Merge branch 'feature/cloud-agnostic' into feature/multi-cloud

.gitattributes

@@ -1,2 +0,0 @@
-# Force LF line endings for shell scripts
-*.sh text eol=lf

README.md

@@ -355,6 +355,7 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
+| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
 

apps/base/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
-- ts-mcp.yaml
 - argo-mcp.yaml

apps/base/ts-mcp.yaml

@@ -1,40 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ts-mcp
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "11"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
-  labels:
-    app.kubernetes.io/name: ts-mcp
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/ts-mcp/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: ts-mcp
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

bootstrap.sh

@@ -1,5 +1,4 @@
 #!/bin/zsh
-
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
@@ -28,8 +27,8 @@ Bootstrap()
 Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
+    kubectl apply -f private/gitea-repo-main.yaml
-    kubectl apply -f "private/${CLUSTER}/main.key"
+    kubectl apply -f private/main.key
 }
 
 ############################################################
@@ -37,15 +36,10 @@ Gitea()
 ############################################################
 ArgoCd()
 {
-    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
-    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
-    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
-
     # install argocd
     echo "Installing ArgoCD..."
     helm upgrade --install argocd argo-cd \
             --repo https://argoproj.github.io/argo-helm \
-            --version "7.8.0" \
             --namespace argocd --create-namespace \
             --values infra/values/base/argocd-values.yaml \
             --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -55,4 +49,4 @@ ArgoCd()
     kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
 
-Bootstrap
+# Bootstrap

cluster-resources/argocd-oidc-secret-sync.yaml

@@ -1,83 +0,0 @@
-# CronJob: syncs OIDC client secret from registrar-managed
-# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
-# Runs every 2 min. No-ops if source secret doesn't exist yet
-# (safe for fresh deploys before Keycloak is up).
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
-  verbs: ["get", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argocd-oidc-sync
-subjects:
-- kind: ServiceAccount
-  name: argocd-oidc-sync
-  namespace: argocd
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
-spec:
-  schedule: "*/2 * * * *"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 1
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 1
-      template:
-        spec:
-          serviceAccountName: argocd-oidc-sync
-          restartPolicy: Never
-          containers:
-          - name: sync
-            image: bitnami/kubectl:latest
-            command: ["/bin/sh", "-c"]
-            args:
-            - |
-              set -e
-
-              # Exit gracefully if source secret doesn't exist yet
-              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
-                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
-                exit 0
-              fi
-
-              # Read current OIDC client secret
-              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
-                -o jsonpath='{.data.client-secret}' | base64 -d)
-
-              # Read current value in argocd-secret (if any)
-              CURRENT=$(kubectl get secret argocd-secret -n argocd \
-                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
-
-              # Only patch if changed
-              if [ "$NEW_SECRET" = "$CURRENT" ]; then
-                echo "oidc.clientSecret already up to date"
-                exit 0
-              fi
-
-              kubectl patch secret argocd-secret -n argocd --type merge \
-                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
-              echo "Patched argocd-secret with oidc.clientSecret"

cluster-resources/argocd-repo-server-config.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-repo-server-config
-  namespace: argocd
-data:
-  # Disable git submodule checkout - submodules (e.g. shared-prompts)
-  # are not needed for K8s manifest generation
-  ARGOCD_GIT_MODULES_ENABLED: "false"

cluster-resources/policies/label-checker.yaml

@@ -26,6 +26,7 @@ spec:
           - monitoring
           - secrets
           - kyverno
+          - trivy-system
     match:
       any:
       - resources:

cluster-resources/policies/secret-cloner.yaml

@@ -16,6 +16,7 @@ spec:
       - resources:
           namespaces:
           - kube-system
+          - trivy-system
           - monitoring
           - argocd
           - cert-manager

clusters/aks-dev.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: dev-aks                  # <- adjust to your AKS cluster name
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: example.com                   # <- adjust to your domain
-clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.example.com
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.example.com
-argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+keycloakDomain: id.example.com
-grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.example.com
-keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.example.com
-dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+letsencryptEmail: admin@example.com   # <- adjust
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+trustedIPs: "10.0.0.0/8,168.63.129.16/32"  # <- VNet CIDR + Azure health probe
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: azure
-trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations

clusters/aks-prod.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: prod-aks                 # <- adjust to your AKS cluster name
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: example.com                   # <- adjust to your domain
-clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.example.com
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.example.com
-argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
+keycloakDomain: id.example.com
-grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.example.com
-keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.example.com
-dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+letsencryptEmail: admin@example.com   # <- adjust
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+trustedIPs: "10.0.0.0/8,168.63.129.16/32"  # <- VNet CIDR + Azure health probe
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: azure
-trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations

clusters/eks-dev.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: dev-eks                  # <- adjust to your EKS cluster name
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: example.com                   # <- adjust to your domain
-clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.example.com
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.example.com
-argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
+keycloakDomain: id.example.com
-grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.example.com
-keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.example.com
-dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+letsencryptEmail: admin@example.com   # <- adjust
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+trustedIPs: "10.0.0.0/8"             # <- adjust to your VPC CIDR
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: eks
-trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
-cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/eks-prod.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: prod-eks                 # <- adjust to your EKS cluster name
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: example.com                   # <- adjust to your domain
-clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.example.com
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.example.com
-argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
+keycloakDomain: id.example.com
-grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.example.com
-keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.example.com
-dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+letsencryptEmail: admin@example.com   # <- adjust
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+trustedIPs: "10.0.0.0/8"             # <- adjust to your VPC CIDR
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: eks
-trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
-cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/gke-dev.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: dev-gke                  # <- adjust to your GKE cluster name
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: example.com                   # <- adjust to your domain
-clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.example.com
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.example.com
-argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
+keycloakDomain: id.example.com
-grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.example.com
-keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.example.com
-dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+letsencryptEmail: admin@example.com   # <- adjust
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"  # <- subnet CIDR + GCP health checks
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: gke
-trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
-cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/gke-prod.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: prod-gke                 # <- adjust to your GKE cluster name
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: example.com                   # <- adjust to your domain
-clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.example.com
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.example.com
-argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
+keycloakDomain: id.example.com
-grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.example.com
-keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.example.com
-dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+letsencryptEmail: admin@example.com   # <- adjust
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"  # <- subnet CIDR + GCP health checks
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: gke
-trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
-cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/upc-dev.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: dev-fd-no-svg1
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: forteapps.net
-clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.127.0.0.1.nip.io
-domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.forteapps.net
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
+keycloakDomain: id.forteapps.net
-grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.forteapps.net
-keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.forteapps.net
-dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+letsencryptEmail: danijels@gmail.com
-dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+trustedIPs: "172.16.1.0/24"
-letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: upcloud
-trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
-cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

clusters/upc-prod.yaml

@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
+clusterName: prod-fd-no-svg1
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+domain: fortedigital.com
-clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
+argocdDomain: argocd.127.0.0.1.nip.io
-domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+grafanaDomain: grafana.fortedigital.com
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
+keycloakDomain: id.fortedigital.com
-grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
+dotaiDomain: kubemcp.fortedigital.com
-keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
+dotaiUiDomain: kubemcpui.fortedigital.com
-dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+letsencryptEmail: danijel.simeunovic@fortedigital.com
-dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+trustedIPs: "172.16.1.0/24"
-letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+cloudProvider: upcloud
-trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
-cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

devbox.json

@@ -1,32 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
-  "packages": [
-    "kubectl@1.33.2",
-    "kubernetes-helm@3.18.4",
-    "k9s@0.50.7",
-    "kubeseal@0.30.0",
-    "argocd@2.14.11",
-    "kubecm@0.33.1",
-    "kubectl-tree@0.4.3",
-    "kind@0.29.0",
-    "kustomize@5.7.0",
-    "kyverno@1.14.3",
-    "syft@1.29.0",
-    "grype@0.92.2",
-    "traefik@3.6.7",
-    "claude-code@latest",
-    "go@latest",
-    "dotnet-sdk@latest",
-    "opentofu@1.11.6"
-  ],
-  "shell": {
-    "init_hook": [
-      "echo 'Welcome to devbox!' > /dev/null"
-    ],
-    "scripts": {
-      "test": [
-        "echo \"Error: no test specified\" && exit 1"
-      ]
-    }
-  }
-}

docs/DEVELOPER-GUIDE.md

@@ -654,11 +654,21 @@ kubectl create secret generic myapp-credentials \
 
 #### Step 2: Seal the Secret
 
+Get the public certificate (one-time setup):
+
+```bash
+# Fetch public cert from cluster
+kubeseal --fetch-cert \
+  --controller-name=sealed-secrets-controller \
+  --controller-namespace=kube-system \
+  > pub-cert.pem
+```
+
 Seal your secret:
 
 ```bash
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
   < private/myapp-credentials.yaml \
   > secrets/myapp-credentials-sealed.yaml
 ```
@@ -701,7 +711,7 @@ kubectl create secret generic myapp-credentials \
 
 # 2. Seal it
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
   < private/myapp-credentials.yaml \
   > secrets/myapp-credentials-sealed.yaml
 
@@ -952,46 +962,6 @@ User sees application (authenticated)
 
 ---
 
-### Accessing Authenticated User Information
-
-The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
-
-After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
-
-| Header | Description | Available in |
-|--------|-------------|-------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-**Your application reads these headers — no auth library needed:**
-
-```javascript
-// Express.js example
-app.get('/profile', (req, res) => {
-  const user = req.headers['x-auth-user'];
-  const email = req.headers['x-auth-email'];
-  res.json({ user, email });
-});
-```
-
-```python
-# Flask example
-@app.route('/profile')
-def profile():
-    user = request.headers.get('X-Auth-User')
-    email = request.headers.get('X-Auth-Email')
-    return jsonify(user=user, email=email)
-```
-
-**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
-
-**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
-
----
-
 ### Authentication Configuration Reference
 
 #### Helm Values Schema

docs/REFERENCE.md

@@ -88,6 +88,7 @@ launchpad/
 │   ├── loki.yaml
 │   ├── tempo.yaml
 │   ├── fluent-bit.yaml
+│   ├── trivy.yaml
 │   ├── gitea.yaml
 │   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
@@ -147,30 +148,12 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── base/                     # All SealedSecrets (shared across clouds)
+│   ├── argocd-mcp-credentials.yaml
-│   │   ├── kustomization.yaml
+│   ├── dot-ai-secrets.yaml
-│   │   ├── argocd-forte-helm-secret-sealed.yaml
+│   ├── gitea-credentials-sealed.yaml
-│   │   ├── argocd-mcp-credentials.yaml
+│   ├── gitea-runner-token-sealed.yaml
-│   │   ├── argocdmcp-auth-oidc-sealed.yaml
+│   ├── mcp10x-credentials-sealed.yaml
-│   │   ├── dot-ai-secrets.yaml
+│   └── musicman-credentials.yaml
-│   │   ├── forte10x-app-credentials-sealed.yaml
-│   │   ├── gitea-backup-s3-sealed.yaml
-│   │   ├── gitea-credentials-sealed.yaml
-│   │   ├── gitea-runner-token-sealed.yaml
-│   │   ├── gitea-smtp-secret-sealed.yaml
-│   │   ├── keycloak-credentials-sealed.yaml
-│   │   ├── musicman-auth-oidc-sealed.yaml
-│   │   ├── musicman-credentials.yaml
-│   │   └── renovate-env-sealed.yaml
-│   └── overlays/                 # Per-cloud overlays (reference base)
-│       ├── aks-dev/kustomization.yaml
-│       ├── aks-prod/kustomization.yaml
-│       ├── eks-dev/kustomization.yaml
-│       ├── eks-prod/kustomization.yaml
-│       ├── gke-dev/kustomization.yaml
-│       ├── gke-prod/kustomization.yaml
-│       ├── upc-dev/kustomization.yaml
-│       └── upc-prod/kustomization.yaml
 │
 ├── scripts/                       # Operational helper scripts
 │   ├── gitea-backup.sh            # S3 backup helper (list/download)
@@ -648,95 +631,6 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 
-### Global Settings (`argocd-cm`)
-
-| Setting | Value | Purpose |
-|---------|-------|---------|
-| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
-| `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
-| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
-
-**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
-```yaml
-configs:
-  params:
-    "reposerver.enable.git.submodule": "false"
-```
-This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
-
-**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
-```bash
-# Enable admin login
-kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
-# Log in as admin, do what's needed, then disable again
-kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
-```
-ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
-
-**OIDC Authentication** (Keycloak):
-```yaml
-configs:
-  cm:
-    oidc.config: |
-      name: Forte SSO
-      issuer: https://id.forteapps.net/realms/forte
-      clientID: argocd
-      clientSecret: $oidc.clientSecret
-      requestedScopes: ["openid", "email", "profile"]
-  rbacConfig:
-    policy.csv: |
-      g, ArgoCD Admins, role:admin
-      g, ArgoCD Viewers, role:readonly
-    # Deny users not in any declared KC group
-    policy.default: ""
-    scopes: '[groups]'
-```
-
-**Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
-
-| KC Group | ArgoCD Role | Access |
-|----------|-------------|--------|
-| `ArgoCD Admins` | `role:admin` | Full control over all apps |
-| `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
-| `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
-| `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
-| `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
-
-**Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
-```yaml
-# infra/values/upc-dev/argocd-values.yaml
-configs:
-  rbac:
-    policy.upc-dev.csv: |
-      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
-      g, Staging Deployers, role:staging-deployer
-```
-
-- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
-- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
-- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
-- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
-- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
-- Safe for fresh deploys: no-ops if source secret doesn't exist yet
-
-**Ingress** (Traefik + TLS):
-```yaml
-server:
-  ingress:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    tls: true
-  extraArgs:
-  - --insecure
-configs:
-  params:
-    "server.insecure": true
-```
-TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
-
 ---
 
 ## Infrastructure Components
@@ -812,10 +706,6 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`
 
-**Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
-
-To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
-
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -856,15 +746,6 @@ kubeStateMetrics:
 - Loki
 - Tempo
 
-**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
-
-**OIDC Authentication** (Keycloak):
-- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
-- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
-- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
-- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
-- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
-
 ### Loki
 
 **Chart**: `grafana/loki-stack`
@@ -1217,33 +1098,6 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 
-### Karpor
-
-**Chart**: `karpor` from `https://kusionstack.github.io/charts`
-**Version**: 0.7.6 (app v0.6.4)
-**Namespace**: `karpor`
-**Sync Wave**: 1
-
-**Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
-
-**Architecture** (4 components):
-- **Server** — main Karpor API/UI (port 7443)
-- **Syncer** — syncs cluster state into the search index
-- **ElasticSearch** — search backend for resource indexing
-- **etcd** — persistent key-value store (10Gi PVC)
-
-**Configuration** (`infra/values/base/karpor-values.yaml`):
-- `namespaceEnabled: false` — ArgoCD manages namespace creation
-- Default resource limits tuned for small clusters
-- ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
-- AI features available but not enabled (requires `server.ai.authToken` + backend config)
-
-**Access**: Port-forward to reach the UI:
-```bash
-kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
-# Open https://localhost:7443
-```
-
 ### Renovate
 
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1691,23 +1545,7 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
 
-#### Forwarded Headers
+**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
-
-After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
-
-| Header | Description | Auth Modes |
-|--------|-------------|------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
-
-Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
-
-**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
 
 ---
 
@@ -1896,9 +1734,8 @@ To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
    - `opencost-values.yaml` — pricing model or cloud billing integration
 3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
 4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
-5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config
-6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+6. **Bootstrap**: `./bootstrap.sh oci-dev`
-7. **Bootstrap**: `./bootstrap.sh oci-dev`
 
 ---
 

infra/base/karpor.yaml

@@ -1,48 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: karpor
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: karpor
-    app.kubernetes.io/part-of: developer-portal
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://kusionstack.github.io/charts
-    chart: karpor
-    targetRevision: "0.7.6"
-    helm:
-      releaseName: karpor
-      valueFiles:
-      - $values/infra/values/base/karpor-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: karpor
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/keycloak.yaml

@@ -15,7 +15,7 @@ spec:
   project: default
 
   sources:
-  - repoURL: registry-1.docker.io/bitnamicharts
+  - repoURL: https://charts.bitnami.com/bitnami
     chart: keycloak
     targetRevision: "25.2.0"
     helm:
@@ -47,7 +47,3 @@ spec:
     kind: CronJob
     jsonPointers:
     - /spec/jobTemplate/spec/template/spec/containers/0/args
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/kustomization.yaml

@@ -10,6 +10,7 @@ resources:
 - prometheus.yaml
 - loki.yaml
 - fluent-bit.yaml
+- trivy.yaml
 - enterprise-apps.yaml
 - cluster-resources-application.yaml
 - kyverno-policies.yaml
@@ -20,4 +21,4 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
-- karpor.yaml
+- network-policies-application.yaml

infra/base/loki.yaml

@@ -40,9 +40,3 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/network-policies-application.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: network-policies
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: network-policies
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: cluster-resources/network
+
+  destination:
+    server: https://kubernetes.default.svc
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - Validate=true
+    - ServerSideApply=true

infra/base/secrets.yaml

@@ -18,7 +18,7 @@ spec:
   project: default
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets/overlays/upc-dev
+    path: secrets/upc-dev
   destination:
     server: https://kubernetes.default.svc
     namespace: secrets

infra/base/tempo.yaml

@@ -40,9 +40,3 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/trivy.yaml

@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: trivy-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: trivy-operator
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/name: trivy-operator
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: https://aquasecurity.github.io/helm-charts
+    chart: trivy-operator
+    targetRevision: 0.31.0
+    helm:
+      releaseName: trivy-operator
+      valuesObject:
+        operator:
+          targetNamespaces: ""
+          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
+          scanJobsInSameNamespace: true
+          metricsVulnIdEnabled: true
+          metricsImageInfo: true
+        trivy:
+          ignoreUnfixed: false
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    jsonPointers:
+    - /metadata/labels
+    - /metadata/annotations
+    - /metadata/finalizers

infra/dashboards/kustomization.yaml

@@ -8,6 +8,9 @@ generatorOptions:
     grafana_dashboard: "1"
 
 configMapGenerator:
+- name: grafana-dashboard-trivy
+  files:
+  - trivy.json
 - name: grafana-dashboard-traefik-loki
   files:
   - traefik-loki.json

infra/overlays/upc-prod/kustomization.yaml

@@ -56,7 +56,7 @@ patches:
   patch: |
     - op: replace
       path: /spec/source/path
-      value: secrets/overlays/upc-prod
+      value: secrets/upc-prod
 
 # Enterprise-apps: point to upc-prod overlay
 - target:
@@ -66,3 +66,21 @@ patches:
     - op: replace
       path: /spec/source/path
       value: apps/overlays/upc-prod
+
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/opencost-values.yaml

infra/values/base/argocd-values.yaml

@@ -2,85 +2,16 @@ configs:
   secret:
     createSecret: true
     argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
-    # oidc.clientSecret managed by argocd-oidc-sync CronJob
-    # (reads from argocd-oidc-credentials, patches argocd-secret)
-  ssh:
-    knownHosts: |
-      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
-    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "true"
-    admin.enabled: "false"
-    url: https://argocd.forteapps.net
-    oidc.config: |
-      name: Forte SSO
-      issuer: https://id.forteapps.net/realms/forte
-      clientID: argocd
-      clientSecret: $oidc.clientSecret
-      requestedScopes: ["openid", "email", "profile"]
-  rbac:
-    # Base RBAC — org-wide roles shared across all clusters.
-    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
-    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
-    policy.csv: |
-      # Platform administrators — full control
-      g, ArgoCD Admins, role:admin
-
-      # Read-only viewers — see all, change nothing
-      g, ArgoCD Viewers, role:readonly
-
-      # --- Per-team roles (scoped to default project app names) ---
-      # Observability team — manage monitoring stack
-      p, role:observability, applications, get, default/prometheus, allow
-      p, role:observability, applications, get, default/loki, allow
-      p, role:observability, applications, get, default/fluent-bit, allow
-      p, role:observability, applications, get, default/tempo, allow
-      p, role:observability, applications, get, default/grafana, allow
-      p, role:observability, applications, get, default/grafana-dashboards, allow
-      p, role:observability, applications, get, default/opencost, allow
-      p, role:observability, applications, sync, default/prometheus, allow
-      p, role:observability, applications, sync, default/loki, allow
-      p, role:observability, applications, sync, default/fluent-bit, allow
-      p, role:observability, applications, sync, default/tempo, allow
-      p, role:observability, applications, sync, default/grafana, allow
-      p, role:observability, applications, sync, default/grafana-dashboards, allow
-      p, role:observability, applications, sync, default/opencost, allow
-      p, role:observability, logs, get, default/*, allow
-      g, Observability Team, role:observability
-
-      # Dev tools team — manage gitea, renovate, karpor
-      p, role:devtools, applications, get, default/gitea, allow
-      p, role:devtools, applications, get, default/gitea-actions, allow
-      p, role:devtools, applications, get, default/renovate, allow
-      p, role:devtools, applications, get, default/karpor, allow
-      p, role:devtools, applications, sync, default/gitea, allow
-      p, role:devtools, applications, sync, default/gitea-actions, allow
-      p, role:devtools, applications, sync, default/renovate, allow
-      p, role:devtools, applications, sync, default/karpor, allow
-      p, role:devtools, logs, get, default/*, allow
-      g, Dev Tools Team, role:devtools
-
-      # App developers — manage enterprise apps only
-      p, role:app-dev, applications, get, default/enterprise-apps, allow
-      p, role:app-dev, applications, sync, default/enterprise-apps, allow
-      p, role:app-dev, applications, action, default/enterprise-apps, allow
-      p, role:app-dev, logs, get, default/enterprise-apps, allow
-      g, App Developers, role:app-dev
-
-    # Deny users not in any declared KC group
-    policy.default: ""
-    scopes: '[groups]'
   params:
     "server.insecure": true
-    "reposerver.enable.git.submodule": "false"
 server:
   ingress:
-    enabled: true
+    enabled: false
-    ingressClassName: traefik
+    ingressClassName: nginx
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    tls: true
   extraArgs:
   - --insecure
 

infra/values/base/gitea-values.yaml

@@ -77,7 +77,7 @@ gitea:
       FROM: "noreply@fortedigital.com"
 
     admin:
-      DEFAULT_EMAIL_NOTIFICATIONS: onmention
+      DEFAULT_EMAIL_NOTIFICATIONS: enabled
 
   # -- SMTP credentials injected from secret (USER and PASSWD)
   additionalConfigFromEnvs:
@@ -98,7 +98,7 @@ gitea:
     existingSecret: gitea-oidc-credentials
     key: gitea
     autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "email profile organization"
+    scopes: "openid email profile organization"
     groupClaimName: "groups"
     adminGroup: ""
     restrictedGroup: ""

infra/values/base/grafana-values.yaml

@@ -1,13 +1,5 @@
 ingress:
   enabled: true
-  ingressClassName: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-  tls:
-  - secretName: grafana-tls
-    hosts:
-    - grafana.forteapps.net
-
 resources:
   requests:
     cpu: 50m
@@ -19,29 +11,6 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 
-envFromSecrets:
-- name: grafana-oidc-credentials
-
-grafana.ini:
-  server:
-    root_url: https://grafana.forteapps.net
-  auth.generic_oauth:
-    enabled: true
-    name: Forte SSO
-    allow_sign_up: true
-    client_id: ${client-id}
-    client_secret: ${client-secret}
-    scopes: openid email profile
-    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
-    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
-    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
-    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
-    role_attribute_strict: true
-    allow_assign_grafana_admin: true
-    auto_login: true
-  auth:
-    disable_login_form: true
-
 datasources:
   datasources.yaml:
     apiVersion: 1

infra/values/base/karpor-values.yaml

@@ -1,44 +0,0 @@
-# Karpor - Kubernetes Visualization & Intelligence Tool
-# Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
-
-# Let the ArgoCD Application manage the namespace
-namespaceEnabled: false
-
-server:
-  replicas: 1
-  port: 7443
-  resources:
-    requests:
-      cpu: 250m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 1Gi
-
-syncer:
-  replicas: 1
-  port: 7443
-  resources:
-    requests:
-      cpu: 250m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 1Gi
-
-elasticsearch:
-  replicas: 1
-  port: 9200
-  resources:
-    requests:
-      cpu: 500m
-      memory: 2Gi
-    limits:
-      cpu: "2"
-      memory: 4Gi
-
-etcd:
-  replicas: 1
-  port: 2379
-  persistence:
-    size: 5Gi

infra/values/base/keycloak-values.yaml

@@ -75,6 +75,7 @@ keycloakConfigCli:
             "publicClient": false,
             "redirectUris": ["https://git.forteapps.net/*"],
             "webOrigins": ["https://git.forteapps.net"],
+            "defaultClientScopes": ["openid", "email", "profile"],
             "attributes": {
               "k8s.secret.sync": "true",
               "k8s.secret.namespace": "gitea",
@@ -97,96 +98,6 @@ keycloakConfigCli:
                 }
               }
             ]
-          },
-          {
-            "clientId": "grafana",
-            "name": "Grafana",
-            "enabled": true,
-            "protocol": "openid-connect",
-            "clientAuthenticatorType": "client-secret",
-            "standardFlowEnabled": true,
-            "directAccessGrantsEnabled": false,
-            "publicClient": false,
-            "redirectUris": ["https://grafana.forteapps.net/*"],
-            "webOrigins": ["https://grafana.forteapps.net"],
-            "attributes": {
-              "k8s.secret.sync": "true",
-              "k8s.secret.namespace": "monitoring",
-              "k8s.secret.name": "grafana-oidc-credentials",
-              "k8s.secret.client-id-key": "client-id",
-              "k8s.secret.client-secret-key": "client-secret"
-            },
-            "protocolMappers": [
-              {
-                "name": "client-roles",
-                "protocol": "openid-connect",
-                "protocolMapper": "oidc-usermodel-client-role-mapper",
-                "config": {
-                  "claim.name": "resource_access.grafana.roles",
-                  "jsonType.label": "String",
-                  "multivalued": "true",
-                  "usermodel.clientRoleMapping.clientId": "grafana",
-                  "id.token.claim": "true",
-                  "access.token.claim": "true",
-                  "userinfo.token.claim": "true"
-                }
-              }
-            ]
-          },
-          {
-            "clientId": "argocd",
-            "name": "ArgoCD",
-            "enabled": true,
-            "protocol": "openid-connect",
-            "clientAuthenticatorType": "client-secret",
-            "standardFlowEnabled": true,
-            "directAccessGrantsEnabled": false,
-            "publicClient": false,
-            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
-            "webOrigins": ["https://argocd.forteapps.net"],
-            "attributes": {
-              "k8s.secret.sync": "true",
-              "k8s.secret.namespace": "argocd",
-              "k8s.secret.name": "argocd-oidc-credentials",
-              "k8s.secret.client-id-key": "client-id",
-              "k8s.secret.client-secret-key": "client-secret"
-            },
-            "protocolMappers": [
-              {
-                "name": "groups",
-                "protocol": "openid-connect",
-                "protocolMapper": "oidc-group-membership-mapper",
-                "config": {
-                  "claim.name": "groups",
-                  "full.path": "false",
-                  "id.token.claim": "true",
-                  "access.token.claim": "true",
-                  "userinfo.token.claim": "true"
-                }
-              }
-            ]
-          }
-        ],
-        "groups": [
-          {
-            "name": "ArgoCD Admins",
-            "path": "/ArgoCD Admins"
-          },
-          {
-            "name": "ArgoCD Viewers",
-            "path": "/ArgoCD Viewers"
-          },
-          {
-            "name": "Observability Team",
-            "path": "/Observability Team"
-          },
-          {
-            "name": "Dev Tools Team",
-            "path": "/Dev Tools Team"
-          },
-          {
-            "name": "App Developers",
-            "path": "/App Developers"
           }
         ]
       }

infra/values/base/prometheus-values.yaml

@@ -36,6 +36,28 @@ extraScrapeConfigs: |
       - source_labels: [__meta_kubernetes_namespace]
         target_label: namespace
 
+  - job_name: trivy-operator
+    scrape_interval: 30s
+    metrics_path: /metrics
+    kubernetes_sd_configs:
+      - role: pod
+        namespaces:
+          names:
+            - trivy-system
+    relabel_configs:
+      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
+        regex: trivy-operator
+        action: keep
+      - source_labels: [__meta_kubernetes_pod_container_port_number]
+        regex: "8080"
+        action: keep
+      - source_labels: [__meta_kubernetes_pod_name]
+        target_label: pod
+      - source_labels: [__meta_kubernetes_namespace]
+        target_label: namespace
+      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
+        target_label: instance
+
   - job_name: traefik
     scrape_interval: 15s
     metrics_path: /metrics

infra/values/upc-dev/argocd-values.yaml

@@ -1,5 +1,5 @@
 global:
-  domain: argocd.forteapps.net
+  domain: argocd.127.0.0.1.nip.io
 notifications:
   context:
     clusterName: "dev-fd-eu-no-svg1"

secrets/base/kustomization.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- argocd-forte-helm-secret-sealed.yaml
-- argocd-mcp-credentials.yaml
-- argocdmcp-auth-oidc-sealed.yaml
-- dot-ai-secrets.yaml
-- forte10x-app-credentials-sealed.yaml
-- gitea-backup-s3-sealed.yaml
-- gitea-credentials-sealed.yaml
-- gitea-runner-token-sealed.yaml
-- gitea-smtp-secret-sealed.yaml
-- keycloak-credentials-sealed.yaml
-- musicman-credentials.yaml
-- renovate-env-sealed.yaml
-- ts-mcp-secrets-sealed.yaml

secrets/base/ts-mcp-secrets-sealed.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: ts-mcp-secrets
-  namespace: ts-mcp
-spec:
-  encryptedData:
-    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
-  template:
-    metadata:
-      name: ts-mcp-secrets
-      namespace: ts-mcp

secrets/dot-ai-secrets-sealed.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: dot-ai-secrets
+  namespace: dot-ai
+spec:
+  encryptedData:
+    anthropic-api-key: AgAdnPQzl2SNSqyAZkoBdEEGEjXfpMJUNMg4e040vxri4jbjoTnmwQ/DjmmIGtoInjhQA3NZRUKcIuDrO7nGMXFOPY9tSfhpdaAMWTji1CVZvmdJnrQwZY1LFBwgbozq3RSZZQQcZd2EPrhhsU5UlmacKk2WpuQdq76twfdU5WVD8xalxbt0H5UDvihuQa3sYX/rUIDZK2Th5IfaFqYZk5JvaxR8PFwBh9IOooGewWXWrsxVT510lxHRotSDIgKt/jl8ymsVA7IpddnbQHr6K77it7BxR6fLvDGaTQeQW0RtPZwsLvB268OTwp338RQ2sjmVuUDErWViLuk1V6UFmj5vhRR0X2dy/EipkWEJwR0Zf8JCW+vAXJ4NFiVFjmOsiTXoLHCYp0k01EwFcPQpnswKSdaQ3tuCEa4Q+rHu2DiXyfSuZ1MnWnTyLSx9H51VYUgIPwQa+BUVoVnAswypw4yLQHrfLu9TSvsNl/OonP0dSmgSGaByTc1RzwpvHBUAaOYII2LuuvkF90oA4cChGkGe1KuYKHFqiBdaT9jrsfeBUpgqFAH0uH9DNjBjU5EjlUtV3bdO7wXDHct9EOBZniKMH7cIbXfT2TBaormeHNqFtXxSRXy1szDpXiDD1QDoAJx0ylrwwqix7XPBlqSt91OZ8N1VPSUPvfnTQf7zirVWJNckU9fW6tsnQ+GDOOEwERPEAhqxWuw6V0HMab4VzpbGgWuvtQY5CsI2bFUYWSZAIJ6H8E5ip3lb8ilWtYadhx8QZD3aKi7k5h4bFWd6M0rg0uj7bfbW8YXauTS6Uz4b9FlvgrAPkmcWG84um/jsmP6a0YhvJDGKHMHoUmY=
+    auth-token: AgBq/MM/+fqi1H6L5o/xFeKYMfcn6+bmbkepbq97O0Ob+dFKWuyfXmzqM2Dha+NKpXcu47qSBbLpaOdLS5ONq7JDIcZ2byW0ae9khBuL7k2mCa5ZPh96LS46c+v1qNJb6F4NQe+jWSx2H9LIShoihom+lRueBT1/uthW3hnUUUgQMgXU3NYimDNAg6JK6VgX3yKkI7ePLPAet7+ykaL1aPXwcfCAldcobPmls0vxMQDtgd+o4nLqx2sKArFplnwZ9G1SEz2dRXNFm8HI4HhgtOBdv1ISjXO8XGRZWnFqgX3s3BqcwFcPqVuFGHo+2ZvAUW+mdkuAEJOloJEoZXJkFCP+l7/yMV7/FmFAhntqfdTwijEJ+rP/sUbUNSzn6BKM2ITRGXEJkOeNq4xfpgS16AOs+O0DWkIAr0kWCJG+mkn94U7ALCGYQXtKLy0g/87MJ3IwaUU7gowVawHoDmpY0QoAYDJwpbIa9yMnlPOzJANkc99dl85sbLeQMvkkb4RqQlbMc80gkFFhbU5/0kKX483ylqhRi0b4ZjGHgl72s/8+FhxTDkSXJQ2HbrNPGlna+B7TAgxYZ9IS1cpw4wSNzSCk23Rt3STHnXuu/QXRLeMijXGBDFNJgU0JNKLp63JC1gftHcNhqRL6lxK1tLyo5+0Cnh/KJN64b1DpPXZnzdaeR25GQFSDxsymjLm2BFATtufRPJqeIT7tn5TRGTr97fH6LQv/LuJ4VnjS6WLsQoFdUhDuNug2LDuyLHjpKg==
+    openai-api-key: AgCQR+HezEHwiwFD1pIkla1Byzz91SBoUyaWVTTuBrBDq201KvlLmqahjQwpKWs4YvqhmKkbF/mXKuMSyFut72IwH025tfmzzmTryOD6bOQDxI0Ws5NndnztzKv2qw2Js0c+6lAOJR+lEuo1ynGlG3hfS+bGShShvLZIDcD/hDa8IfhQBh7fKyFslJ52KxKK+zeEFDVQcx6Lrq/zP9IPH2QXz0bVQYlRyrQ4vqONO9h2pjxNAhDxuJ5FPk+Hb4ClGjyRPHFT34ZYsYdvHUgkjL3nOeaOUrc0GGJOKYZChfsK/JrqX8iOqgbE+0vQvMX+q8Tr6Ynr0KRKMcGPr6ak3eCNknJaZ1EABtkyUS2u5TzKqMzYq5DF4kpvPApIvaQW+VS05zD8piTQSZEFNRwwXDpyru/R4MmPvwt7OdSM0SJpQ8kR7tsuRgBPFY2Eduk6fhrDmMVgHze3AoRaqyh87CeqR3Z7/XofbdgZBqEp2vwiY425ArB6yMLpVvO6eB+yoTgCJ/UpfOxBDHE1M6U3goJhk/YeOy9UpTfRD1VyA2OuzJliDNtC784wxnGAsOk3qKk1bjjBqUzwITK41mOWqNLKCn4Ol9lXZtbbqLIiU4lXv4Pl93mVSuPLOIXINLGMRFl0rlvDICEjrrfE+JmwKx6i45sqsk3/hz1Fb+/bKFo7pl9JnAXvr5WfDW/rflwBrokfJVeYsSm6R2yxGWlosrKZIwIRctOut1EbbylurI5pIPp6vHguyIvZDDxwj3Qk3ewU/WVAcI9989aLR++UrZ5FGXt3apMk8BY9bq7DIQOUtgfPO98+cVPdoZSIh5bhQpCHAVPMGcGTdIPkuQbxSai0FsP8ipdHx0fluI6p/4v1Rv/BqZH0X8dnwPQoqUhSD+C575w511Fc8PEzgaG63S9hHx5Azw==
+    ui-auth-token: AgBgKRwErv5MtWIdqSN5BSQ/deHFE4469gzqL6gwp/3JidtBEiAAyuOIbc9dRCWuJNcdtixKOZT1rKuI8O/e6oJ6ABGAx+ckDfH468VKsR4AJhdZGcxub5j79NKccbNA5MKTnqxlU05zukUOkgw3wdsOyuQr3RnfL31GFbEVyDMej+Xr7Rs0fWrfqpasCi45/PEi8fkofMg45kGc+LMfDgovNtkKla2MAXwYlUk24SA+lgCFoG2DHB50GdTK2byCks4Px4J3jQqqHdLUfC+/gyqimPoVUsVGb5SY0xeNepKfTz7lHEkmDOB9R1wfv7pUaLMapc+eVrVN7reLHKOA47IEedDpnlLm/fyEfPe7ktkejc59tPyIyxBubrN+Vb/+6bDgi7xsXy/N5uD/2sPqWVgI2D7veWOJEjM+GYOYeb2iRbf7KlrokCXD/gRMiQBKqYyUdjWx40MjrhxzPArOa+cL0kb1CUgwuyjmqq5hNIUO2wo6/kkeNtUeT7r067LE5rtMoZG2EAfw/xrL1CI2F+3c72JzRd//aClt1MsSfPPPoFz0TlWSSc7qNDhYHuQf//G/Zd29Nk/Ac52HVwdkl2AXJE/GIFdwi+ypqK5mjmSUTn/JVE0ZaA3OpHOF/01meISuqBo+HuAWCV8sw6en0F8AF+DF8rw8t5hDdexScXep5QuJmm4CYgqThyjz2V5xME9oMmGA+Yiu/MJ4AlkLowijpXkKEWpEOBRpRRhu2q2szhZqmx1oKJw+qJ40CQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: dot-ai-secrets
+      namespace: dot-ai

secrets/musicman-auth-oidc-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: auth-oidc
+  namespace: music-man
+spec:
+  encryptedData:
+    client-secret: AgAKQ24qP43Dopfb6LfH0o7RIQjK3IMjII8knmdpfL5ldXJRGaYYYQDjZJcIE5HiLoEFXKkLHm39k83l6sJ1fn1RCbbskSGmosYNenJgxOqTZdlyC911km1PVMu890N2JEqUVRQb4YTn8+1dYUglWPL+zaAki3wJ84G5uM6ZY0R7mMEp/5J8RFEeByzdTiHLtB9U2fPnBJiGdKfFN/ysnoZOLN0nAHvvnTEa4pkO2BXNrrhVl7Nje/y9IDmQntCNIHomF9Fy4bo1SpChj1vRXWbLETlMdFkRINHMVWAvemoIDv+CaHVRaaoy/XtTngqA5lyZZwiwiix+HBIDPE5HAnGE/Zqgc2L+ByR3ak33H6O6iGJoVdR79uu9PiW0iaWJwruXgSfm7Fq0KuOHNg0QzfTqsZf0jgT5RhT4apSGHZOl2g4QUkMUee6BPuFM435ZZFdOfDZw1YRdqdFvI6OJgx7+G+kwwnEa125LuBgbJzqLRVxH0LbD9HoBoEqZUB4H0V+0PUY7uVSKcpZUi0RwiLjcoHJzaJlgJdaEc9GrDhh8OvDXOxsBJcRrJDmAH5WbGLXbq7+HUknfbJFkcl6rg9bPWDah0DDf98weqUdafpn0TTt7qoOGW1z27yVApGn9bm9B7ykCa/i9QtX/6G9RTaoslTU45pYzA1Clw9ccRNxv7O+2afU5KZORZPYNXCho4K7tpR7Hw788Rj68x1GYxrZh82+s0fs/SYpvzvN6EiFxKY8R+f1azefD
+    cookie-secret: AgAPJomNWVV2m8izVg8CQ78mnXP9qQaXh1WaIELv4JzwyUIcMOddDDq8PWzmAiWfV24iYj/oy9QB0jruI8+78H5nU6QsF5KB3DlZiDjzwaUeNOs1q4wPsQ/aU9JygYpWD2dYUn4pBYqQQxJyf/gJ1u6jbGMbjsO5J3kkK4RaFiTNt+A3151nmYVgWToknTPPcTaFgpH0xumhQHicO9MyaNsSKOJ1c2AeUiWHqc/0a39tuchCgq4Gm1FOKjXXfevcZw/IamnRiEegoAr5qgSPl7e1xfZeG49FJacsfpWEuQhmKGsaePTHok141VnkKHhlmFdewe3Sn+kSWJbtAx6jky0sqClUKqopVjxfj5IKwcucE0NjxxX2HXmQb/e9nY3BLQ1CRjQQVCNa+JJy6DvAbcERHs7t9T7ATXm4S5lawp9fp8UB1ySy++q4Qvmc+4/16tgugqVEths/n+gSYLWAM8Ibd42RhNXlWqjzvpAUXmHX3Dt/26wNy+5ZnRlcwOIotPBdDqQKlp3fGKc2loC2JHcyN1PH31EwY5+h4pdU/sGSU+EsPd43hALUHq3XzvibHVDQTzyerJgC77NX6kvu2W+V5iWN9LYAAVjMh5yzLYjfgoC/zzIiOIe9yRf6zJzW0nhSkdcoC8EH0lcwEEDp0d/CuO0A6AwWOBaer+tnQtjHeZse9RdKEfyisJDDa7xUNj4T9e8Z+shdkU94vladQpVP1lyRd4auXF7B+T0+1Pkmvac8wDHDk67iomi+1BpS+/2jdJUGJO+91+qIdCFLPi1Y
+  template:
+    metadata:
+      creationTimestamp: null
+      name: auth-oidc
+      namespace: music-man

secrets/overlays/aks-dev/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/aks-prod/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/eks-dev/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/eks-prod/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/gke-dev/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/gke-prod/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/upc-dev/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base

secrets/overlays/upc-prod/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base