token

multi-cloud + mcp
2026-04-22 13:37:32 +02:00 · 2026-04-22 13:34:48 +02:00
119 changed files with 2134 additions and 2112 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +0,0 @@
 # Force LF line endings for shell scripts
 *.sh text eol=lf
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # Kubernetes Cluster - GitOps Configuration
-> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for multi-cloud Kubernetes (UpCloud, AWS EKS, Azure AKS, GCP GKE)
+> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for UpCloud Managed Kubernetes
 [![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/)
-[![Kubernetes](https://img.shields.io/badge/Kubernetes-Multi--Cloud-orange)]()
+[![Kubernetes](https://img.shields.io/badge/Kubernetes-UpCloud-orange)](https://upcloud.com/)
 ---
@@ -95,26 +95,14 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │   │   ├── renovate.yaml
 │   │   ├── ...                # All other Application manifests
 │   │   └── secrets.yaml
-│   ├── overlays/              # Per-cluster overrides (Kustomize)
+│   ├── overlays/              # Per-cluster overrides
-│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
+│   │   ├── upc-dev/           # UpCloud Dev cluster (uses base as-is)
-│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
+│   │   └── upc-prod/         # UpCloud Prod cluster (patches value paths)
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
 │   │   ├── aks-dev/        # Azure AKS Dev
 │   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
-│       ├── base/              # Shared cloud-agnostic values
+│       ├── base/              # Shared values (all clusters)
-│       ├── upc-dev/           # UpCloud Dev (storage, LB, pricing)
+│       ├── upc-dev/           # UpCloud Dev-specific values
-│       ├── upc-prod/         # UpCloud Prod
+│       └── upc-prod/         # UpCloud Prod-specific values
 │       ├── eks-dev/           # AWS EKS Dev
 │       ├── eks-prod/         # AWS EKS Prod
 │       ├── aks-dev/        # Azure AKS Dev
 │       ├── aks-prod/       # Azure AKS Prod
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
 ├── apps/                      # Business Applications
 │   ├── mcp10x.yaml
@@ -355,6 +343,7 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
@@ -372,7 +361,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{upc-dev,upc-prod}/` render the base Applications with per-cluster patches (e.g., swapping value file paths from `upc-dev` to `upc-prod`).
 ### Multi-Source Pattern
 Applications reference both:
@@ -469,14 +458,16 @@ Documentation lives in `docs/`. To update:
 ## 📝 Notes
 ### Current Environment
- **Provider**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
+- **Provider**: UpCloud Managed Kubernetes
 - **Active clusters**: UpCloud (upc-dev, upc-prod)
 - **Environment**: Production (internal use only)
 - **Clusters**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
 - **Auth**: Disabled for ArgoCD (internal access)
- **Backup**: Gitea daily backup to S3-compatible storage
+- **Backup**: None (cluster rebuildable via GitOps)
 ### Known Limitations
 - No automated backups (yet)
 - Secret rotation not automated
 - Multi-cluster limited to upc-dev and upc-prod environments
 - DNS management is manual
 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -513,7 +504,7 @@ Internal use only. Not for public distribution.
 ---
-**Last Updated**: 2026-04-22
+**Last Updated**: 2026-03-16
 **Documentation Version**: 1.0.0
 **🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!**
--- a/_app-of-apps-aks-dev.yaml
+++ b/_app-of-apps-aks-dev.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: infra/overlays/aks-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/_app-of-apps-aks-prod.yaml
+++ b/_app-of-apps-aks-prod.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: infra/overlays/aks-prod
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/_app-of-apps-eks-dev.yaml
+++ b/_app-of-apps-eks-dev.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: infra/overlays/eks-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/_app-of-apps-eks-prod.yaml
+++ b/_app-of-apps-eks-prod.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: infra/overlays/eks-prod
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/_app-of-apps-gke-prod.yaml
+++ b/_app-of-apps-gke-prod.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: infra/overlays/gke-prod
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/_app-of-apps-upc-prod.yaml
+++ b/_app-of-apps-upc-prod.yaml
@@ -18,7 +18,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    path: infra/overlays/upc-prod
  destination:
--- a/apps/base/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack.yaml
@@ -37,7 +37,7 @@ spec:
      - $values/infra/values/base/dot-ai-stack-values.yaml
      - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    ref: values
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -4,5 +4,4 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
 - ts-mcp.yaml
 - argo-mcp.yaml
--- a/apps/base/ts-mcp.yaml
+++ b/apps/base/ts-mcp.yaml
@@ -1,40 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: ts-mcp
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "11"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
    app.kubernetes.io/name: ts-mcp
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/ts-mcp/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: ts-mcp
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,9 +1,8 @@
 #!/bin/zsh
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
 echo "running $0 for cluster: ${CLUSTER}..."
@@ -28,8 +27,8 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
+    kubectl apply -f private/gitea-repo-main.yaml
-    kubectl apply -f "private/${CLUSTER}/main.key"
+    kubectl apply -f private/main.key
 }
 ############################################################
@@ -37,15 +36,10 @@ Gitea()
 ############################################################
 ArgoCd()
 {
    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
    # install argocd
    echo "Installing ArgoCD..."
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --version "7.8.0" \
            --namespace argocd --create-namespace \
            --values infra/values/base/argocd-values.yaml \
            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -55,4 +49,4 @@ ArgoCd()
    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
-Bootstrap
+# Bootstrap
--- a/cluster-resources/argocd-oidc-secret-sync.yaml
+++ b/cluster-resources/argocd-oidc-secret-sync.yaml
@@ -1,83 +0,0 @@
 # CronJob: syncs OIDC client secret from registrar-managed
 # argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
 # Runs every 2 min. No-ops if source secret doesn't exist yet
 # (safe for fresh deploys before Keycloak is up).
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-oidc-sync
 subjects:
 - kind: ServiceAccount
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 spec:
  schedule: "*/2 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: argocd-oidc-sync
          restartPolicy: Never
          containers:
          - name: sync
            image: bitnami/kubectl:latest
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              # Exit gracefully if source secret doesn't exist yet
              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
                exit 0
              fi
              # Read current OIDC client secret
              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
                -o jsonpath='{.data.client-secret}' | base64 -d)
              # Read current value in argocd-secret (if any)
              CURRENT=$(kubectl get secret argocd-secret -n argocd \
                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
              # Only patch if changed
              if [ "$NEW_SECRET" = "$CURRENT" ]; then
                echo "oidc.clientSecret already up to date"
                exit 0
              fi
              kubectl patch secret argocd-secret -n argocd --type merge \
                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
              echo "Patched argocd-secret with oidc.clientSecret"
--- a/cluster-resources/argocd-repo-server-config.yaml
+++ b/cluster-resources/argocd-repo-server-config.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-repo-server-config
  namespace: argocd
 data:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  ARGOCD_GIT_MODULES_ENABLED: "false"
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -26,6 +26,7 @@ spec:
          - monitoring
          - secrets
          - kyverno
          - trivy-system
    match:
      any:
      - resources:
--- a/cluster-resources/policies/secret-cloner.yaml
+++ b/cluster-resources/policies/secret-cloner.yaml
@@ -16,6 +16,7 @@ spec:
      - resources:
          namespaces:
          - kube-system
          - trivy-system
          - monitoring
          - argocd
          - cert-manager
--- a/clusters/aks-dev.yaml
+++ b/clusters/aks-dev.yaml
@@ -1,12 +0,0 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
 clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
 keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
 dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
 dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
 letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
 cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/aks-prod.yaml
+++ b/clusters/aks-prod.yaml
@@ -1,12 +0,0 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
 clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
 keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
 dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
 dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
 letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
 cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/eks-dev.yaml
+++ b/clusters/eks-dev.yaml
@@ -1,12 +0,0 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
 clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
 keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
 dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
 dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
 letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
 cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/eks-prod.yaml
+++ b/clusters/eks-prod.yaml
@@ -1,12 +0,0 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
 clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
 keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
 dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
 dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
 letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
 cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/gke-dev.yaml
+++ b/clusters/gke-dev.yaml
@@ -1,12 +0,0 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
 clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
 keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
 dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
 dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
 letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
 cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/gke-prod.yaml
+++ b/clusters/gke-prod.yaml
@@ -1,12 +0,0 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
 clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
 keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
 dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
 dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
 letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
 cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/upc-dev.yaml
+++ b/clusters/upc-dev.yaml
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: dev-fd-no-svg1
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: forteapps.net
-clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.127.0.0.1.nip.io
-domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.forteapps.net
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
+keycloakDomain: id.forteapps.net
-grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.forteapps.net
-keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.forteapps.net
-dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+letsencryptEmail: danijels@gmail.com
-dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+trustedIPs: "172.16.1.0/24"
-letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: upcloud
 trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
 cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/upc-prod.yaml
+++ b/clusters/upc-prod.yaml
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: prod-fd-no-svg1
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: fortedigital.com
-clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.127.0.0.1.nip.io
-domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.fortedigital.com
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
+keycloakDomain: id.fortedigital.com
-grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.fortedigital.com
-keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.fortedigital.com
-dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+letsencryptEmail: danijel.simeunovic@fortedigital.com
-dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+trustedIPs: "172.16.1.0/24"
-letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: upcloud
 trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
 cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
--- a/devbox.json
+++ b/devbox.json
@@ -1,32 +0,0 @@
 {
  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
  "packages": [
    "kubectl@1.33.2",
    "kubernetes-helm@3.18.4",
    "k9s@0.50.7",
    "kubeseal@0.30.0",
    "argocd@2.14.11",
    "kubecm@0.33.1",
    "kubectl-tree@0.4.3",
    "kind@0.29.0",
    "kustomize@5.7.0",
    "kyverno@1.14.3",
    "syft@1.29.0",
    "grype@0.92.2",
    "traefik@3.6.7",
    "claude-code@latest",
    "go@latest",
    "dotnet-sdk@latest",
    "opentofu@1.11.6"
  ],
  "shell": {
    "init_hook": [
      "echo 'Welcome to devbox!' > /dev/null"
    ],
    "scripts": {
      "test": [
        "echo \"Error: no test specified\" && exit 1"
      ]
    }
  }
 }
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -654,11 +654,21 @@ kubectl create secret generic myapp-credentials \
 #### Step 2: Seal the Secret
 Get the public certificate (one-time setup):
 ```bash
 # Fetch public cert from cluster
 kubeseal --fetch-cert \
  --controller-name=sealed-secrets-controller \
  --controller-namespace=kube-system \
  > pub-cert.pem
 ```
 Seal your secret:
 ```bash
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
@@ -701,7 +711,7 @@ kubectl create secret generic myapp-credentials \
 # 2. Seal it
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
@@ -952,46 +962,6 @@ User sees application (authenticated)
 ---
 ### Accessing Authenticated User Information
 The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
 After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
 | Header | Description | Available in |
 |--------|-------------|-------------|
 | `X-Auth-User` | Username or display name | Token, OIDC, MCP |
 | `X-Auth-Email` | User email address | OIDC |
 | `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
 | `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
 | `X-Auth-Token` | The validated access token | All modes |
 **Your application reads these headers — no auth library needed:**
 ```javascript
 // Express.js example
 app.get('/profile', (req, res) => {
  const user = req.headers['x-auth-user'];
  const email = req.headers['x-auth-email'];
  res.json({ user, email });
 });
 ```
 ```python
 # Flask example
@app.route('/profile')
 def profile():
    user = request.headers.get('X-Auth-User')
    email = request.headers.get('X-Auth-Email')
    return jsonify(user=user, email=email)
 ```
 **Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
 **Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
 ---
 ### Authentication Configuration Reference
 #### Helm Values Schema
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -12,11 +12,11 @@
 ## Overview
-This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster setup is **cloud-agnostic**, with ready-to-use configurations for **UpCloud**, **AWS EKS**, **Azure AKS**, and **GCP GKE**.
+This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on **UpCloud Managed Kubernetes** but is designed to be cloud-agnostic.
 ### Key Characteristics
 - **Environment**: Production (internal use only)
- **Cluster Type**: Multi-cloud, multi-cluster via Kustomize overlays (UpCloud, AWS, Azure, GCP)
+- **Cluster Type**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
@@ -63,7 +63,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                        ▼
                                           ┌────────────────────────────────┐
                                           │   Kubernetes Clusters          │
-                                           │   (UpCloud, AWS, Azure, GCP)    │
+                                           │   (UpCloud: upc-dev, upc-prod) │
                                           │                                │
                                           │  ┌──────────────────────────┐  │
                                           │  │    ArgoCD                │  │
@@ -131,22 +131,26 @@ launchpad/
 │   │   ├── renovate.yaml
 │   │   ├── ...                       # All other Application manifests
 │   │   └── secrets.yaml
-│   ├── overlays/                     # Per-cluster Kustomize overrides
+│   ├── overlays/                     # Per-cluster overrides
 │   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   └── upc-prod/                # UpCloud Prod (patches value paths)
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
 │   │   ├── aks-dev/               # Azure AKS Dev
 │   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
-│       ├── base/                     # Cloud-agnostic shared values
+│       ├── base/                     # Shared values (all clusters)
-│       ├── upc-{dev,prod}/           # UpCloud: storage class, LB, pricing
+│       │   ├── traefik-values.yaml
-│       ├── aws-{dev,prod}/           # AWS: gp3, NLB, CUR pricing
+│       │   ├── keycloak-values.yaml
-│       ├── aks-{dev,prod}/         # Azure: managed-csi-premium, Standard LB
+│       │   ├── grafana-values.yaml
-│       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
+│       │   ├── prometheus-values.yaml
 │       │   ├── gitea-values.yaml
 │       │   └── ...
 │       ├── upc-dev/                  # upc-dev cluster-specific values
 │       │   ├── traefik-values.yaml
 │       │   ├── keycloak-values.yaml
 │       │   └── grafana-values.yaml
 │       └── upc-prod/                # upc-prod cluster-specific values
 │           ├── traefik-values.yaml
 │           ├── keycloak-values.yaml
 │           └── grafana-values.yaml
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
 │   ├── base/                         # Base app manifests
@@ -283,7 +287,7 @@ app-repository/
 ### The App-of-Apps Pattern
 ```
-_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, eks-prod, gke-dev)
+_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
    │
    ├── infrastructure-apps (manages infra/)
    │   ├── cluster-resources-application
@@ -373,15 +377,6 @@ patches:
      value: $values/infra/values/upc-prod/traefik-values.yaml
 ```
 Cloud-specific values (storage classes, load balancer annotations, cost model) are isolated in per-cluster value files. Base values are fully cloud-agnostic:
 | Cloud | Storage Class | Load Balancer | OpenCost Provider |
 |-------|--------------|---------------|-------------------|
 | **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud LB (ProxyProtocol v2) | Custom pricing |
 | **AWS EKS** | `gp3` (EBS CSI) | NLB (ProxyProtocol v2) | AWS CUR |
 | **Azure AKS** | `managed-csi-premium` | Standard LB (`externalTrafficPolicy: Local`) | Azure Billing API |
 | **GCP GKE** | `premium-rwo` (PD CSI) | L4 passthrough NLB | GCP Cloud Billing |
 **Benefits**:
 - Single source of truth for Application definitions
 - Cluster-specific values isolated per overlay
@@ -663,6 +658,6 @@ Notifications include:
 ---
-**Last Updated**: 2026-04-22
+**Last Updated**: 2026-03-16
 **Maintained By**: Platform Team
 **Questions?**: Contact #platform-support on Slack
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -37,7 +37,7 @@ Bootstrap a new cluster from scratch:
 #### Prerequisites
-1. **Kubernetes cluster running** (UpCloud, AWS EKS, Azure AKS, GCP GKE, or any K8s cluster)
+1. **Kubernetes cluster running** (UpCloud or any K8s cluster)
 2. **kubectl configured** with admin access
 3. **Repositories cloned** locally
@@ -54,13 +54,11 @@ kubectl get nodes
 git clone https://git.forteapps.net/Forte/launchpad
 cd launchpad
-# 2. Run bootstrap script with cluster target
+# 2. Set cluster name (optional)
-# Available clusters: upc-dev, upc-prod, eks-dev, eks-prod,
+export CLUSTER_NAME="prod-cluster-01"
 #                     aks-dev, aks-prod, gke-dev, gke-prod
 ./bootstrap.sh upc-dev
-# Cluster config is loaded from clusters/<cluster>.yaml
+# 3. Run bootstrap script
-# (cloudProvider, trustedIPs, domain, etc.)
+./bootstrap.sh
 ```
 **What Happens:**
@@ -1264,21 +1262,13 @@ spec:
 ### Backup Strategy
-**Current State**: Gitea daily backups to S3-compatible storage
+**Current State**: No automated backups
-**What Is Backed Up**:
+**What Needs Backup**:
- ✅ Gitea repositories + database: Daily CronJob (`cluster-resources/gitea-backup-cronjob.yaml`) uploads to S3-compatible storage with 7-day retention
+- ❌ Cluster state (not backed up - recreate via GitOps)
- ✅ Git repositories: Full cluster config recoverable from Git
+- ❌ Persistent volumes (currently not critical)
- ⚠️ Secrets: Sealed secrets in Git; unseal keys need safekeeping
+- ✅ Git repositories (Gitea provides backup)
-
+- ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
 **What Is NOT Backed Up**:
 - ❌ Cluster state (recreate via GitOps)
 - ❌ Other persistent volumes (Prometheus, Loki, Tempo data)
 **Per-cloud backup scripts** (manual restore helpers):
 - UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-eks.sh` (MinIO CLI, S3-compatible)
 - Azure: `scripts/gitea-backup-aks.sh` (Azure CLI + Blob Storage)
 - GCP: `scripts/gitea-backup-gke.sh` (gsutil + GCS)
 ### Cluster Rebuild
@@ -1380,9 +1370,6 @@ kubectl get pods -n argocd
 ```bash
 # UpCloud: Upgrade via control panel or CLI
 # AWS EKS: eksctl upgrade cluster / AWS Console
 # Azure AKS: az aks upgrade / Azure Portal
 # GCP GKE: gcloud container clusters upgrade / Cloud Console
 # After upgrade, verify cluster
 kubectl version
@@ -1520,35 +1507,18 @@ git push
 ### Multi-Cluster Setup
-The repository supports multiple clusters across multiple clouds via Kustomize overlays:
+The repository supports multiple clusters via Kustomize overlays:
 **Active clusters:**
 - **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
 - **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
 **Cloud-ready templates (fill in `clusters/*.yaml` before use):**
 - **eks-dev** / **eks-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
 - **aks-dev** / **aks-prod**: Azure AKS with Standard LB, managed-csi-premium storage
 - **gke-dev** / **gke-prod**: GCP GKE with L4 LB, premium-rwo storage
 Each cluster has its own:
- Root app-of-apps: `_app-of-apps-{cluster}.yaml`
+- Root app-of-apps file: `_app-of-apps-upc-dev.yaml` / `_app-of-apps-upc-prod.yaml`
- Cluster config: `clusters/{cluster}.yaml` (domain, trustedIPs, cloudProvider)
+- Cluster-specific Helm values: `infra/values/upc-dev/` / `infra/values/upc-prod/`
- Kustomize overlay: `infra/overlays/{cluster}/kustomization.yaml`
+- Sealed secrets: `secrets/upc-dev/` (others as needed)
- Helm value overrides: `infra/values/{cluster}/` (traefik, gitea, opencost)
+- Apps overlay: `apps/overlays/upc-dev/` / `apps/overlays/upc-prod/`
 - Sealed secrets: `secrets/{cluster}/` (as needed)
 - Apps overlay: `apps/overlays/{cluster}/`
-Cloud-specific values handled per-cluster:
+To add a new cluster, create a new overlay directory (e.g., `infra/overlays/upc-staging/`) with patches that swap the value file paths.
 | Concern | UpCloud | AWS EKS | Azure AKS | GCP GKE |
 |---------|---------|---------|-----------|---------|
 | **Storage class** | `upcloud-block-storage-maxiops` | `gp3` | `managed-csi-premium` | `premium-rwo` |
 | **Load balancer** | UpCloud LB + ProxyProtocol v2 | NLB + ProxyProtocol v2 | Standard LB + `externalTrafficPolicy: Local` | L4 passthrough NLB |
 | **Cost monitoring** | Custom pricing | AWS CUR | Azure Billing API | GCP Cloud Billing |
 | **Backup storage** | UpCloud S3-compat | AWS S3 (native) | Azure Blob Storage | GCS |
 To add a new cluster, create a new overlay directory (e.g., `infra/overlays/eks-staging/`) with patches that swap the value file paths, and a matching `clusters/eks-staging.yaml`.
 ### Blue-Green Deployments
@@ -1691,6 +1661,6 @@ echo "Remember to delete: $SECRET_FILE"
 ---
-**Last Updated**: 2026-04-22
+**Last Updated**: 2026-03-16
 **Maintained By**: Platform Team
 **Emergency Contact**: #platform-support on Slack
--- a/docs/README.md
+++ b/docs/README.md
@@ -180,7 +180,7 @@ Reference for:
                            │
                            ▼
 ┌──────────────────────────────────────────────────────────────┐
-│          Kubernetes Clusters (UpCloud, AWS, Azure, GCP)       │
+│          Kubernetes Clusters (UpCloud: upc-dev, upc-prod)     │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies
 - **GitOps**: ArgoCD
- **Kubernetes**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
+- **Kubernetes**: UpCloud Managed Kubernetes (multi-cluster: upc-dev, upc-prod)
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno
@@ -299,16 +299,11 @@ docs/
 ## 🔄 Documentation Versions
 **Current Version**: 1.0.0
-**Last Updated**: 2026-04-22
+**Last Updated**: 2026-03-16
 **Maintained By**: Platform Team
 ### Changelog
 - **v1.1.0 (2026-04-22)**: Multi-cloud support
  - Cloud-agnostic base values (storage, LB, pricing moved to per-cluster overlays)
  - Added AWS EKS, Azure AKS, GCP GKE configurations
  - Per-cloud backup scripts
  - Updated all documentation
 - **v1.0.0 (2026-03-16)**: Initial comprehensive documentation release
  - GitOps Architecture guide
  - Developer Onboarding guide
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -20,10 +20,9 @@
 | Component | Value |
 |-----------|-------|
-| **Provider** | Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) |
+| **Provider** | UpCloud Managed Kubernetes |
-| **Environment** | Dev + Production per cloud |
+| **Environment** | Production (internal use) |
-| **Active clusters** | UpCloud (upc-dev, upc-prod) |
+| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
 | **Cloud-ready templates** | EKS, AKS, GKE (dev + prod each) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -44,7 +43,7 @@ Internet
 [DNS: *.forteapps.net]
   │
   ▼
-[Cloud Load Balancer]
+[UpCloud LoadBalancer]
   │
   ▼
 [Traefik Ingress Controller]
@@ -88,6 +87,7 @@ launchpad/
 │   ├── loki.yaml
 │   ├── tempo.yaml
 │   ├── fluent-bit.yaml
 │   ├── trivy.yaml
 │   ├── gitea.yaml
 │   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
@@ -147,30 +147,12 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── base/                     # All SealedSecrets (shared across clouds)
+│   ├── argocd-mcp-credentials.yaml
-│   │   ├── kustomization.yaml
+│   ├── dot-ai-secrets.yaml
-│   │   ├── argocd-forte-helm-secret-sealed.yaml
+│   ├── gitea-credentials-sealed.yaml
-│   │   ├── argocd-mcp-credentials.yaml
+│   ├── gitea-runner-token-sealed.yaml
-│   │   ├── argocdmcp-auth-oidc-sealed.yaml
+│   ├── mcp10x-credentials-sealed.yaml
-│   │   ├── dot-ai-secrets.yaml
+│   └── musicman-credentials.yaml
 │   │   ├── forte10x-app-credentials-sealed.yaml
 │   │   ├── gitea-backup-s3-sealed.yaml
 │   │   ├── gitea-credentials-sealed.yaml
 │   │   ├── gitea-runner-token-sealed.yaml
 │   │   ├── gitea-smtp-secret-sealed.yaml
 │   │   ├── keycloak-credentials-sealed.yaml
 │   │   ├── musicman-auth-oidc-sealed.yaml
 │   │   ├── musicman-credentials.yaml
 │   │   └── renovate-env-sealed.yaml
 │   └── overlays/                 # Per-cloud overlays (reference base)
 │       ├── aks-dev/kustomization.yaml
 │       ├── aks-prod/kustomization.yaml
 │       ├── eks-dev/kustomization.yaml
 │       ├── eks-prod/kustomization.yaml
 │       ├── gke-dev/kustomization.yaml
 │       ├── gke-prod/kustomization.yaml
 │       ├── upc-dev/kustomization.yaml
 │       └── upc-prod/kustomization.yaml
 │
 ├── scripts/                       # Operational helper scripts
 │   ├── gitea-backup.sh            # S3 backup helper (list/download)
@@ -648,95 +630,6 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 ### Global Settings (`argocd-cm`)
 | Setting | Value | Purpose |
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
 | `admin.enabled` | `false` | Admin login disabled (SSO-only) |
 | `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
 **Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
 ```yaml
 configs:
  params:
    "reposerver.enable.git.submodule": "false"
 ```
 This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
 **Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
 ```bash
 # Enable admin login
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
 # Log in as admin, do what's needed, then disable again
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
 ```
 ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
 **OIDC Authentication** (Keycloak):
 ```yaml
 configs:
  cm:
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbacConfig:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
 ```
 **Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
 | KC Group | ArgoCD Role | Access |
 |----------|-------------|--------|
 | `ArgoCD Admins` | `role:admin` | Full control over all apps |
 | `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
 | `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
 | `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
 | `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
 **Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
 ```yaml
 # infra/values/upc-dev/argocd-values.yaml
 configs:
  rbac:
    policy.upc-dev.csv: |
      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
      g, Staging Deployers, role:staging-deployer
 ```
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
 - `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
 - OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
 - The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
 - Safe for fresh deploys: no-ops if source secret doesn't exist yet
 **Ingress** (Traefik + TLS):
 ```yaml
 server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
 configs:
  params:
    "server.insecure": true
 ```
 TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 ---
 ## Infrastructure Components
@@ -812,10 +705,6 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`
 **Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
 To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -856,15 +745,6 @@ kubeStateMetrics:
 - Loki
 - Tempo
 **Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
 **OIDC Authentication** (Keycloak):
 - Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
 - Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
 - SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
 - Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
 - Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
 ### Loki
 **Chart**: `grafana/loki-stack`
@@ -1217,33 +1097,6 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 ### Karpor
 **Chart**: `karpor` from `https://kusionstack.github.io/charts`
 **Version**: 0.7.6 (app v0.6.4)
 **Namespace**: `karpor`
 **Sync Wave**: 1
 **Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
 **Architecture** (4 components):
 - **Server** — main Karpor API/UI (port 7443)
 - **Syncer** — syncs cluster state into the search index
 - **ElasticSearch** — search backend for resource indexing
 - **etcd** — persistent key-value store (10Gi PVC)
 **Configuration** (`infra/values/base/karpor-values.yaml`):
 - `namespaceEnabled: false` — ArgoCD manages namespace creation
 - Default resource limits tuned for small clusters
 - ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
 - AI features available but not enabled (requires `server.ai.authToken` + backend config)
 **Access**: Port-forward to reach the UI:
 ```bash
 kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
 # Open https://localhost:7443
 ```
 ### Renovate
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1691,23 +1544,7 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
-#### Forwarded Headers
+**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
 After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
 | Header | Description | Auth Modes |
 |--------|-------------|------------|
 | `X-Auth-User` | Username or display name | Token, OIDC, MCP |
 | `X-Auth-Email` | User email address | OIDC |
 | `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
 | `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
 | `X-Auth-Token` | The validated access token | All modes |
 These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
 Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
 **See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
 ---
@@ -1741,22 +1578,14 @@ Recommended resource allocation:
 ### Storage Classes
-Storage classes are cloud-specific and configured in per-cluster value overrides (`infra/values/{cluster}/gitea-values.yaml`):
+Default storage class used: **UpCloud default** (varies by provider)
 | Cloud | Storage Class | Driver |
 |-------|--------------|--------|
 | **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud CSI |
 | **AWS EKS** | `gp3` | EBS CSI |
 | **Azure AKS** | `managed-csi-premium` | Azure Disk CSI |
 | **GCP GKE** | `premium-rwo` | PD CSI |
 ```yaml
 # Example: base values omit storageClass (set in per-cluster overlay)
 persistence:
  enabled: true
  storageClass: ""     # Uses default
  accessMode: ReadWriteOnce
  size: 5Gi
  # storageClass set by infra/values/{cluster}/gitea-values.yaml
 ```
 ---
@@ -1824,18 +1653,7 @@ POST /loki/api/v1/push
 ### Overview
-Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. Adding a new cloud provider only requires a new overlay directory — no base changes.
+Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. This means adding a new cloud provider (AKS, EKS, GKE) only requires a new overlay directory — no base changes.
 ### Supported Clouds
 | Cloud | Dev overlay | Prod overlay | StorageClass | LB type |
 |-------|-----------|-------------|-------------|---------|
 | **UpCloud** | `upc-dev` | `upc-prod` | `upcloud-block-storage-maxiops` | UpCloud LB (proxy protocol v2) |
 | **Azure AKS** | `aks-dev` | `aks-prod` | `managed-csi-premium` | Azure LB |
 | **AWS EKS** | `eks-dev` | `eks-prod` | `gp3` | AWS NLB (proxy protocol) |
 | **GCP GKE** | `gke-dev` | `gke-prod` | `premium-rwo` | GCP NEG |
 Bootstrap any cluster with: `./bootstrap.sh <cluster>` (e.g., `./bootstrap.sh aks-dev`)
 ### How It Works
@@ -1885,20 +1703,22 @@ The `gitea-backup` CronJob uses a generic `s3` alias for `minio/mc`. The actual
 ### Adding a New Cloud Provider
-To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
+To add support for a new cloud (e.g., `aks-dev`):
-1. **Cluster config**: `clusters/oci-dev.yaml` — clusterName, domain, trustedIPs, cloudProvider
+1. **Create overlay value directory**: `infra/values/aks-dev/`
-2. **Overlay value files** in `infra/values/oci-dev/`:
+2. **Add cloud-specific value files** for each component that needs one:
   - `traefik-values.yaml` — LB annotations, proxy protocol config
-   - `keycloak-values.yaml` — hostname
+   - `keycloak-values.yaml` — hostname/TLS if different
-   - `grafana-values.yaml` — hostname
+   - `grafana-values.yaml` — hostname/datasources if different
   - `gitea-values.yaml` — `storageClass` for persistence + PostgreSQL
-   - `opencost-values.yaml` — pricing model or cloud billing integration
+   - `opencost-values.yaml` — `customPricing` cost model for your cloud
-3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
+3. **Create a Kustomize overlay** (if needed): `infra/overlays/aks-prod/kustomization.yaml`
-4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
+   - Patch each Application's `valueFiles[1]` to point to `aks-prod/` files
-5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+4. **Create a root Application**: `_app-of-apps-aks-dev.yaml` pointing to the overlay
-6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+5. **Create Sealed Secrets** for the new cluster:
-7. **Bootstrap**: `./bootstrap.sh oci-dev`
+   - `secrets/aks-dev/` — TLS certs, credentials, backup S3 config
 6. **Update `gitea-backup-s3` secret** with the new cloud's S3-compatible endpoint
 7. **Bootstrap**: `kubectl apply -f _app-of-apps-aks-dev.yaml -n argocd`
 ---
@@ -2034,6 +1854,6 @@ team: platform
 ---
-**Last Updated**: 2026-04-22
+**Last Updated**: 2026-04-16
 **Maintained By**: Platform Team
 **Version**: 1.0.0
--- a/infra/base/karpor.yaml
+++ b/infra/base/karpor.yaml
@@ -1,48 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: karpor
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: karpor
    app.kubernetes.io/part-of: developer-portal
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://kusionstack.github.io/charts
    chart: karpor
    targetRevision: "0.7.6"
    helm:
      releaseName: karpor
      valueFiles:
      - $values/infra/values/base/karpor-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: karpor
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/keycloak.yaml
+++ b/infra/base/keycloak.yaml
@@ -15,7 +15,7 @@ spec:
  project: default
  sources:
-  - repoURL: registry-1.docker.io/bitnamicharts
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
@@ -47,7 +47,3 @@ spec:
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - prometheus.yaml
 - loki.yaml
 - fluent-bit.yaml
 - trivy.yaml
 - enterprise-apps.yaml
 - cluster-resources-application.yaml
 - kyverno-policies.yaml
@@ -20,4 +21,4 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
- karpor.yaml
+- network-policies-application.yaml
--- a/infra/base/loki.yaml
+++ b/infra/base/loki.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
@@ -1,32 +1,33 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: infrastructure-apps
+  name: network-policies
  namespace: argocd
  labels:
-    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/name: network-policies
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: infra/overlays/gke-dev
+    path: cluster-resources/network
  destination:
    server: https://kubernetes.default.svc
-    namespace: default
+
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
-    - CreateNamespace=true
+    - Validate=true
    - ServerSideApply=true
--- a/infra/base/opencost.yaml
+++ b/infra/base/opencost.yaml
@@ -24,7 +24,7 @@ spec:
      - $values/infra/values/base/opencost-values.yaml
      - $values/infra/values/upc-dev/opencost-values.yaml
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    ref: values
--- a/infra/base/secrets.yaml
+++ b/infra/base/secrets.yaml
@@ -18,7 +18,7 @@ spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets/overlays/upc-dev
+    path: secrets/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: secrets
--- a/infra/base/tempo.yaml
+++ b/infra/base/tempo.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/traefik-application.yaml
+++ b/infra/base/traefik-application.yaml
@@ -31,7 +31,7 @@ spec:
      - $values/infra/values/base/traefik-values.yaml
      - $values/infra/values/upc-dev/traefik-values.yaml
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    ref: values
--- a/infra/base/trivy.yaml
+++ b/infra/base/trivy.yaml
@@ -0,0 +1,67 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: trivy-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: trivy-operator
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://aquasecurity.github.io/helm-charts
    chart: trivy-operator
    targetRevision: 0.31.0
    helm:
      releaseName: trivy-operator
      valuesObject:
        operator:
          targetNamespaces: ""
          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
          scanJobsInSameNamespace: true
          metricsVulnIdEnabled: true
          metricsImageInfo: true
        trivy:
          ignoreUnfixed: false
  destination:
    server: https://kubernetes.default.svc
    namespace: trivy-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
  - group: apiextensions.k8s.io
    kind: CustomResourceDefinition
    jsonPointers:
    - /metadata/labels
    - /metadata/annotations
    - /metadata/finalizers
--- a/infra/dashboards/kustomization.yaml
+++ b/infra/dashboards/kustomization.yaml
@@ -8,6 +8,9 @@ generatorOptions:
    grafana_dashboard: "1"
 configMapGenerator:
 - name: grafana-dashboard-trivy
  files:
  - trivy.json
 - name: grafana-dashboard-traefik-loki
  files:
  - traefik-loki.json
--- a/infra/dashboards/trivy.json
+++ b/infra/dashboards/trivy.json
--- a/infra/overlays/aks-dev/kustomization.yaml
+++ b/infra/overlays/aks-dev/kustomization.yaml
@@ -1,68 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: opencost
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/opencost-values.yaml
 # Secrets: change path to aks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-dev
 # Enterprise-apps: point to aks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/aks-dev
--- a/infra/overlays/aks-prod/kustomization.yaml
+++ b/infra/overlays/aks-prod/kustomization.yaml
@@ -1,68 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: opencost
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/opencost-values.yaml
 # Secrets: change path to aks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-prod
 # Enterprise-apps: point to aks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/aks-prod
--- a/infra/overlays/eks-dev/kustomization.yaml
+++ b/infra/overlays/eks-dev/kustomization.yaml
@@ -1,68 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: opencost
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/opencost-values.yaml
 # Secrets: change path to eks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-dev
 # Enterprise-apps: point to eks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-dev
--- a/infra/overlays/eks-prod/kustomization.yaml
+++ b/infra/overlays/eks-prod/kustomization.yaml
@@ -1,68 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: opencost
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/opencost-values.yaml
 # Secrets: change path to eks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-prod
 # Enterprise-apps: point to eks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-prod
--- a/infra/overlays/gke-dev/kustomization.yaml
+++ b/infra/overlays/gke-dev/kustomization.yaml
@@ -1,68 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/grafana-values.yaml
 # Gitea: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: opencost
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/opencost-values.yaml
 # Secrets: change path to gke-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-dev
 # Enterprise-apps: point to gke-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-dev
--- a/infra/overlays/gke-prod/kustomization.yaml
+++ b/infra/overlays/gke-prod/kustomization.yaml
@@ -1,68 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/grafana-values.yaml
 # Gitea: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: opencost
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/opencost-values.yaml
 # Secrets: change path to gke-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-prod
 # Enterprise-apps: point to gke-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-prod
--- a/infra/overlays/upc-prod/kustomization.yaml
+++ b/infra/overlays/upc-prod/kustomization.yaml
@@ -56,7 +56,7 @@ patches:
  patch: |
    - op: replace
      path: /spec/source/path
-      value: secrets/overlays/upc-prod
+      value: secrets/upc-prod
 # Enterprise-apps: point to upc-prod overlay
 - target:
--- a/infra/values/aks-dev/gitea-values.yaml
+++ b/infra/values/aks-dev/gitea-values.yaml
@@ -1,7 +0,0 @@
 # AKS-specific: Azure managed disk storage class
 persistence:
  storageClass: managed-csi-premium
 postgresql:
  primary:
    persistence:
      storageClass: managed-csi-premium
--- a/infra/values/aks-dev/grafana-values.yaml
+++ b/infra/values/aks-dev/grafana-values.yaml
@@ -1,4 +0,0 @@
 # AKS-specific: Grafana hostname
 ingress:
  hosts:
  - grafana.forteapps.net
--- a/infra/values/aks-dev/keycloak-values.yaml
+++ b/infra/values/aks-dev/keycloak-values.yaml
@@ -1,3 +0,0 @@
 # AKS-specific: Keycloak hostname
 ingress:
  hostname: id.forteapps.net
--- a/infra/values/aks-dev/opencost-values.yaml
+++ b/infra/values/aks-dev/opencost-values.yaml
@@ -1,8 +0,0 @@
 # AKS-specific: Azure pricing via Cloud Billing API
 opencost:
  exporter:
    cloudProviderApiKey: ""
    customPricing:
      enabled: false
    azure:
      secretName: opencost-azure-billing
--- a/infra/values/aks-dev/traefik-values.yaml
+++ b/infra/values/aks-dev/traefik-values.yaml
@@ -1,11 +0,0 @@
 # AKS-specific: Azure Load Balancer for Traefik
 service:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
 ports:
  web:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
--- a/infra/values/aks-prod/gitea-values.yaml
+++ b/infra/values/aks-prod/gitea-values.yaml
@@ -1,7 +0,0 @@
 # AKS-specific: Azure managed disk storage class (prod)
 persistence:
  storageClass: managed-csi-premium
 postgresql:
  primary:
    persistence:
      storageClass: managed-csi-premium
--- a/infra/values/aks-prod/grafana-values.yaml
+++ b/infra/values/aks-prod/grafana-values.yaml
@@ -1,4 +0,0 @@
 # AKS-specific: Grafana hostname (prod)
 ingress:
  hosts:
  - grafana.fortedigital.com
--- a/infra/values/aks-prod/keycloak-values.yaml
+++ b/infra/values/aks-prod/keycloak-values.yaml
@@ -1,3 +0,0 @@
 # AKS-specific: Keycloak hostname (prod)
 ingress:
  hostname: id.fortedigital.com
--- a/infra/values/aks-prod/opencost-values.yaml
+++ b/infra/values/aks-prod/opencost-values.yaml
@@ -1,8 +0,0 @@
 # AKS-specific: Azure pricing via Cloud Billing API (prod)
 opencost:
  exporter:
    cloudProviderApiKey: ""
    customPricing:
      enabled: false
    azure:
      secretName: opencost-azure-billing
--- a/infra/values/aks-prod/traefik-values.yaml
+++ b/infra/values/aks-prod/traefik-values.yaml
@@ -1,12 +0,0 @@
 # AKS-specific: Azure Load Balancer for Traefik (prod)
 service:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
 ports:
  web:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -2,85 +2,16 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
    # oidc.clientSecret managed by argocd-oidc-sync CronJob
    # (reads from argocd-oidc-credentials, patches argocd-secret)
  ssh:
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
-    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "true"
    admin.enabled: "false"
    url: https://argocd.forteapps.net
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    # Base RBAC — org-wide roles shared across all clusters.
    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
    policy.csv: |
      # Platform administrators — full control
      g, ArgoCD Admins, role:admin
      # Read-only viewers — see all, change nothing
      g, ArgoCD Viewers, role:readonly
      # --- Per-team roles (scoped to default project app names) ---
      # Observability team — manage monitoring stack
      p, role:observability, applications, get, default/prometheus, allow
      p, role:observability, applications, get, default/loki, allow
      p, role:observability, applications, get, default/fluent-bit, allow
      p, role:observability, applications, get, default/tempo, allow
      p, role:observability, applications, get, default/grafana, allow
      p, role:observability, applications, get, default/grafana-dashboards, allow
      p, role:observability, applications, get, default/opencost, allow
      p, role:observability, applications, sync, default/prometheus, allow
      p, role:observability, applications, sync, default/loki, allow
      p, role:observability, applications, sync, default/fluent-bit, allow
      p, role:observability, applications, sync, default/tempo, allow
      p, role:observability, applications, sync, default/grafana, allow
      p, role:observability, applications, sync, default/grafana-dashboards, allow
      p, role:observability, applications, sync, default/opencost, allow
      p, role:observability, logs, get, default/*, allow
      g, Observability Team, role:observability
      # Dev tools team — manage gitea, renovate, karpor
      p, role:devtools, applications, get, default/gitea, allow
      p, role:devtools, applications, get, default/gitea-actions, allow
      p, role:devtools, applications, get, default/renovate, allow
      p, role:devtools, applications, get, default/karpor, allow
      p, role:devtools, applications, sync, default/gitea, allow
      p, role:devtools, applications, sync, default/gitea-actions, allow
      p, role:devtools, applications, sync, default/renovate, allow
      p, role:devtools, applications, sync, default/karpor, allow
      p, role:devtools, logs, get, default/*, allow
      g, Dev Tools Team, role:devtools
      # App developers — manage enterprise apps only
      p, role:app-dev, applications, get, default/enterprise-apps, allow
      p, role:app-dev, applications, sync, default/enterprise-apps, allow
      p, role:app-dev, applications, action, default/enterprise-apps, allow
      p, role:app-dev, logs, get, default/enterprise-apps, allow
      g, App Developers, role:app-dev
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
  params:
    "server.insecure": true
    "reposerver.enable.git.submodule": "false"
 server:
  ingress:
-    enabled: true
+    enabled: false
-    ingressClassName: traefik
+    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -77,7 +77,7 @@ gitea:
      FROM: "noreply@fortedigital.com"
    admin:
-      DEFAULT_EMAIL_NOTIFICATIONS: onmention
+      DEFAULT_EMAIL_NOTIFICATIONS: enabled
  # -- SMTP credentials injected from secret (USER and PASSWD)
  additionalConfigFromEnvs:
@@ -98,7 +98,7 @@ gitea:
    existingSecret: gitea-oidc-credentials
    key: gitea
    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "email profile organization"
+    scopes: "openid email profile organization"
    groupClaimName: "groups"
    adminGroup: ""
    restrictedGroup: ""
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -1,13 +1,5 @@
 ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
  - secretName: grafana-tls
    hosts:
    - grafana.forteapps.net
 resources:
  requests:
    cpu: 50m
@@ -19,29 +11,6 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 envFromSecrets:
 - name: grafana-oidc-credentials
 grafana.ini:
  server:
    root_url: https://grafana.forteapps.net
  auth.generic_oauth:
    enabled: true
    name: Forte SSO
    allow_sign_up: true
    client_id: ${client-id}
    client_secret: ${client-secret}
    scopes: openid email profile
    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
    role_attribute_strict: true
    allow_assign_grafana_admin: true
    auto_login: true
  auth:
    disable_login_form: true
 datasources:
  datasources.yaml:
    apiVersion: 1
--- a/infra/values/base/karpor-values.yaml
+++ b/infra/values/base/karpor-values.yaml
@@ -1,44 +0,0 @@
 # Karpor - Kubernetes Visualization & Intelligence Tool
 # Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
 # Let the ArgoCD Application manage the namespace
 namespaceEnabled: false
 server:
  replicas: 1
  port: 7443
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi
 syncer:
  replicas: 1
  port: 7443
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi
 elasticsearch:
  replicas: 1
  port: 9200
  resources:
    requests:
      cpu: 500m
      memory: 2Gi
    limits:
      cpu: "2"
      memory: 4Gi
 etcd:
  replicas: 1
  port: 2379
  persistence:
    size: 5Gi
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -75,6 +75,7 @@ keycloakConfigCli:
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "gitea",
@@ -97,96 +98,6 @@ keycloakConfigCli:
                }
              }
            ]
          },
          {
            "clientId": "grafana",
            "name": "Grafana",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://grafana.forteapps.net/*"],
            "webOrigins": ["https://grafana.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "monitoring",
              "k8s.secret.name": "grafana-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "client-roles",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-client-role-mapper",
                "config": {
                  "claim.name": "resource_access.grafana.roles",
                  "jsonType.label": "String",
                  "multivalued": "true",
                  "usermodel.clientRoleMapping.clientId": "grafana",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          },
          {
            "clientId": "argocd",
            "name": "ArgoCD",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
            "webOrigins": ["https://argocd.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "argocd",
              "k8s.secret.name": "argocd-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "groups",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-group-membership-mapper",
                "config": {
                  "claim.name": "groups",
                  "full.path": "false",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ],
        "groups": [
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
          },
          {
            "name": "ArgoCD Viewers",
            "path": "/ArgoCD Viewers"
          },
          {
            "name": "Observability Team",
            "path": "/Observability Team"
          },
          {
            "name": "Dev Tools Team",
            "path": "/Dev Tools Team"
          },
          {
            "name": "App Developers",
            "path": "/App Developers"
          }
        ]
      }
--- a/infra/values/base/opencost-values.yaml
+++ b/infra/values/base/opencost-values.yaml
@@ -10,8 +10,6 @@ opencost:
        serviceName: prometheus-server
        namespaceName: monitoring
        port: 80
    # Cloud-specific pricing is in per-cluster value overrides
    # (e.g. infra/values/upc-dev/opencost-values.yaml)
  ui:
    enabled: false
 service:
--- a/infra/values/base/prometheus-values.yaml
+++ b/infra/values/base/prometheus-values.yaml
@@ -36,6 +36,28 @@ extraScrapeConfigs: |
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
  - job_name: trivy-operator
    scrape_interval: 30s
    metrics_path: /metrics
    kubernetes_sd_configs:
      - role: pod
        namespaces:
          names:
            - trivy-system
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
        regex: trivy-operator
        action: keep
      - source_labels: [__meta_kubernetes_pod_container_port_number]
        regex: "8080"
        action: keep
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
        target_label: instance
  - job_name: traefik
    scrape_interval: 15s
    metrics_path: /metrics
--- a/infra/values/eks-dev/gitea-values.yaml
+++ b/infra/values/eks-dev/gitea-values.yaml
@@ -1,7 +0,0 @@
 # EKS-specific: gp3 storage class
 persistence:
  storageClass: gp3
 postgresql:
  primary:
    persistence:
      storageClass: gp3
--- a/infra/values/eks-dev/grafana-values.yaml
+++ b/infra/values/eks-dev/grafana-values.yaml
@@ -1,4 +0,0 @@
 # EKS-specific: Grafana hostname
 ingress:
  hosts:
  - grafana.forteapps.net
--- a/infra/values/eks-dev/keycloak-values.yaml
+++ b/infra/values/eks-dev/keycloak-values.yaml
@@ -1,3 +0,0 @@
 # EKS-specific: Keycloak hostname
 ingress:
  hostname: id.forteapps.net
--- a/infra/values/eks-dev/opencost-values.yaml
+++ b/infra/values/eks-dev/opencost-values.yaml
@@ -1,11 +0,0 @@
 # EKS-specific: AWS pricing via Cost and Usage Report
 opencost:
  exporter:
    cloudProviderApiKey: ""
    customPricing:
      enabled: false
    aws:
      spot_data_region: ""
      spot_data_bucket: ""
      spot_data_prefix: ""
      account_id: ""
--- a/infra/values/eks-dev/traefik-values.yaml
+++ b/infra/values/eks-dev/traefik-values.yaml
@@ -1,17 +0,0 @@
 # EKS-specific: AWS NLB for Traefik
 service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
 ports:
  web:
    proxyProtocol:
      trustedIPs: "10.0.0.0/8"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
    proxyProtocol:
      trustedIPs: "10.0.0.0/8"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
--- a/infra/values/eks-prod/gitea-values.yaml
+++ b/infra/values/eks-prod/gitea-values.yaml
@@ -1,7 +0,0 @@
 # EKS-specific: gp3 storage class (prod)
 persistence:
  storageClass: gp3
 postgresql:
  primary:
    persistence:
      storageClass: gp3
--- a/infra/values/eks-prod/grafana-values.yaml
+++ b/infra/values/eks-prod/grafana-values.yaml
@@ -1,4 +0,0 @@
 # EKS-specific: Grafana hostname (prod)
 ingress:
  hosts:
  - grafana.fortedigital.com
--- a/infra/values/eks-prod/keycloak-values.yaml
+++ b/infra/values/eks-prod/keycloak-values.yaml
@@ -1,3 +0,0 @@
 # EKS-specific: Keycloak hostname (prod)
 ingress:
  hostname: id.fortedigital.com
--- a/infra/values/eks-prod/opencost-values.yaml
+++ b/infra/values/eks-prod/opencost-values.yaml
@@ -1,11 +0,0 @@
 # EKS-specific: AWS pricing via Cost and Usage Report (prod)
 opencost:
  exporter:
    cloudProviderApiKey: ""
    customPricing:
      enabled: false
    aws:
      spot_data_region: ""
      spot_data_bucket: ""
      spot_data_prefix: ""
      account_id: ""
--- a/infra/values/eks-prod/traefik-values.yaml
+++ b/infra/values/eks-prod/traefik-values.yaml
@@ -1,18 +0,0 @@
 # EKS-specific: AWS NLB for Traefik (prod)
 service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
 ports:
  web:
    proxyProtocol:
      trustedIPs: "10.0.0.0/8"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
    proxyProtocol:
      trustedIPs: "10.0.0.0/8"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
--- a/infra/values/gke-dev/gitea-values.yaml
+++ b/infra/values/gke-dev/gitea-values.yaml
@@ -1,7 +0,0 @@
 # GKE-specific: SSD persistent disk storage class
 persistence:
  storageClass: premium-rwo
 postgresql:
  primary:
    persistence:
      storageClass: premium-rwo
--- a/infra/values/gke-dev/grafana-values.yaml
+++ b/infra/values/gke-dev/grafana-values.yaml
@@ -1,4 +0,0 @@
 # GKE-specific: Grafana hostname
 ingress:
  hosts:
  - grafana.forteapps.net
--- a/infra/values/gke-dev/keycloak-values.yaml
+++ b/infra/values/gke-dev/keycloak-values.yaml
@@ -1,3 +0,0 @@
 # GKE-specific: Keycloak hostname
 ingress:
  hostname: id.forteapps.net
--- a/infra/values/gke-dev/opencost-values.yaml
+++ b/infra/values/gke-dev/opencost-values.yaml
@@ -1,10 +0,0 @@
 # GKE-specific: GCP pricing via BigQuery billing export
 opencost:
  exporter:
    cloudProviderApiKey: ""
    customPricing:
      enabled: false
    google:
      key: ""
      project_id: ""
      billing_account: ""
--- a/infra/values/gke-dev/traefik-values.yaml
+++ b/infra/values/gke-dev/traefik-values.yaml
@@ -1,12 +0,0 @@
 # GKE-specific: Google Cloud Load Balancer for Traefik
 service:
  annotations:
    cloud.google.com/neg: '{"ingress":true}'
    networking.gke.io/load-balancer-type: External
 ports:
  web:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
--- a/infra/values/gke-prod/gitea-values.yaml
+++ b/infra/values/gke-prod/gitea-values.yaml
@@ -1,7 +0,0 @@
 # GKE-specific: SSD persistent disk storage class (prod)
 persistence:
  storageClass: premium-rwo
 postgresql:
  primary:
    persistence:
      storageClass: premium-rwo
--- a/infra/values/gke-prod/grafana-values.yaml
+++ b/infra/values/gke-prod/grafana-values.yaml
@@ -1,4 +0,0 @@
 # GKE-specific: Grafana hostname (prod)
 ingress:
  hosts:
  - grafana.fortedigital.com
--- a/infra/values/gke-prod/keycloak-values.yaml
+++ b/infra/values/gke-prod/keycloak-values.yaml
@@ -1,3 +0,0 @@
 # GKE-specific: Keycloak hostname (prod)
 ingress:
  hostname: id.fortedigital.com
--- a/infra/values/gke-prod/opencost-values.yaml
+++ b/infra/values/gke-prod/opencost-values.yaml
@@ -1,10 +0,0 @@
 # GKE-specific: GCP pricing via BigQuery billing export (prod)
 opencost:
  exporter:
    cloudProviderApiKey: ""
    customPricing:
      enabled: false
    google:
      key: ""
      project_id: ""
      billing_account: ""
--- a/infra/values/gke-prod/traefik-values.yaml
+++ b/infra/values/gke-prod/traefik-values.yaml
@@ -1,12 +0,0 @@
 # GKE-specific: Google Cloud Load Balancer for Traefik (prod)
 service:
  annotations:
    cloud.google.com/neg: '{"ingress":true}'
    networking.gke.io/load-balancer-type: External
 ports:
  web:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
--- a/infra/values/upc-dev/argocd-values.yaml
+++ b/infra/values/upc-dev/argocd-values.yaml
@@ -1,5 +1,5 @@
 global:
-  domain: argocd.forteapps.net
+  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "dev-fd-eu-no-svg1"
--- a/infra/values/upc-dev/gitea-values.yaml
+++ b/infra/values/upc-dev/gitea-values.yaml
@@ -1,4 +1,4 @@
-# UpCloud storage class for Gitea and its embedded PostgreSQL
+# UpCloud-specific: block storage class for Gitea + PostgreSQL
 persistence:
  storageClass: upcloud-block-storage-maxiops
 postgresql:
--- a/infra/values/upc-dev/opencost-values.yaml
+++ b/infra/values/upc-dev/opencost-values.yaml
@@ -1,4 +1,4 @@
-# UpCloud custom pricing (no native OpenCost integration)
+# UpCloud-specific: custom pricing model
 opencost:
  exporter:
    customPricing:
--- a/infra/values/upc-prod/gitea-values.yaml
+++ b/infra/values/upc-prod/gitea-values.yaml
@@ -1,4 +1,4 @@
-# UpCloud storage class for Gitea and its embedded PostgreSQL
+# UpCloud-specific: block storage class for Gitea + PostgreSQL
 persistence:
  storageClass: upcloud-block-storage-maxiops
 postgresql:
--- a/infra/values/upc-prod/opencost-values.yaml
+++ b/infra/values/upc-prod/opencost-values.yaml
@@ -1,4 +1,4 @@
-# UpCloud custom pricing (no native OpenCost integration)
+# UpCloud-specific: custom pricing model
 opencost:
  exporter:
    customPricing:
--- a/scripts/gitea-backup-aks.sh
+++ b/scripts/gitea-backup-aks.sh
@@ -1,100 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Gitea backup helper for Azure Blob Storage
 # Uses the gitea-backup-aks secret in the gitea namespace
 # Required secret keys:
 #   AZURE_STORAGE_ACCOUNT   — storage account name
 #   AZURE_STORAGE_KEY       — storage account key
 #   AZURE_CONTAINER         — blob container name
 #
 # Usage:
 #   ./scripts/gitea-backup-aks.sh list                    # list all backups
 #   ./scripts/gitea-backup-aks.sh download <filename>     # download a backup
 #   ./scripts/gitea-backup-aks.sh download latest          # download the most recent backup
 NAMESPACE="gitea"
 SECRET="gitea-backup-aks"
 IMAGE="mcr.microsoft.com/azure-cli:latest"
 POD_NAME="gitea-backup-helper"
 cleanup() {
  kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
 }
 az_run() {
  cleanup
  kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
    --image="$IMAGE" \
    --overrides="{
      \"spec\":{\"containers\":[{
        \"name\":\"$POD_NAME\",
        \"image\":\"$IMAGE\",
        \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
        \"command\":[\"sh\",\"-c\",\"$1\"],
        \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
      }]}
    }" > /dev/null 2>&1
  kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
  kubectl -n "$NAMESPACE" logs "$POD_NAME"
  cleanup
 }
 case "${1:-help}" in
  list)
    echo "Listing backups..."
    az_run 'az storage blob list --account-name ${AZURE_STORAGE_ACCOUNT} --account-key ${AZURE_STORAGE_KEY} --container-name ${AZURE_CONTAINER} --output table --query "[].{Name:name, Size:properties.contentLength, Modified:properties.lastModified}"'
    ;;
  download)
    FILE="${2:?Usage: $0 download <filename|latest>}"
    if [ "$FILE" = "latest" ]; then
      echo "Finding latest backup..."
      FILE=$(az_run 'az storage blob list --account-name ${AZURE_STORAGE_ACCOUNT} --account-key ${AZURE_STORAGE_KEY} --container-name ${AZURE_CONTAINER} --query "sort_by([], &properties.lastModified)[-1].name" -o tsv' | tr -d '[:space:]')
      if [ -z "$FILE" ]; then
        echo "No backups found."
        exit 1
      fi
      echo "Latest: $FILE"
    fi
    echo "Downloading $FILE..."
    cleanup
    kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
      --image="$IMAGE" \
      --overrides="{
        \"spec\":{\"containers\":[{
          \"name\":\"$POD_NAME\",
          \"image\":\"$IMAGE\",
          \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
          \"command\":[\"sh\",\"-c\",\"sleep 300\"],
          \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
        }]}
      }" > /dev/null 2>&1
    kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
    echo "Saving to ./$FILE ..."
    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- \
      az storage blob download \
        --account-name "\${AZURE_STORAGE_ACCOUNT}" \
        --account-key "\${AZURE_STORAGE_KEY}" \
        --container-name "\${AZURE_CONTAINER}" \
        --name "$FILE" \
        --file /dev/stdout 2>/dev/null > "./$FILE"
    cleanup
    echo "Downloaded: ./$FILE"
    ;;
  *)
    echo "Gitea backup helper (Azure Blob Storage)"
    echo ""
    echo "Usage:"
    echo "  $0 list                    List all backups in Azure Blob"
    echo "  $0 download <filename>     Download a specific backup"
    echo "  $0 download latest         Download the most recent backup"
    ;;
 esac
--- a/scripts/gitea-backup-eks.sh
+++ b/scripts/gitea-backup-eks.sh
@@ -1,94 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Gitea backup helper for AWS S3
 # Uses the gitea-backup-s3 secret in the gitea namespace
 # (same secret schema: S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET)
 #
 # For AWS, S3_ENDPOINT is typically https://s3.<region>.amazonaws.com
 #
 # Usage:
 #   ./scripts/gitea-backup-eks.sh list                    # list all backups
 #   ./scripts/gitea-backup-eks.sh download <filename>     # download a backup to current dir
 #   ./scripts/gitea-backup-eks.sh download latest          # download the most recent backup
 NAMESPACE="gitea"
 SECRET="gitea-backup-s3"
 IMAGE="minio/mc:latest"
 POD_NAME="gitea-backup-helper"
 ALIAS_CMD='mc alias set s3 ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
 cleanup() {
  kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
 }
 mc_run() {
  cleanup
  kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
    --image="$IMAGE" \
    --overrides="{
      \"spec\":{\"containers\":[{
        \"name\":\"$POD_NAME\",
        \"image\":\"$IMAGE\",
        \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
        \"command\":[\"sh\",\"-c\",\"${ALIAS_CMD}; $1\"],
        \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
      }]}
    }" > /dev/null 2>&1
  kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
  kubectl -n "$NAMESPACE" logs "$POD_NAME"
  cleanup
 }
 case "${1:-help}" in
  list)
    echo "Listing backups..."
    mc_run 'mc ls s3/${S3_BUCKET}/'
    ;;
  download)
    FILE="${2:?Usage: $0 download <filename|latest>}"
    if [ "$FILE" = "latest" ]; then
      echo "Finding latest backup..."
      FILE=$(mc_run 'mc ls s3/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
      if [ -z "$FILE" ]; then
        echo "No backups found."
        exit 1
      fi
      echo "Latest: $FILE"
    fi
    echo "Downloading $FILE..."
    cleanup
    kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
      --image="$IMAGE" \
      --overrides="{
        \"spec\":{\"containers\":[{
          \"name\":\"$POD_NAME\",
          \"image\":\"$IMAGE\",
          \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
          \"command\":[\"sh\",\"-c\",\"sleep 300\"],
          \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
        }]}
      }" > /dev/null 2>&1
    kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
    echo "Saving to ./$FILE ..."
    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat s3/\${S3_BUCKET}/$FILE" > "./$FILE"
    cleanup
    echo "Downloaded: ./$FILE"
    ;;
  *)
    echo "Gitea backup helper (AWS S3)"
    echo ""
    echo "Usage:"
    echo "  $0 list                    List all backups in S3"
    echo "  $0 download <filename>     Download a specific backup"
    echo "  $0 download latest         Download the most recent backup"
    ;;
 esac
--- a/scripts/gitea-backup-gke.sh
+++ b/scripts/gitea-backup-gke.sh
@@ -1,95 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Gitea backup helper for Google Cloud Storage
 # Uses the gitea-backup-gcs secret in the gitea namespace
 # Required secret keys:
 #   GCS_BUCKET              — bucket name (without gs:// prefix)
 #   GOOGLE_APPLICATION_CREDENTIALS_JSON — service account key JSON
 #     (alternatively, use Workload Identity and omit the key)
 #
 # Usage:
 #   ./scripts/gitea-backup-gke.sh list                    # list all backups
 #   ./scripts/gitea-backup-gke.sh download <filename>     # download a backup
 #   ./scripts/gitea-backup-gke.sh download latest          # download the most recent backup
 NAMESPACE="gitea"
 SECRET="gitea-backup-gcs"
 IMAGE="gcr.io/google.com/cloudsdktool/google-cloud-cli:slim"
 POD_NAME="gitea-backup-helper"
 AUTH_CMD='if [ -n "${GOOGLE_APPLICATION_CREDENTIALS_JSON:-}" ]; then echo "${GOOGLE_APPLICATION_CREDENTIALS_JSON}" > /tmp/gcs-key.json && gcloud auth activate-service-account --key-file=/tmp/gcs-key.json > /dev/null 2>&1; fi'
 cleanup() {
  kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
 }
 gcs_run() {
  cleanup
  kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
    --image="$IMAGE" \
    --overrides="{
      \"spec\":{\"containers\":[{
        \"name\":\"$POD_NAME\",
        \"image\":\"$IMAGE\",
        \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
        \"command\":[\"sh\",\"-c\",\"${AUTH_CMD}; $1\"],
        \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
      }]}
    }" > /dev/null 2>&1
  kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
  kubectl -n "$NAMESPACE" logs "$POD_NAME"
  cleanup
 }
 case "${1:-help}" in
  list)
    echo "Listing backups..."
    gcs_run 'gsutil ls -l gs://${GCS_BUCKET}/'
    ;;
  download)
    FILE="${2:?Usage: $0 download <filename|latest>}"
    if [ "$FILE" = "latest" ]; then
      echo "Finding latest backup..."
      FILE=$(gcs_run 'gsutil ls gs://${GCS_BUCKET}/' | grep -v '^$' | grep -v 'TOTAL' | sort | tail -1 | xargs -I{} basename {} | tr -d '[:space:]')
      if [ -z "$FILE" ]; then
        echo "No backups found."
        exit 1
      fi
      echo "Latest: $FILE"
    fi
    echo "Downloading $FILE..."
    cleanup
    kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
      --image="$IMAGE" \
      --overrides="{
        \"spec\":{\"containers\":[{
          \"name\":\"$POD_NAME\",
          \"image\":\"$IMAGE\",
          \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
          \"command\":[\"sh\",\"-c\",\"sleep 300\"],
          \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
        }]}
      }" > /dev/null 2>&1
    kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
    echo "Saving to ./$FILE ..."
    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${AUTH_CMD} && gsutil cat gs://\${GCS_BUCKET}/$FILE" > "./$FILE"
    cleanup
    echo "Downloaded: ./$FILE"
    ;;
  *)
    echo "Gitea backup helper (Google Cloud Storage)"
    echo ""
    echo "Usage:"
    echo "  $0 list                    List all backups in GCS"
    echo "  $0 download <filename>     Download a specific backup"
    echo "  $0 download latest         Download the most recent backup"
    ;;
 esac
--- a/secrets/base/argocd-forte-helm-secret-sealed.yaml
+++ b/secrets/base/argocd-forte-helm-secret-sealed.yaml
--- a/secrets/base/kustomization.yaml
+++ b/secrets/base/kustomization.yaml
@@ -1,16 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argocd-forte-helm-secret-sealed.yaml
 - argocd-mcp-credentials.yaml
 - argocdmcp-auth-oidc-sealed.yaml
 - dot-ai-secrets.yaml
 - forte10x-app-credentials-sealed.yaml
 - gitea-backup-s3-sealed.yaml
 - gitea-credentials-sealed.yaml
 - gitea-runner-token-sealed.yaml
 - gitea-smtp-secret-sealed.yaml
 - keycloak-credentials-sealed.yaml
 - musicman-credentials.yaml
 - renovate-env-sealed.yaml
 - ts-mcp-secrets-sealed.yaml
--- a/secrets/base/ts-mcp-secrets-sealed.yaml
+++ b/secrets/base/ts-mcp-secrets-sealed.yaml
@@ -1,13 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: ts-mcp-secrets
  namespace: ts-mcp
 spec:
  encryptedData:
    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
  template:
    metadata:
      name: ts-mcp-secrets
      namespace: ts-mcp
--- a/secrets/dot-ai-secrets-sealed.yaml
+++ b/secrets/dot-ai-secrets-sealed.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: dot-ai-secrets
  namespace: dot-ai
 spec:
  encryptedData:
    anthropic-api-key: AgAdnPQzl2SNSqyAZkoBdEEGEjXfpMJUNMg4e040vxri4jbjoTnmwQ/DjmmIGtoInjhQA3NZRUKcIuDrO7nGMXFOPY9tSfhpdaAMWTji1CVZvmdJnrQwZY1LFBwgbozq3RSZZQQcZd2EPrhhsU5UlmacKk2WpuQdq76twfdU5WVD8xalxbt0H5UDvihuQa3sYX/rUIDZK2Th5IfaFqYZk5JvaxR8PFwBh9IOooGewWXWrsxVT510lxHRotSDIgKt/jl8ymsVA7IpddnbQHr6K77it7BxR6fLvDGaTQeQW0RtPZwsLvB268OTwp338RQ2sjmVuUDErWViLuk1V6UFmj5vhRR0X2dy/EipkWEJwR0Zf8JCW+vAXJ4NFiVFjmOsiTXoLHCYp0k01EwFcPQpnswKSdaQ3tuCEa4Q+rHu2DiXyfSuZ1MnWnTyLSx9H51VYUgIPwQa+BUVoVnAswypw4yLQHrfLu9TSvsNl/OonP0dSmgSGaByTc1RzwpvHBUAaOYII2LuuvkF90oA4cChGkGe1KuYKHFqiBdaT9jrsfeBUpgqFAH0uH9DNjBjU5EjlUtV3bdO7wXDHct9EOBZniKMH7cIbXfT2TBaormeHNqFtXxSRXy1szDpXiDD1QDoAJx0ylrwwqix7XPBlqSt91OZ8N1VPSUPvfnTQf7zirVWJNckU9fW6tsnQ+GDOOEwERPEAhqxWuw6V0HMab4VzpbGgWuvtQY5CsI2bFUYWSZAIJ6H8E5ip3lb8ilWtYadhx8QZD3aKi7k5h4bFWd6M0rg0uj7bfbW8YXauTS6Uz4b9FlvgrAPkmcWG84um/jsmP6a0YhvJDGKHMHoUmY=
    auth-token: AgBq/MM/+fqi1H6L5o/xFeKYMfcn6+bmbkepbq97O0Ob+dFKWuyfXmzqM2Dha+NKpXcu47qSBbLpaOdLS5ONq7JDIcZ2byW0ae9khBuL7k2mCa5ZPh96LS46c+v1qNJb6F4NQe+jWSx2H9LIShoihom+lRueBT1/uthW3hnUUUgQMgXU3NYimDNAg6JK6VgX3yKkI7ePLPAet7+ykaL1aPXwcfCAldcobPmls0vxMQDtgd+o4nLqx2sKArFplnwZ9G1SEz2dRXNFm8HI4HhgtOBdv1ISjXO8XGRZWnFqgX3s3BqcwFcPqVuFGHo+2ZvAUW+mdkuAEJOloJEoZXJkFCP+l7/yMV7/FmFAhntqfdTwijEJ+rP/sUbUNSzn6BKM2ITRGXEJkOeNq4xfpgS16AOs+O0DWkIAr0kWCJG+mkn94U7ALCGYQXtKLy0g/87MJ3IwaUU7gowVawHoDmpY0QoAYDJwpbIa9yMnlPOzJANkc99dl85sbLeQMvkkb4RqQlbMc80gkFFhbU5/0kKX483ylqhRi0b4ZjGHgl72s/8+FhxTDkSXJQ2HbrNPGlna+B7TAgxYZ9IS1cpw4wSNzSCk23Rt3STHnXuu/QXRLeMijXGBDFNJgU0JNKLp63JC1gftHcNhqRL6lxK1tLyo5+0Cnh/KJN64b1DpPXZnzdaeR25GQFSDxsymjLm2BFATtufRPJqeIT7tn5TRGTr97fH6LQv/LuJ4VnjS6WLsQoFdUhDuNug2LDuyLHjpKg==
    openai-api-key: AgCQR+HezEHwiwFD1pIkla1Byzz91SBoUyaWVTTuBrBDq201KvlLmqahjQwpKWs4YvqhmKkbF/mXKuMSyFut72IwH025tfmzzmTryOD6bOQDxI0Ws5NndnztzKv2qw2Js0c+6lAOJR+lEuo1ynGlG3hfS+bGShShvLZIDcD/hDa8IfhQBh7fKyFslJ52KxKK+zeEFDVQcx6Lrq/zP9IPH2QXz0bVQYlRyrQ4vqONO9h2pjxNAhDxuJ5FPk+Hb4ClGjyRPHFT34ZYsYdvHUgkjL3nOeaOUrc0GGJOKYZChfsK/JrqX8iOqgbE+0vQvMX+q8Tr6Ynr0KRKMcGPr6ak3eCNknJaZ1EABtkyUS2u5TzKqMzYq5DF4kpvPApIvaQW+VS05zD8piTQSZEFNRwwXDpyru/R4MmPvwt7OdSM0SJpQ8kR7tsuRgBPFY2Eduk6fhrDmMVgHze3AoRaqyh87CeqR3Z7/XofbdgZBqEp2vwiY425ArB6yMLpVvO6eB+yoTgCJ/UpfOxBDHE1M6U3goJhk/YeOy9UpTfRD1VyA2OuzJliDNtC784wxnGAsOk3qKk1bjjBqUzwITK41mOWqNLKCn4Ol9lXZtbbqLIiU4lXv4Pl93mVSuPLOIXINLGMRFl0rlvDICEjrrfE+JmwKx6i45sqsk3/hz1Fb+/bKFo7pl9JnAXvr5WfDW/rflwBrokfJVeYsSm6R2yxGWlosrKZIwIRctOut1EbbylurI5pIPp6vHguyIvZDDxwj3Qk3ewU/WVAcI9989aLR++UrZ5FGXt3apMk8BY9bq7DIQOUtgfPO98+cVPdoZSIh5bhQpCHAVPMGcGTdIPkuQbxSai0FsP8ipdHx0fluI6p/4v1Rv/BqZH0X8dnwPQoqUhSD+C575w511Fc8PEzgaG63S9hHx5Azw==
    ui-auth-token: AgBgKRwErv5MtWIdqSN5BSQ/deHFE4469gzqL6gwp/3JidtBEiAAyuOIbc9dRCWuJNcdtixKOZT1rKuI8O/e6oJ6ABGAx+ckDfH468VKsR4AJhdZGcxub5j79NKccbNA5MKTnqxlU05zukUOkgw3wdsOyuQr3RnfL31GFbEVyDMej+Xr7Rs0fWrfqpasCi45/PEi8fkofMg45kGc+LMfDgovNtkKla2MAXwYlUk24SA+lgCFoG2DHB50GdTK2byCks4Px4J3jQqqHdLUfC+/gyqimPoVUsVGb5SY0xeNepKfTz7lHEkmDOB9R1wfv7pUaLMapc+eVrVN7reLHKOA47IEedDpnlLm/fyEfPe7ktkejc59tPyIyxBubrN+Vb/+6bDgi7xsXy/N5uD/2sPqWVgI2D7veWOJEjM+GYOYeb2iRbf7KlrokCXD/gRMiQBKqYyUdjWx40MjrhxzPArOa+cL0kb1CUgwuyjmqq5hNIUO2wo6/kkeNtUeT7r067LE5rtMoZG2EAfw/xrL1CI2F+3c72JzRd//aClt1MsSfPPPoFz0TlWSSc7qNDhYHuQf//G/Zd29Nk/Ac52HVwdkl2AXJE/GIFdwi+ypqK5mjmSUTn/JVE0ZaA3OpHOF/01meISuqBo+HuAWCV8sw6en0F8AF+DF8rw8t5hDdexScXep5QuJmm4CYgqThyjz2V5xME9oMmGA+Yiu/MJ4AlkLowijpXkKEWpEOBRpRRhu2q2szhZqmx1oKJw+qJ40CQ==
  template:
    metadata:
      creationTimestamp: null
      name: dot-ai-secrets
      namespace: dot-ai
--- a/secrets/base/gitea-backup-s3-sealed.yaml
+++ b/secrets/base/gitea-backup-s3-sealed.yaml
--- a/secrets/base/gitea-credentials-sealed.yaml
+++ b/secrets/base/gitea-credentials-sealed.yaml
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Danijel Simeunovic	4e6a84785a	token All checks were successful AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 13:37:32 +02:00
Danijel Simeunovic	e0bdaab422	multi-cloud + mcp Some checks failed AI Code Review / ai-review (pull_request) Failing after 2s Details	2026-04-22 13:34:48 +02:00
		`@@ -1,2 +0,0 @@`
			`# Force LF line endings for shell scripts`
			`*.sh text eol=lf`