `kv/data/{ns}/*`
+
+## File Locations
+
+| Type | Location |
+|------|----------|
+| VSO ArgoCD Application | `infra/base/vault-secrets-operator/` |
+| VSO Helm values | `infra/values/base/vault-secrets-operator-values.yaml` |
+| Vault policies script | `scripts/vault-setup-policies.sh` |
+| Seed script | `scripts/seed-vault-from-cluster.sh` |
+| VaultAuth + VaultStaticSecret | Alongside ArgoCD Application in each component directory |
+
+## Setup Scripts
+
+```bash
+# Create all Vault policies and auth roles
+./scripts/vault-setup-policies.sh
+
+# Seed Vault KV from existing K8s Secrets
+./scripts/seed-vault-from-cluster.sh
+```

infra/base/cert-manager-application/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cert-manager-application.yaml

infra/base/cluster-resources-application/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-resources-application.yaml

infra/base/databunker/databunker.yaml

@@ -1,33 +1,42 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: network-policies
+  name: databunker
   namespace: argocd
-  labels:
-    app.kubernetes.io/name: network-policies
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: databunker
+    app.kubernetes.io/part-of: identity
+    app.kubernetes.io/managed-by: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
 
-  source:
+  sources:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: https://securitybunker.github.io/databunkerpro-setup
+    chart: databunkerpro
+    targetRevision: "0.1.0"
+    helm:
+      releaseName: databunkerpro
+      valueFiles:
+      - $values/infra/values/base/databunker-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: cluster-resources/network
+    ref: values
 
   destination:
     server: https://kubernetes.default.svc
+    namespace: databunker
 
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
       allowEmpty: false
-
     syncOptions:
+    - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true

infra/base/databunker/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- databunker.yaml

infra/base/enterprise-apps/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- enterprise-apps.yaml

infra/base/fluent-bit/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- fluent-bit.yaml

infra/base/gitea-actions/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitea-actions.yaml

infra/base/gitea/gitea-backup-s3-vault.yaml

@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-s3
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-backup-s3
+  destination:
+    name: gitea-backup-s3
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-credentials-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-credentials
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-credentials
+  destination:
+    name: gitea-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-runner-token-vault.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-runner-token
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-runner-token
+  destination:
+    name: gitea-runner-token
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/gitea-smtp-secret-vault.yaml

@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-smtp-secret
+  destination:
+    name: gitea-smtp-secret
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth

infra/base/gitea/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitea.yaml
+- vault-auth.yaml
+- gitea-credentials-vault.yaml
+- gitea-backup-s3-vault.yaml
+- gitea-smtp-secret-vault.yaml
+- gitea-runner-token-vault.yaml
+# Removed: gitea-*-sealed.yaml (migrated to VSO)

infra/base/gitea/vault-auth.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-gitea
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-gitea
+    serviceAccount: vault-auth-gitea
+    audiences:
+    - vault