docs(infra): pg backup & restore runbook for forte-drop

Covers: nightly backup mechanism, listing backups, manual trigger,
full restore procedure (2-pod mc-download + psql-pipe), verification,
object-data note, and a disaster-scenario recovery table.

README.md

@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ### What's Inside
 
-- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -84,24 +84,25 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
-│   │   ├── kustomization.yaml
-│   │   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
-│   │   ├── grafana.yaml
-│   │   ├── gitea.yaml
-│   │   ├── gitea-actions.yaml
-│   │   ├── tempo.yaml
-│   │   ├── renovate.yaml
-│   │   ├── ...                # All other Application manifests
-│   │   └── secrets.yaml
+│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
+│   │   ├── kustomization.yaml # Aggregates all component subdirectories
+│   │   ├── traefik-application/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── traefik-application.yaml
+│   │   ├── keycloak/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── keycloak.yaml
+│   │   ├── grafana/
+│   │   ├── prometheus/
+│   │   ├── ...               # Each component in its own subdirectory
+│   │   └── secrets/
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
+│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
+│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
+│   │   ├── aks-dev/          # Azure AKS Dev — selective components only
+│   │   ├── aks-prod/         # Azure AKS Prod
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
-│   │   ├── aks-dev/        # Azure AKS Dev
-│   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
@@ -116,11 +117,18 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications
-│   ├── mcp10x.yaml
-│   ├── musicman.yaml
-│   ├── dot-ai-stack.yaml
-│   └── argo-mcp.yaml
+├── apps/                      # Business Applications (Kustomize, same pattern as infra)
+│   ├── base/                  # One subdirectory per app
+│   │   ├── kustomization.yaml
+│   │   ├── musicman/
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/              # Per-cluster: cherry-pick or include all
+│       ├── upc-dev/           # All apps
+│       ├── upc-prod/         # All apps + patches
+│       └── aks-dev/          # Selective apps only
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -372,7 +380,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 
 ### Multi-Source Pattern
 Applications reference both:

apps/base/argo-mcp/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- argo-mcp.yaml
+- argocdmcp-auth-oidc-sealed.yaml
+- argocd-mcp-credentials.yaml

apps/base/dot-ai-stack/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dot-ai-stack.yaml
+- dot-ai-secrets.yaml

apps/base/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- dot-ai-stack.yaml
-- mcp10x.yaml
-- musicman.yaml
-- ts-mcp.yaml
-- argo-mcp.yaml
+- dot-ai-stack
+- mcp10x
+- musicman
+- ts-mcp
+- argo-mcp

apps/base/mcp10x/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- mcp10x.yaml
+- forte10x-app-credentials-sealed.yaml

apps/base/musicman/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- musicman.yaml
+- musicman-credentials.yaml

apps/base/musicman/musicman-credentials.yaml

@@ -4,6 +4,8 @@ metadata:
   creationTimestamp: null
   name: musicman-credentials
   namespace: music-man
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
 spec:
   encryptedData:
     DATABASE_URL: AgBGLu8Rw9z9WMo3uX7fezN7tOVlEsmWtikFlyBxuSuQ1dCv6KTCePkwxJx4LuKvaHXlwdWl5yP8wQxMJP0BNJ1wewFb9zeUkP1YuCz4MrfuXq1zrecIr86R5hNbPiOb66e/4oOTCY/z3QREX9WjZdLJV/PCyBz8MP0D51pgWXpM6CBdhwpFbHSALyJk89+q44c9KkRxAUG2OLnesMeRe9nXJt5ariUCl9Qd2POIjx2hSNII1l0KbTcjI9hCf91DYM6poqKYYQUpnrjKv3LJwWS79I2b56+iTtroH3usIRgaiwgtFt2INm+8gwLBmC4xxKJ5VAjjYB/3dcN9XeboXvj0NB05P9jS3e77imUFANIB9coeaNlcvRWxwGCewYMp8+7RT7jPVA41/+aT/zT74tq9WhkKvgrr1It9/5fRnXtFEkhZg5bBcYCChzooarHkiwKlA3Wo0CrFsDPqy89oZrnwMRnVqKWBf79koZV4l7uCA0do9ojf55lTy8mt3mKQkwfqK9UdzZNbYzH0/Fk6gxlSxANOOqe7kt6VPywYUBnh6JS5U+kdTgNeSrFy/xqLFz28fXuikSJvLEouSFu66MeT+6uvYEmdfdLeh7quW/n+p7QTok3v3kRYJ/1Dl8ZtgvM7e8F/J5bLcacj394AJ/bBt+RIDa+XBjNNPrWKcWt/mkudZ25F/84G+hNxYQv7PIbhYfA1JTuHmQSoF+xah5QhKpyNpI3+knJmJj/4MhPKLnTuebg0xfbPevm2CU9fSa4sPIqmSvSGtqlXODvCfDSFEYzWfyfXV5Tys1NGAt04V8fl9A9UxULUm510NCeD0jzFeeYm3ZJiyavA5xF6hXCHoqLE

apps/base/musicman/musicman.yaml

@@ -36,13 +36,8 @@ spec:
     automated:
       prune: true
       selfHeal: true
-      allowEmpty: false
-
     syncOptions:
     - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=false
-    - Replace=false
     retry:
       limit: 5
       backoff:

apps/base/ts-mcp/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ts-mcp.yaml
+- ts-mcp-secrets-sealed.yaml

apps/overlays/aks-dev/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/musicman

apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dbunk-demo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: dbunk-demo
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/dbunk-demo/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dbunk-demo
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

apps/overlays/upc-dev/dbunk-demo/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dbunk-demo.yaml

apps/overlays/upc-dev/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- dbunk-demo
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

bootstrap.sh

@@ -18,7 +18,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
     ArgoCd
-#    Gitea
+    Gitea
 }
 
 

cluster-resources/policies/label-checker.yaml

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: require-labels
-  annotations:
-    policies.kyverno.io/title: Require Labels
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod, Label
-    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
-  validationFailureAction: Audit
-  background: true
-  rules:
-  - name: check-for-labels
-    skipBackgroundRequests: true
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - istio-system
-          - argocd
-          - cert-manager
-          - monitoring
-          - secrets
-          - kyverno
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    validate:
-      message: The label `app.kubernetes.io/name` is required.
-      allowExistingViolations: true
-      pattern:
-        metadata:
-          labels:
-            app.kubernetes.io/name: "?*"

clusters/aks-dev.yaml

@@ -1,6 +1,6 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)

docs/GITOPS-ARCHITECTURE.md

@@ -120,24 +120,25 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (upc-dev defaults)
-│   │   ├── kustomization.yaml
-│   │   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
-│   │   ├── grafana.yaml
-│   │   ├── gitea.yaml
-│   │   ├── gitea-actions.yaml
-│   │   ├── tempo.yaml
-│   │   ├── renovate.yaml
-│   │   ├── ...                       # All other Application manifests
-│   │   └── secrets.yaml
+│   ├── base/                         # Base Application manifests (one dir per component)
+│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
+│   │   ├── traefik-application/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── traefik-application.yaml
+│   │   ├── keycloak/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── keycloak.yaml
+│   │   ├── grafana/
+│   │   ├── prometheus/
+│   │   ├── ...                       # Each component in its own subdirectory
+│   │   └── secrets/
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
+│   │   ├── upc-prod/                # UpCloud Prod — all + patches
+│   │   ├── aks-dev/                 # Azure AKS Dev — selective components
+│   │   ├── aks-prod/               # Azure AKS Prod
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
-│   │   ├── aks-dev/               # Azure AKS Dev
-│   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
@@ -149,13 +150,17 @@ launchpad/
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # Base app manifests
+│   ├── base/                         # One subdirectory per app
 │   │   ├── kustomization.yaml
-│   │   ├── dot-ai-stack.yaml
-│   │   └── ...
+│   │   ├── musicman/
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
 │   └── overlays/
-│       ├── upc-dev/                  # Uses base as-is
-│       └── upc-prod/                # Patches value paths
+│       ├── upc-dev/                  # All apps (resources: ../../base)
+│       ├── upc-prod/                # All apps + patches
+│       └── aks-dev/                 # Selective apps only
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -171,6 +176,8 @@ launchpad/
 
 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
+- Each component in `base/` has its own subdirectory with a `kustomization.yaml`
+- Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -353,16 +360,30 @@ spec:
 
 ### Multi-Cluster Pattern
 
-Kustomize overlays enable deploying the same Applications across clusters with different configurations:
+Kustomize overlays enable deploying the same Applications across clusters with different configurations.
+
+Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
 
 ```yaml
-# infra/base/ contains default (upc-dev) Applications
-# Helm values are layered: base + cluster-specific
-valueFiles:
-- $values/infra/values/base/traefik-values.yaml    # Shared config
-- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
+# Option 1: Include ALL components (full cluster)
+# infra/overlays/upc-dev/kustomization.yaml
+resources:
+- ../../base                    # Pulls in every component subdirectory
 
-# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
+# Option 2: Cherry-pick specific components (lightweight cluster)
+# infra/overlays/aks-dev/kustomization.yaml
+resources:
+- ../../base/traefik-application
+- ../../base/grafana
+- ../../base/prometheus
+- ../../base/loki
+# Only listed components are deployed — others are excluded
+```
+
+Per-cluster patches swap Helm value file paths:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
 patches:
 - target:
     kind: Application

docs/REFERENCE.md

@@ -76,33 +76,28 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications
-│   ├── cluster-resources-application.yaml
-│   ├── enterprise-apps.yaml
-│   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
-│   ├── kyverno.yaml
-│   ├── kyverno-policies.yaml
-│   ├── prometheus.yaml
-│   ├── grafana.yaml
-│   ├── loki.yaml
-│   ├── tempo.yaml
-│   ├── fluent-bit.yaml
-│   ├── gitea.yaml
-│   ├── gitea-actions.yaml
-│   ├── sealedsecrets.yaml
-│   ├── secrets.yaml
-│   ├── renovate.yaml
-│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
-│   │   ├── gitea.yaml
-│   │   ├── opencost.yaml
-│   │   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
-│   │   ├── grafana.yaml
-│   │   └── ...
-│   ├── overlays/
-│   │   └── upc-prod/
-│   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
+├── infra/                         # Infrastructure applications (Kustomize)
+│   ├── base/                      # One subdirectory per component
+│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
+│   │   ├── traefik-application/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── traefik-application.yaml
+│   │   ├── keycloak/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── keycloak.yaml
+│   │   ├── grafana/
+│   │   ├── prometheus/
+│   │   ├── loki/
+│   │   ├── tempo/
+│   │   ├── gitea/
+│   │   ├── opencost/
+│   │   ├── ...                    # Each component in own directory
+│   │   └── secrets/
+│   ├── overlays/                  # Per-cluster: include all or cherry-pick
+│   │   ├── upc-dev/              # resources: [../../base] (all components)
+│   │   ├── upc-prod/            # resources: [../../base] + patches
+│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
+│   │   └── .../                  # 8 clusters total
 │   └── values/
 │       ├── base/                   # Cloud-agnostic Helm values
 │       │   ├── gitea-values.yaml
@@ -122,11 +117,18 @@ launchpad/
 │           ├── gitea-values.yaml
 │           └── opencost-values.yaml
 │
-├── apps/                          # Business applications
-│   ├── mcp10x.yaml
-│   ├── musicman.yaml
-│   ├── dot-ai-stack.yaml
-│   └── argo-mcp.yaml
+├── apps/                          # Business applications (Kustomize)
+│   ├── base/                     # One subdirectory per app
+│   │   ├── kustomization.yaml
+│   │   ├── musicman/
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/                 # Per-cluster: include all or cherry-pick
+│       ├── upc-dev/
+│       ├── upc-prod/
+│       └── aks-dev/              # Selective apps only
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -723,6 +725,59 @@ TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 
 ## Infrastructure Components
 
+### Homepage (Platform Dashboard)
+
+**Chart**: `jameswynn/homepage`
+**Namespace**: `homepage`
+**URL**: `https://start.forteapps.net`
+
+Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
+
+**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
+
+**Annotated services**:
+| Service | Namespace | Group | Widget |
+|---------|-----------|-------|--------|
+| `gitea-http` | `gitea` | DevOps | `gitea` |
+| `argocd-server` | `argocd` | DevOps | `argocd` |
+| `keycloak` | `keycloak` | Identity | none |
+| `grafana` | `monitoring` | Monitoring | `grafana` |
+| `karpor-server` | `karpor` | DevOps | none |
+
+**Adding a new app**: Annotate the app's Service in its Helm values:
+```yaml
+service:
+  annotations:
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "My App"
+    gethomepage.dev/description: "What it does"
+    gethomepage.dev/group: "GroupName"
+    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
+    gethomepage.dev/href: "https://myapp.forteapps.net"
+    # Optional live widget:
+    gethomepage.dev/widget.type: "myapp"
+    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
+    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
+```
+
+**Widget API credentials**: Inject via env vars into the Homepage pod:
+```yaml
+# In homepage-values.yaml per environment
+env:
+- name: HOMEPAGE_VAR_GRAFANA_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: homepage-widget-credentials
+      key: grafana-token
+```
+Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
+
+**Values files**:
+- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
+- `infra/values/{env}/homepage-values.yaml` — hostname per environment
+
+---
+
 ### Traefik
 
 **Chart**: `traefik/traefik`
@@ -1008,6 +1063,52 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### Vaultwarden
+
+**Chart**: `guerzon/vaultwarden`
+**Version**: 0.36.4 (app v1.36.0-alpine)
+**Namespace**: `vaultwarden`
+
+**Purpose**: Self-hosted Bitwarden-compatible password manager.
+
+**Configuration**:
+```yaml
+# infra/overlays/upc-dev/vaultwarden/ + infra/values/
+domain: "https://bitwarden.forteapps.net"
+
+ingress:
+  enabled: true
+  class: "traefik"
+  tls: true
+  tlsSecret: vaultwarden-tls
+  hostname: bitwarden.forteapps.net
+  additionalAnnotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+
+database:
+  type: postgresql
+  host: vaultwarden-postgresql  # StatefulSet in overlay
+  existingSecret: prod-db-creds
+
+storage:
+  data: 5Gi (ReadWriteOnce)
+  attachments: 5Gi (ReadWriteOnce)
+```
+
+**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
+
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
+
+**Endpoints**:
+- Web UI: `https://bitwarden.forteapps.net`
+
+**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
+
+**Secrets**:
+- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
+- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+- `vaultwarden-tls` — auto-managed by cert-manager
+
 ### AI Code Review (ai-review)
 
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1086,6 +1187,30 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 
+### Keycloak Browser Flow (IdP Auto-Redirect)
+
+**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
+
+The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
+
+**Flow executions**:
+
+| Priority | Authenticator | Requirement | Purpose |
+|----------|--------------|-------------|---------|
+| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
+| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
+
+**Key fields in realm JSON**:
+- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
+- `"authenticationFlows"` — defines the custom flow with its executions
+- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
+
+**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
+
+**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
+
+---
+
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)

infra/base/cert-manager-application/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cert-manager-application.yaml

infra/base/cluster-resources-application/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-resources-application.yaml

infra/base/databunker/databunker.yaml

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: databunker
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: databunker
+    app.kubernetes.io/part-of: identity
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://securitybunker.github.io/databunkerpro-setup
+    chart: databunkerpro
+    targetRevision: "0.1.0"
+    helm:
+      releaseName: databunkerpro
+      valueFiles:
+      - $values/infra/values/base/databunker-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: databunker
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/base/databunker/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- databunker.yaml

infra/base/enterprise-apps/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- enterprise-apps.yaml

infra/base/fluent-bit/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- fluent-bit.yaml

infra/base/gitea-actions/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitea-actions.yaml

infra/base/gitea/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitea.yaml
+- gitea-backup-s3-sealed.yaml
+- gitea-credentials-sealed.yaml
+- gitea-runner-token-sealed.yaml
+- gitea-smtp-secret-sealed.yaml

infra/base/grafana-dashboards/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- grafana-dashboards.yaml

infra/base/grafana/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- grafana.yaml

infra/base/homepage/homepage-extra-rbac.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: homepage-services-reader
+rules:
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: homepage-services-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: homepage-services-reader
+subjects:
+- kind: ServiceAccount
+  name: homepage
+  namespace: homepage

infra/base/homepage/homepage-widget-credentials-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: homepage-widget-credentials
+  namespace: homepage
+spec:
+  encryptedData:
+    HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
+    HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
+  template:
+    metadata:
+      creationTimestamp: null
+      name: homepage-widget-credentials
+      namespace: homepage

infra/base/homepage/homepage.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homepage
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+  labels:
+    app.kubernetes.io/name: homepage
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://jameswynn.github.io/helm-charts
+    chart: homepage
+    targetRevision: "2.1.0"
+    helm:
+      releaseName: homepage
+      valueFiles:
+      - $values/infra/values/base/homepage-values.yaml
+      - $values/infra/values/upc-dev/homepage-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homepage
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/base/homepage/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- homepage.yaml
+- homepage-widget-credentials-sealed.yaml
+- homepage-extra-rbac.yaml

infra/base/karpor/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- karpor.yaml

infra/base/keycloak/keycloak.yaml

@@ -43,10 +43,6 @@ spec:
     - ServerSideApply=true
 
   ignoreDifferences:
-  - group: batch
-    kind: CronJob
-    jsonPointers:
-    - /spec/jobTemplate/spec/template/spec/containers/0/args
   - group: apps
     kind: StatefulSet
     jsonPointers:

infra/base/keycloak/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- keycloak.yaml
+- keycloak-credentials-sealed.yaml

infra/base/kustomization.yaml

@@ -1,23 +1,25 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- traefik-application.yaml
-- keycloak.yaml
-- grafana.yaml
-- cert-manager-application.yaml
-- kyverno.yaml
-- sealedsecrets.yaml
-- prometheus.yaml
-- loki.yaml
-- fluent-bit.yaml
-- enterprise-apps.yaml
-- cluster-resources-application.yaml
-- kyverno-policies.yaml
-- secrets.yaml
-- gitea.yaml
-- gitea-actions.yaml
-- opencost.yaml
-- renovate.yaml
-- tempo.yaml
-- grafana-dashboards.yaml
-- karpor.yaml
+- traefik-application
+- keycloak
+- grafana
+- cert-manager-application
+- kyverno
+- sealedsecrets
+- prometheus
+- loki
+- fluent-bit
+- enterprise-apps
+- cluster-resources-application
+- kyverno-policies
+- gitea
+- gitea-actions
+- opencost
+- renovate
+- tempo
+- grafana-dashboards
+- karpor
+- databunker
+- homepage
+- vault

infra/base/kyverno-policies/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kyverno-policies.yaml

infra/base/kyverno-policies/kyverno-policies.yaml

@@ -27,7 +27,6 @@ spec:
     automated:
       prune: true
       selfHeal: true
-      allowEmpty: false
     syncOptions:
     - CreateNamespace=true
     - Validate=true

infra/base/kyverno/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kyverno.yaml

infra/base/loki/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- loki.yaml

infra/base/opencost/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- opencost.yaml

infra/base/prometheus/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- prometheus.yaml

infra/base/renovate/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- renovate.yaml
+- renovate-env-sealed.yaml

infra/base/sealedsecrets/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- sealedsecrets.yaml
+- argocd-forte-helm-secret-sealed.yaml

infra/base/tempo/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- tempo.yaml

infra/base/traefik-application/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- traefik-application.yaml

infra/base/vault/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- vault.yaml

infra/base/vault/vault.yaml

@@ -0,0 +1,49 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://helm.releases.hashicorp.com
+    chart: vault
+    targetRevision: "0.32.0"
+    helm:
+      releaseName: vault
+      valueFiles:
+      - $values/infra/values/base/vault-values.yaml
+      - $values/infra/values/upc-dev/vault-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vault
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/overlays/aks-dev/kustomization.yaml

@@ -1,9 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../base/cert-manager-application
+- ../../base/cluster-resources-application
+- ../../base/grafana
+- ../../base/grafana-dashboards
+- ../../base/kyverno
+- ../../base/kyverno-policies
+- ../../base/loki
+- ../../base/enterprise-apps
+- ../../base/opencost
+- ../../base/prometheus
+- ../../base/sealedsecrets
+- ../../base/tempo
+- ../../base/homepage
+- ../../base/traefik-application
 
 patches:
+# Homepage: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: homepage
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/homepage-values.yaml
+
 # Traefik: swap upc-dev → aks-dev
 - target:
     kind: Application
@@ -13,15 +35,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-dev/traefik-values.yaml
 
-# Keycloak: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/keycloak-values.yaml
-
 # Grafana: swap upc-dev → aks-dev
 - target:
     kind: Application
@@ -31,15 +44,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-dev/grafana-values.yaml
 
-# Gitea: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/gitea-values.yaml
-
 # OpenCost: swap upc-dev → aks-dev
 - target:
     kind: Application
@@ -49,16 +53,7 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-dev/opencost-values.yaml
 
-# Secrets: change path to aks-dev
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/aks-dev
-
-# Enterprise-apps: point to aks-dev overlay
+# Ent apps: swap upc-dev → aks-prod
 - target:
     kind: Application
     name: enterprise-apps

infra/overlays/aks-prod/kustomization.yaml

@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../base/cert-manager-application
+- ../../base/cluster-resources-application
+- ../../base/grafana
+- ../../base/grafana-dashboards
+- ../../base/kyverno
+- ../../base/kyverno-policies
+- ../../base/loki
+- ../../base/opencost
+- ../../base/prometheus
+- ../../base/sealedsecrets
+- ../../base/tempo
+- ../../base/traefik-application
 
 patches:
 # Traefik: swap upc-dev → aks-prod
@@ -13,15 +24,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-prod/traefik-values.yaml
 
-# Keycloak: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/keycloak-values.yaml
-
 # Grafana: swap upc-dev → aks-prod  
 - target:
     kind: Application
@@ -31,15 +33,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-prod/grafana-values.yaml
 
-# Gitea: swap upc-dev → aks-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-prod/gitea-values.yaml
-
 # OpenCost: swap upc-dev → aks-prod
 - target:
     kind: Application
@@ -48,21 +41,3 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-prod/opencost-values.yaml
-
-# Secrets: change path to aks-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/aks-prod
-
-# Enterprise-apps: point to aks-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/aks-prod

infra/overlays/eks-dev/kustomization.yaml

@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../base/cert-manager-application
+- ../../base/cluster-resources-application
+- ../../base/grafana
+- ../../base/grafana-dashboards
+- ../../base/kyverno
+- ../../base/kyverno-policies
+- ../../base/loki
+- ../../base/opencost
+- ../../base/prometheus
+- ../../base/sealedsecrets
+- ../../base/tempo
+- ../../base/traefik-application
 
 patches:
 # Traefik: swap upc-dev → eks-dev
@@ -13,15 +24,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-dev/traefik-values.yaml
 
-# Keycloak: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/keycloak-values.yaml
-
 # Grafana: swap upc-dev → eks-dev  
 - target:
     kind: Application
@@ -31,15 +33,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-dev/grafana-values.yaml
 
-# Gitea: swap upc-dev → eks-dev
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-dev/gitea-values.yaml
-
 # OpenCost: swap upc-dev → eks-dev
 - target:
     kind: Application
@@ -48,21 +41,3 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-dev/opencost-values.yaml
-
-# Secrets: change path to eks-dev
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/eks-dev
-
-# Enterprise-apps: point to eks-dev overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/eks-dev

infra/overlays/eks-prod/kustomization.yaml

@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../base/cert-manager-application
+- ../../base/cluster-resources-application
+- ../../base/grafana
+- ../../base/grafana-dashboards
+- ../../base/kyverno
+- ../../base/kyverno-policies
+- ../../base/loki
+- ../../base/opencost
+- ../../base/prometheus
+- ../../base/sealedsecrets
+- ../../base/tempo
+- ../../base/traefik-application
 
 patches:
 # Traefik: swap upc-dev → eks-prod
@@ -13,15 +24,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-prod/traefik-values.yaml
 
-# Keycloak: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/keycloak-values.yaml
-
 # Grafana: swap upc-dev → eks-prod  
 - target:
     kind: Application
@@ -31,15 +33,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-prod/grafana-values.yaml
 
-# Gitea: swap upc-dev → eks-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/eks-prod/gitea-values.yaml
-
 # OpenCost: swap upc-dev → eks-prod
 - target:
     kind: Application
@@ -48,21 +41,3 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-prod/opencost-values.yaml
-
-# Secrets: change path to eks-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/eks-prod
-
-# Enterprise-apps: point to eks-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/eks-prod

infra/overlays/gke-dev/kustomization.yaml

@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../base/cert-manager-application
+- ../../base/cluster-resources-application
+- ../../base/grafana
+- ../../base/grafana-dashboards
+- ../../base/kyverno
+- ../../base/kyverno-policies
+- ../../base/loki
+- ../../base/opencost
+- ../../base/prometheus
+- ../../base/sealedsecrets
+- ../../base/tempo
+- ../../base/traefik-application
 
 patches:
 # Traefik: swap upc-dev → gke-dev
@@ -13,15 +24,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-dev/traefik-values.yaml
 
-# Keycloak: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/keycloak-values.yaml
-
 # Grafana: swap upc-dev → gke-dev  
 - target:
     kind: Application
@@ -31,15 +33,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-dev/grafana-values.yaml
 
-# Gitea: swap upc-dev → gke-dev
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-dev/gitea-values.yaml
-
 # OpenCost: swap upc-dev → gke-dev
 - target:
     kind: Application
@@ -48,21 +41,3 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-dev/opencost-values.yaml
-
-# Secrets: change path to gke-dev
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/gke-dev
-
-# Enterprise-apps: point to gke-dev overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/gke-dev

infra/overlays/gke-prod/kustomization.yaml

@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../base/cert-manager-application
+- ../../base/cluster-resources-application
+- ../../base/grafana
+- ../../base/grafana-dashboards
+- ../../base/kyverno
+- ../../base/kyverno-policies
+- ../../base/loki
+- ../../base/opencost
+- ../../base/prometheus
+- ../../base/sealedsecrets
+- ../../base/tempo
+- ../../base/traefik-application
 
 patches:
 # Traefik: swap upc-dev → gke-prod
@@ -13,15 +24,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-prod/traefik-values.yaml
 
-# Keycloak: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/keycloak-values.yaml
-
 # Grafana: swap upc-dev → gke-prod  
 - target:
     kind: Application
@@ -31,15 +33,6 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-prod/grafana-values.yaml
 
-# Gitea: swap upc-dev → gke-prod
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/gke-prod/gitea-values.yaml
-
 # OpenCost: swap upc-dev → gke-prod
 - target:
     kind: Application
@@ -48,21 +41,3 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-prod/opencost-values.yaml
-
-# Secrets: change path to gke-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/gke-prod
-
-# Enterprise-apps: point to gke-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/gke-prod

infra/overlays/upc-dev/forte-drop-postgresql/RESTORE.md

@@ -0,0 +1,143 @@
+# forte-drop Postgres — backup & restore runbook
+
+## What gets backed up
+
+A CronJob (`forte-drop-pg-backup`, namespace `forte-drop`) runs nightly at **02:00 UTC**:
+
+1. `pg_dump` of the `drops` database → gzip.
+2. Upload to **UpCloud Managed Object Storage**: `s3://drops/_pgbackups/forte-drop-<TS>.sql.gz`
+   (the `_pgbackups/` prefix is collision-proof: app slugs match `/^[a-z0-9][a-z0-9-]{0,62}$/`
+   and can never start with `_`).
+3. Retention: dumps older than **30 days** are pruned.
+
+S3 creds come from the `forte-drop-secrets` Secret (`S3_ENDPOINT` / `S3_KEY` / `S3_SECRET`).
+Postgres creds from `forte-drop-pg-creds` (`pgusername` / `pgpassword`).
+
+> **Object storage is the durable tier.** App data + DB backups both live in UpCloud
+> Managed Object Storage (replicated by UpCloud). The in-cluster Postgres PVC is the
+> live working copy; the nightly dump is the recovery point. The PVC carries
+> `Prune=false,Delete=false` so ArgoCD never deletes it.
+
+## Prerequisites
+
+```bash
+export KUBECONFIG=~/Downloads/dev-fd-no-svg1_kubeconfig.yaml
+# Confirm the namespace + DB pod are up:
+kubectl -n forte-drop get pods -l app.kubernetes.io/name=postgresql
+```
+
+## List available backups
+
+```bash
+# Run an ephemeral mc pod with the app's S3 creds:
+kubectl -n forte-drop run mc-list --rm -it --restart=Never \
+  --image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
+  --overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc ls obj/drops/_pgbackups/"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}'
+```
+
+## Manually trigger a backup (before risky changes)
+
+```bash
+kubectl -n forte-drop create job --from=cronjob/forte-drop-pg-backup pg-backup-manual-$(date +%s)
+# Watch:
+kubectl -n forte-drop get jobs -l app.kubernetes.io/component=backup
+kubectl -n forte-drop logs -l app.kubernetes.io/component=backup --tail=40
+```
+
+## Restore a dump
+
+> **Destructive.** This overwrites the live `drops` database. Take a fresh manual
+> backup first (above) and confirm with whoever owns the data before proceeding.
+
+### 1. Pick the dump to restore
+
+List backups (above), choose `forte-drop-<TS>.sql.gz`.
+
+### 2. Run a restore pod that pulls the dump and pipes it into Postgres
+
+```bash
+DUMP="forte-drop-20260530T020000Z.sql.gz"   # <-- set to the chosen file
+
+kubectl -n forte-drop run pg-restore --rm -it --restart=Never \
+  --image=postgres:16-alpine \
+  --overrides='{
+    "spec": {
+      "containers": [{
+        "name": "restore",
+        "image": "postgres:16-alpine",
+        "command": ["sh","-c","set -euo pipefail; \
+          apk add --no-cache curl >/dev/null; \
+          # download via mc is simpler — use a 2-step instead (see note). \
+          echo placeholder"],
+        "envFrom": [
+          {"secretRef":{"name":"forte-drop-pg-creds"}},
+          {"secretRef":{"name":"forte-drop-secrets"}}
+        ]
+      }]
+    }
+  }'
+```
+
+**Simpler 2-pod approach (recommended — avoids cramming mc + psql in one image):**
+
+```bash
+DUMP="forte-drop-20260530T020000Z.sql.gz"
+
+# (a) Download the dump from object storage to a local file:
+kubectl -n forte-drop run mc-get --rm -it --restart=Never \
+  --image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
+  --overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc cat obj/drops/_pgbackups/'"$DUMP"'"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}' \
+  > /tmp/$DUMP
+
+# (b) Pipe it into the live Postgres via the service:
+gunzip -c /tmp/$DUMP | kubectl -n forte-drop run pg-restore --rm -i --restart=Never \
+  --image=postgres:16-alpine \
+  --overrides='{"spec":{"containers":[{"name":"psql","image":"postgres:16-alpine","stdin":true,"command":["sh","-c","PGPASSWORD=\"$pgpassword\" psql -h forte-drop-postgresql.forte-drop.svc -U \"$pgusername\" -d drops"],"env":[{"name":"pgusername","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgusername"}}},{"name":"pgpassword","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgpassword"}}}]}]}}'
+```
+
+> The app's schema is created idempotently on boot (`CREATE TABLE IF NOT EXISTS` +
+> `ALTER TABLE ... ADD COLUMN IF NOT EXISTS` in `src/repo/pg.ts`), and `pg_dump`
+> output includes the data. For a clean restore into a fresh DB this just works.
+> To restore over an existing DB with conflicting rows, drop/recreate the `drops`
+> database first (coordinate downtime — scale the web Deployment to 0 during the
+> restore so the app isn't writing).
+
+### 3. Verify
+
+```bash
+kubectl -n forte-drop run pg-check --rm -it --restart=Never \
+  --image=postgres:16-alpine \
+  --env="PGPASSWORD=$(kubectl -n forte-drop get secret forte-drop-pg-creds -o jsonpath='{.data.pgpassword}' | base64 -d)" \
+  --command -- psql -h forte-drop-postgresql.forte-drop.svc -U drops -d drops \
+  -c "SELECT count(*) AS drops FROM drops;" -c "SELECT count(*) AS view_hits FROM view_hits;"
+```
+
+### 4. Bring the app back
+
+```bash
+# If you scaled web to 0 for the restore:
+kubectl -n forte-drop scale deploy/forte-drop --replicas=2
+```
+
+## Object data (uploaded drop files)
+
+Drop files live in `s3://drops/<slug>/...` in the same managed bucket. They are
+**not** part of the pg backup (the dump only holds metadata). Object storage is
+UpCloud-managed/replicated, so no separate file backup is configured. If a
+file-level backup is later required, mirror the bucket to a second bucket/region:
+
+```bash
+mc mirror --overwrite obj/drops/ backup-target/drops-mirror/
+```
+
+(Exclude `_pgbackups/` from the app-data mirror if you split them.)
+
+## Disaster scenarios
+
+| Scenario | Recovery |
+|---|---|
+| Postgres pod crash / reschedule | StatefulSet reattaches the PVC; ~1–2 min downtime; no data loss. |
+| PVC lost / corrupted | Recreate StatefulSet, restore latest nightly dump (above). Data since last dump is lost. |
+| Accidental `drops` table data loss | Restore latest dump; or `pg_restore` a single table from a dump. |
+| Namespace deleted | PVC has `Prune=false,Delete=false`; recreate Applications, PVC re-binds, app recovers. Backups in object storage are independent. |
+| Object storage bucket lost | UpCloud-managed (replicated). If the IAM key is rotated, update `forte-drop-secrets` (re-seal). |

infra/overlays/upc-dev/forte-drop-postgresql/forte-drop-postgresql.yaml

@@ -1,30 +1,40 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: secrets
+  name: forte-drop-postgresql
   namespace: argocd
   annotations:
-    argocd.argoproj.io/sync-wave: "2"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+    argocd.argoproj.io/sync-wave: "0"
   labels:
-    app.kubernetes.io/name: secrets
-    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/name: forte-drop-postgresql
+    app.kubernetes.io/part-of: apps
     app.kubernetes.io/managed-by: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
+
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets/overlays/upc-dev
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev/forte-drop-postgresql/resources
+
   destination:
     server: https://kubernetes.default.svc
-    namespace: secrets
+    namespace: forte-drop
+
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
+      allowEmpty: false
     syncOptions:
     - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/overlays/upc-dev/forte-drop-postgresql/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- forte-drop-postgresql.yaml

infra/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: forte-drop-pg-creds
+  namespace: forte-drop
+spec:
+  encryptedData:
+    pgpassword: AgBYokuQRCTmPGC8soB7n8W39nmSAZDTV97i77NmdMh5ndaZNtCtXxhMcpM2z8kaGv2tCWIh47dr38a5tGPZ0TsmeEQOF9Rbbtq1fyR7pJwT8S+N2Z2zu354wNWQlltEAVvTvthe2wTer/BpyRofeSZprxihmfNpuHUP8rLsnIXln5tOWDzJ8hnRWoYZFITaihC2qrJj/kFE0Rfdcmzt1tSq3jCB/rWijVaJF9XSh4rzQoqZDiUNjDPUjyERILw59JWU4zf9OKcqNHDnmpXBR4LSjLhd9waN6ElEzO4gGcVaHISKrTwewX1ONwPHDnw6lqkQObyBPx8aUsGzxLkUhNDtvIYDkB4BKWP5Qu4bNcSztIbrxi6l7Lr/DWC9qTbKm1/p83rc6r8VqRMURUyQg8/vBlCHOIUbZ8DM1OfNlMd8gvcSkaxEVIdCDUjguCvE3cGyG4cqv2unllZQ+9417WwLNJecT6x1EL3nQyAlK5c9vUIbcVyaFlbSUcGB7xmPgZrZ6/3RDyOH6Tmew1ssV9gLvdaehscUE0fjnnFnJpczkwdyxIOSNLIkjlWetCKEbhowJbzk05h3M2p6XQQOuNTnsYjAADMGD72GUgAQlY8KXmDELtv09KELcXbeYS4gABPpMrVmvZymq8lqQ13Py8o+cIqbrU5V86WxASTfQ5gMo/ymYabuhTBIapcnaKR1dFCCfu8deh5f2HJ6/1NjdWR+XvEshg+EF5OkTUInukX4vA==
+    pgusername: AgCs6vyQ8CIv5OneP/jMltIPGdZQbpq/BFmQM1mkBD61Ve+anzve5K0Gkg+zsNfbZf0pOPAXtu4C4aL1Lwv7gqpoe4Hp/UEb/X9uLfJ1b8ZitmM1XsPmmSiCskHjrc2BLkAvfrVIXkHc3LOY2uZ/E5stc6Ss2WFE8/uzzVXW0B8fdEK0criludQ8iwR1gypulEcDNomXgkK/1gmmCWosUcVv4jDMDhqBD+b9WYnBB6J73gUclWVMvYDFdNas2PuoRzu5Twc9TAZrTxN5lvLOXAonOo0YiUbUhEC83sfMWYDT5/9OxqcJhAxtgFe9j83MpCwLSwfeLZm7UsUapWDb60MxPJLGvoGD/ZOhkeYt/YCZYROa57TMslVIL5YU1KCiNWvtRjIqnvdiBxI7MRvPUfAoawS4ktT5PDhTTfrixFbaF95jul2kKBXV+OYB1UNsFhcCgZx9rzYRt4lNmBv4m4HeXIp3EYY8VlGLQ45BVVqjJ4QkISvb7ifQWH1aPMQllj+J3GwW0KJN0dEgsh1LT+C7W5I5mq461NOTF1eih/XRBeuPoLlgApxiGXvFCTx8lji2/JIdOaqcg29hdabSprxa0YMStChi2pbtHhRzAuFCp8mInGt8Q406vu67Y4/51yuwI40YeDVu0lf010TB+/v2Zy3OrNyjlqrD5JNynsLuRl3UhuAKC14Xhg/MiDLvTzfsYE8aog==
+  template:
+    metadata:
+      name: forte-drop-pg-creds
+      namespace: forte-drop

infra/overlays/upc-dev/forte-drop-postgresql/resources/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+- forte-drop-pg-creds-sealed.yaml
+- pg-backup-cronjob.yaml

infra/overlays/upc-dev/forte-drop-postgresql/resources/pg-backup-cronjob.yaml

@@ -0,0 +1,93 @@
+# Nightly logical backup of the forte-drop Postgres → UpCloud Managed Object Storage.
+# Dumps to s3://drops/_pgbackups/ (the `_` prefix is collision-proof: app slugs match
+# /^[a-z0-9][a-z0-9-]{0,62}$/ and can never start with `_`). Retains 30 days.
+#
+# Pod shape: initContainer pg_dump → shared emptyDir → mc upload + retention prune.
+# Both images pinned. S3 creds reuse forte-drop-secrets (the app's UpCloud user has
+# s3:* on the drops bucket). PG creds from forte-drop-pg-creds.
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: forte-drop-pg-backup
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: forte-drop
+    app.kubernetes.io/component: backup
+spec:
+  schedule: "0 2 * * *"           # 02:00 UTC daily
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: postgresql
+            app.kubernetes.io/instance: forte-drop
+            app.kubernetes.io/component: backup
+        spec:
+          restartPolicy: Never
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65532
+            fsGroup: 65532
+          volumes:
+          - name: work
+            emptyDir: {}
+          initContainers:
+          - name: dump
+            image: postgres:16-alpine
+            command:
+            - sh
+            - -c
+            - |
+              set -euo pipefail
+              TS=$(date -u +%Y%m%dT%H%M%SZ)
+              echo "dumping to /work/forte-drop-${TS}.sql.gz"
+              PGPASSWORD="$PGPASSWORD" pg_dump \
+                -h forte-drop-postgresql.forte-drop.svc \
+                -p 5432 -U "$PGUSER" -d drops \
+                --no-owner --no-privileges \
+                | gzip -9 > "/work/forte-drop-${TS}.sql.gz"
+              echo "dump complete: $(ls -lh /work/)"
+            env:
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef: { name: forte-drop-pg-creds, key: pgusername }
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef: { name: forte-drop-pg-creds, key: pgpassword }
+            volumeMounts:
+            - name: work
+              mountPath: /work
+          containers:
+          - name: upload
+            image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
+            command:
+            - sh
+            - -c
+            - |
+              set -euo pipefail
+              mc alias set obj "$S3_ENDPOINT" "$S3_KEY" "$S3_SECRET"
+              mc cp /work/*.sql.gz "obj/${S3_BUCKET}/_pgbackups/"
+              echo "uploaded. pruning backups older than 30d:"
+              mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true
+              echo "backup retention pass complete"
+            env:
+            - name: S3_ENDPOINT
+              valueFrom:
+                secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT }
+            - name: S3_BUCKET
+              value: "drops"
+            - name: S3_KEY
+              valueFrom:
+                secretKeyRef: { name: forte-drop-secrets, key: S3_KEY }
+            - name: S3_SECRET
+              valueFrom:
+                secretKeyRef: { name: forte-drop-secrets, key: S3_SECRET }
+            volumeMounts:
+            - name: work
+              mountPath: /work

infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml

@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: forte-drop-postgresql
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: forte-drop
+    app.kubernetes.io/component: database
+spec:
+  type: ClusterIP
+  ports:
+  - name: tcp-postgresql
+    port: 5432
+    targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: forte-drop
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: forte-drop-postgresql
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: forte-drop
+    app.kubernetes.io/component: database
+spec:
+  serviceName: forte-drop-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/instance: forte-drop
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgresql
+        app.kubernetes.io/instance: forte-drop
+        app.kubernetes.io/component: database
+    spec:
+      containers:
+      - name: postgresql
+        image: postgres:16-alpine
+        # NOTE: no securityContext. The official postgres image's entrypoint must
+        # start as root to chown a fresh /var/lib/postgresql/data, then drops to
+        # the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
+        # breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
+        ports:
+        - name: tcp-postgresql
+          containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: forte-drop-pg-creds
+              key: pgusername
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: forte-drop-pg-creds
+              key: pgpassword
+        - name: POSTGRES_DB
+          value: drops
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d drops
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d drops
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+      annotations:
+        argocd.argoproj.io/sync-options: Prune=false,Delete=false
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      storageClassName: upcloud-block-storage-maxiops
+      resources:
+        requests:
+          storage: 5Gi

infra/overlays/upc-dev/kustomization.yaml

@@ -2,6 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- vaultwarden-postgresql
+- vaultwarden
+- forte-drop-postgresql
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
+
+patches:
+- target:
+    kind: Application
+    name: databunker
+  patch: |
+    - op: add
+      path: /spec/sources/0/helm/valueFiles/-
+      value: $values/infra/values/upc-dev/databunker-values.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vaultwarden-postgresql.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+- vaultwarden-db-secret-sealed.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden-postgresql
+  namespace: vaultwarden
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: vaultwarden
+    app.kubernetes.io/component: database
+spec:
+  type: ClusterIP
+  ports:
+  - name: tcp-postgresql
+    port: 5432
+    targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: vaultwarden
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: vaultwarden-postgresql
+  namespace: vaultwarden
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: vaultwarden
+    app.kubernetes.io/component: database
+spec:
+  serviceName: vaultwarden-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/instance: vaultwarden
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgresql
+        app.kubernetes.io/instance: vaultwarden
+        app.kubernetes.io/component: database
+    spec:
+      containers:
+      - name: postgresql
+        image: postgres:16-alpine
+        ports:
+        - name: tcp-postgresql
+          containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: prod-db-creds
+              key: pgusername
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: prod-db-creds
+              key: pgpassword
+        - name: POSTGRES_DB
+          value: vaultwarden
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi

infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: prod-db-creds
+  namespace: vaultwarden
+spec:
+  encryptedData:
+    DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
+    SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
+    SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
+    adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
+    pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
+    pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
+  template:
+    metadata:
+      creationTimestamp: null
+      name: prod-db-creds
+      namespace: vaultwarden

infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden-postgresql
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/name: vaultwarden-postgresql
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vaultwarden
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates