homepage annotations

more mem homepage
homepage
2026-04-28 14:10:12 +02:00 · 2026-04-28 14:03:21 +02:00 · 2026-04-28 13:58:34 +02:00 · 2026-04-27 20:35:27 +02:00 · 2026-04-27 20:16:06 +02:00 · 2026-04-27 17:40:46 +02:00
103 changed files with 956 additions and 472 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,2 @@
 # Force LF line endings for shell scripts
 *.sh text eol=lf
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ### What's Inside
- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -84,24 +84,25 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
+│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
-│   │   ├── kustomization.yaml
+│   │   ├── kustomization.yaml # Aggregates all component subdirectories
-│   │   ├── traefik-application.yaml
+│   │   ├── traefik-application/
-│   │   ├── keycloak.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── grafana.yaml
+│   │   │   └── traefik-application.yaml
-│   │   ├── gitea.yaml
+│   │   ├── keycloak/
-│   │   ├── gitea-actions.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── tempo.yaml
+│   │   │   └── keycloak.yaml
-│   │   ├── renovate.yaml
+│   │   ├── grafana/
-│   │   ├── ...                # All other Application manifests
+│   │   ├── prometheus/
-│   │   └── secrets.yaml
+│   │   ├── ...               # Each component in its own subdirectory
 │   │   └── secrets/
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
+│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
-│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
+│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
 │   │   ├── aks-dev/          # Azure AKS Dev — selective components only
 │   │   ├── aks-prod/         # Azure AKS Prod
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
 │   │   ├── aks-dev/        # Azure AKS Dev
 │   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
@@ -116,11 +117,18 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications
+├── apps/                      # Business Applications (Kustomize, same pattern as infra)
-│   ├── mcp10x.yaml
+│   ├── base/                  # One subdirectory per app
-│   ├── musicman.yaml
+│   │   ├── kustomization.yaml
-│   ├── dot-ai-stack.yaml
+│   │   ├── musicman/
-│   └── argo-mcp.yaml
+│   │   ├── mcp10x/
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/              # Per-cluster: cherry-pick or include all
 │       ├── upc-dev/           # All apps
 │       ├── upc-prod/         # All apps + patches
 │       └── aks-dev/          # Selective apps only
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -372,7 +380,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 ### Multi-Source Pattern
 Applications reference both:
--- a/apps/base/argo-mcp/argo-mcp.yaml
+++ b/apps/base/argo-mcp/argo-mcp.yaml
--- a/apps/base/argo-mcp/argocd-mcp-credentials.yaml
+++ b/apps/base/argo-mcp/argocd-mcp-credentials.yaml
--- a/apps/base/argo-mcp/argocdmcp-auth-oidc-sealed.yaml
+++ b/apps/base/argo-mcp/argocdmcp-auth-oidc-sealed.yaml
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -0,0 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
 - argocdmcp-auth-oidc-sealed.yaml
 - argocd-mcp-credentials.yaml
--- a/apps/base/dot-ai-stack/dot-ai-secrets.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-secrets.yaml
--- a/apps/base/dot-ai-stack/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-stack.yaml
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
 - dot-ai-secrets.yaml
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- dot-ai-stack.yaml
+- dot-ai-stack
- mcp10x.yaml
+- mcp10x
- musicman.yaml
+- musicman
- ts-mcp.yaml
+- ts-mcp
- argo-mcp.yaml
+- argo-mcp
--- a/apps/base/mcp10x/forte10x-app-credentials-sealed.yaml
+++ b/apps/base/mcp10x/forte10x-app-credentials-sealed.yaml
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
 - forte10x-app-credentials-sealed.yaml
--- a/apps/base/mcp10x/mcp10x.yaml
+++ b/apps/base/mcp10x/mcp10x.yaml
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
 - musicman-credentials.yaml
--- a/apps/base/musicman/musicman-credentials.yaml
+++ b/apps/base/musicman/musicman-credentials.yaml
@@ -4,6 +4,8 @@ metadata:
  creationTimestamp: null
  name: musicman-credentials
  namespace: music-man
  annotations:
    argocd.argoproj.io/sync-wave: "12"
 spec:
  encryptedData:
    DATABASE_URL: AgBGLu8Rw9z9WMo3uX7fezN7tOVlEsmWtikFlyBxuSuQ1dCv6KTCePkwxJx4LuKvaHXlwdWl5yP8wQxMJP0BNJ1wewFb9zeUkP1YuCz4MrfuXq1zrecIr86R5hNbPiOb66e/4oOTCY/z3QREX9WjZdLJV/PCyBz8MP0D51pgWXpM6CBdhwpFbHSALyJk89+q44c9KkRxAUG2OLnesMeRe9nXJt5ariUCl9Qd2POIjx2hSNII1l0KbTcjI9hCf91DYM6poqKYYQUpnrjKv3LJwWS79I2b56+iTtroH3usIRgaiwgtFt2INm+8gwLBmC4xxKJ5VAjjYB/3dcN9XeboXvj0NB05P9jS3e77imUFANIB9coeaNlcvRWxwGCewYMp8+7RT7jPVA41/+aT/zT74tq9WhkKvgrr1It9/5fRnXtFEkhZg5bBcYCChzooarHkiwKlA3Wo0CrFsDPqy89oZrnwMRnVqKWBf79koZV4l7uCA0do9ojf55lTy8mt3mKQkwfqK9UdzZNbYzH0/Fk6gxlSxANOOqe7kt6VPywYUBnh6JS5U+kdTgNeSrFy/xqLFz28fXuikSJvLEouSFu66MeT+6uvYEmdfdLeh7quW/n+p7QTok3v3kRYJ/1Dl8ZtgvM7e8F/J5bLcacj394AJ/bBt+RIDa+XBjNNPrWKcWt/mkudZ25F/84G+hNxYQv7PIbhYfA1JTuHmQSoF+xah5QhKpyNpI3+knJmJj/4MhPKLnTuebg0xfbPevm2CU9fSa4sPIqmSvSGtqlXODvCfDSFEYzWfyfXV5Tys1NGAt04V8fl9A9UxULUm510NCeD0jzFeeYm3ZJiyavA5xF6hXCHoqLE
--- a/apps/base/musicman/musicman.yaml
+++ b/apps/base/musicman/musicman.yaml
@@ -36,13 +36,8 @@ spec:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=false
    - Replace=false
    retry:
      limit: 5
      backoff:
--- a/apps/base/ts-mcp/kustomization.yaml
+++ b/apps/base/ts-mcp/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
 - ts-mcp-secrets-sealed.yaml
--- a/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
+++ b/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
--- a/apps/base/ts-mcp/ts-mcp.yaml
+++ b/apps/base/ts-mcp/ts-mcp.yaml
--- a/apps/overlays/aks-dev/kustomization.yaml
+++ b/apps/overlays/aks-dev/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base/musicman
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,4 +1,5 @@
 #!/bin/zsh
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
@@ -17,7 +18,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
    ArgoCd
-#    Gitea
+    Gitea
 }
@@ -27,8 +28,9 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f "secrets/"
-    kubectl apply -f private/main.key
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
    kubectl apply -f "private/${CLUSTER}/main.key"
 }
 ############################################################
@@ -36,10 +38,15 @@ Gitea()
 ############################################################
 ArgoCd()
 {
    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
    # install argocd
    echo "Installing ArgoCD..."
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --version "7.8.0" \
            --namespace argocd --create-namespace \
            --values infra/values/base/argocd-values.yaml \
            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -49,4 +56,4 @@ ArgoCd()
    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
-# Bootstrap
+Bootstrap
--- a/cluster-resources/argocd-oidc-secret-sync.yaml
+++ b/cluster-resources/argocd-oidc-secret-sync.yaml
@@ -0,0 +1,83 @@
 # CronJob: syncs OIDC client secret from registrar-managed
 # argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
 # Runs every 2 min. No-ops if source secret doesn't exist yet
 # (safe for fresh deploys before Keycloak is up).
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-oidc-sync
 subjects:
 - kind: ServiceAccount
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 spec:
  schedule: "*/2 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: argocd-oidc-sync
          restartPolicy: Never
          containers:
          - name: sync
            image: bitnami/kubectl:latest
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              # Exit gracefully if source secret doesn't exist yet
              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
                exit 0
              fi
              # Read current OIDC client secret
              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
                -o jsonpath='{.data.client-secret}' | base64 -d)
              # Read current value in argocd-secret (if any)
              CURRENT=$(kubectl get secret argocd-secret -n argocd \
                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
              # Only patch if changed
              if [ "$NEW_SECRET" = "$CURRENT" ]; then
                echo "oidc.clientSecret already up to date"
                exit 0
              fi
              kubectl patch secret argocd-secret -n argocd --type merge \
                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
              echo "Patched argocd-secret with oidc.clientSecret"
--- a/cluster-resources/argocd-repo-server-config.yaml
+++ b/cluster-resources/argocd-repo-server-config.yaml
@@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-repo-server-config
  namespace: argocd
 data:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  ARGOCD_GIT_MODULES_ENABLED: "false"
--- a/cluster-resources/network/deny-external-egress-trivy.yaml
+++ b/cluster-resources/network/deny-external-egress-trivy.yaml
@@ -0,0 +1,37 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: deny-external-egress
  namespace: trivy-system
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/part-of: network-policies
 spec:
  endpointSelector: {}
  egress:
    # Allow DNS resolution
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Allow cluster-internal traffic (RFC1918)
    - toCIDR:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
    - toFQDNs:
        - matchName: ghcr.io
        - matchName: pkg-containers.githubusercontent.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
--- a/clusters/aks-dev.yaml
+++ b/clusters/aks-dev.yaml
@@ -1,12 +1,12 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+keycloakDomain: id.example.com # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiDomain: kubemcp.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+letsencryptEmail: admin@example.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
+cloudProvider: azure # → determines overlay directory and cloud-specific LB/storage annotations
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -120,24 +120,25 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   ├── base/                         # Base Application manifests (one dir per component)
-│   │   ├── kustomization.yaml
+│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
-│   │   ├── traefik-application.yaml
+│   │   ├── traefik-application/
-│   │   ├── keycloak.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── grafana.yaml
+│   │   │   └── traefik-application.yaml
-│   │   ├── gitea.yaml
+│   │   ├── keycloak/
-│   │   ├── gitea-actions.yaml
+│   │   │   ├── kustomization.yaml
-│   │   ├── tempo.yaml
+│   │   │   └── keycloak.yaml
-│   │   ├── renovate.yaml
+│   │   ├── grafana/
-│   │   ├── ...                       # All other Application manifests
+│   │   ├── prometheus/
-│   │   └── secrets.yaml
+│   │   ├── ...                       # Each component in its own subdirectory
 │   │   └── secrets/
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
-│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   ├── upc-prod/                # UpCloud Prod — all + patches
 │   │   ├── aks-dev/                 # Azure AKS Dev — selective components
 │   │   ├── aks-prod/               # Azure AKS Prod
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
 │   │   ├── aks-dev/               # Azure AKS Dev
 │   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
@@ -149,13 +150,17 @@ launchpad/
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # Base app manifests
+│   ├── base/                         # One subdirectory per app
 │   │   ├── kustomization.yaml
-│   │   ├── dot-ai-stack.yaml
+│   │   ├── musicman/
-│   │   └── ...
+│   │   ├── mcp10x/
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/
-│       ├── upc-dev/                  # Uses base as-is
+│       ├── upc-dev/                  # All apps (resources: ../../base)
-│       └── upc-prod/                # Patches value paths
+│       ├── upc-prod/                # All apps + patches
 │       └── aks-dev/                 # Selective apps only
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -171,6 +176,8 @@ launchpad/
 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
 - Each component in `base/` has its own subdirectory with a `kustomization.yaml`
 - Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -353,16 +360,30 @@ spec:
 ### Multi-Cluster Pattern
-Kustomize overlays enable deploying the same Applications across clusters with different configurations:
+Kustomize overlays enable deploying the same Applications across clusters with different configurations.
 Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
 ```yaml
-# infra/base/ contains default (upc-dev) Applications
+# Option 1: Include ALL components (full cluster)
-# Helm values are layered: base + cluster-specific
+# infra/overlays/upc-dev/kustomization.yaml
-valueFiles:
+resources:
- $values/infra/values/base/traefik-values.yaml    # Shared config
+- ../../base                    # Pulls in every component subdirectory
 - $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
-# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
+# Option 2: Cherry-pick specific components (lightweight cluster)
 # infra/overlays/aks-dev/kustomization.yaml
 resources:
 - ../../base/traefik-application
 - ../../base/grafana
 - ../../base/prometheus
 - ../../base/loki
 # Only listed components are deployed — others are excluded
 ```
 Per-cluster patches swap Helm value file paths:
 ```yaml
 # infra/overlays/upc-prod/kustomization.yaml
 patches:
 - target:
    kind: Application
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -76,33 +76,28 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications
+├── infra/                         # Infrastructure applications (Kustomize)
-│   ├── cluster-resources-application.yaml
+│   ├── base/                      # One subdirectory per component
-│   ├── enterprise-apps.yaml
+│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
-│   ├── traefik-application.yaml
+│   │   ├── traefik-application/
-│   ├── cert-manager-application.yaml
+│   │   │   ├── kustomization.yaml
-│   ├── kyverno.yaml
+│   │   │   └── traefik-application.yaml
-│   ├── kyverno-policies.yaml
+│   │   ├── keycloak/
-│   ├── prometheus.yaml
+│   │   │   ├── kustomization.yaml
-│   ├── grafana.yaml
+│   │   │   └── keycloak.yaml
-│   ├── loki.yaml
+│   │   ├── grafana/
-│   ├── tempo.yaml
+│   │   ├── prometheus/
-│   ├── fluent-bit.yaml
+│   │   ├── loki/
-│   ├── gitea.yaml
+│   │   ├── tempo/
-│   ├── gitea-actions.yaml
+│   │   ├── gitea/
-│   ├── sealedsecrets.yaml
+│   │   ├── opencost/
-│   ├── secrets.yaml
+│   │   ├── ...                    # Each component in own directory
-│   ├── renovate.yaml
+│   │   └── secrets/
-│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
+│   ├── overlays/                  # Per-cluster: include all or cherry-pick
-│   │   ├── gitea.yaml
+│   │   ├── upc-dev/              # resources: [../../base] (all components)
-│   │   ├── opencost.yaml
+│   │   ├── upc-prod/            # resources: [../../base] + patches
-│   │   ├── traefik-application.yaml
+│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
-│   │   ├── keycloak.yaml
+│   │   └── .../                  # 8 clusters total
 │   │   ├── grafana.yaml
 │   │   └── ...
 │   ├── overlays/
 │   │   └── upc-prod/
 │   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
 │       ├── base/                   # Cloud-agnostic Helm values
 │       │   ├── gitea-values.yaml
@@ -122,11 +117,18 @@ launchpad/
 │           ├── gitea-values.yaml
 │           └── opencost-values.yaml
 │
-├── apps/                          # Business applications
+├── apps/                          # Business applications (Kustomize)
-│   ├── mcp10x.yaml
+│   ├── base/                     # One subdirectory per app
-│   ├── musicman.yaml
+│   │   ├── kustomization.yaml
-│   ├── dot-ai-stack.yaml
+│   │   ├── musicman/
-│   └── argo-mcp.yaml
+│   │   ├── mcp10x/
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/                 # Per-cluster: include all or cherry-pick
 │       ├── upc-dev/
 │       ├── upc-prod/
 │       └── aks-dev/              # Selective apps only
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -654,13 +656,128 @@ retry:
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
 **Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
 ```yaml
 configs:
  params:
    "reposerver.enable.git.submodule": "false"
 ```
 This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
 **Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
 ```bash
 # Enable admin login
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
 # Log in as admin, do what's needed, then disable again
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
 ```
 ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
 **OIDC Authentication** (Keycloak):
 ```yaml
 configs:
  cm:
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbacConfig:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
 ```
 **Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
 - `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
 - OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
 - The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
 - Safe for fresh deploys: no-ops if source secret doesn't exist yet
 **Ingress** (Traefik + TLS):
 ```yaml
 server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
 configs:
  params:
    "server.insecure": true
 ```
 TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 ---
 ## Infrastructure Components
 ### Homepage (Platform Dashboard)
 **Chart**: `jameswynn/homepage`
 **Namespace**: `homepage`
 **URL**: `https://start.forteapps.net`
 Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
 **Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
 **Annotated services**:
 | Service | Namespace | Group | Widget |
 |---------|-----------|-------|--------|
 | `gitea-http` | `gitea` | DevOps | `gitea` |
 | `argocd-server` | `argocd` | DevOps | `argocd` |
 | `keycloak` | `keycloak` | Identity | none |
 | `grafana` | `monitoring` | Monitoring | `grafana` |
 | `karpor-server` | `karpor` | DevOps | none |
 **Adding a new app**: Annotate the app's Service in its Helm values:
 ```yaml
 service:
  annotations:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "My App"
    gethomepage.dev/description: "What it does"
    gethomepage.dev/group: "GroupName"
    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
    gethomepage.dev/href: "https://myapp.forteapps.net"
    # Optional live widget:
    gethomepage.dev/widget.type: "myapp"
    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
 ```
 **Widget API credentials**: Inject via env vars into the Homepage pod:
 ```yaml
 # In homepage-values.yaml per environment
 env:
 - name: HOMEPAGE_VAR_GRAFANA_TOKEN
  valueFrom:
    secretKeyRef:
      name: homepage-widget-credentials
      key: grafana-token
 ```
 Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
 **Values files**:
 - `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
 - `infra/values/{env}/homepage-values.yaml` — hostname per environment
 ---
 ### Traefik
 **Chart**: `traefik/traefik`
@@ -776,6 +893,15 @@ kubeStateMetrics:
 - Loki
 - Tempo
 **Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
 **OIDC Authentication** (Keycloak):
 - Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
 - Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
 - SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
 - Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
 - Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
 ### Loki
 **Chart**: `grafana/loki-stack`
--- a/infra/base/cert-manager-application/cert-manager-application.yaml
+++ b/infra/base/cert-manager-application/cert-manager-application.yaml
--- a/infra/base/cert-manager-application/kustomization.yaml
+++ b/infra/base/cert-manager-application/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cert-manager-application.yaml
--- a/infra/base/cluster-resources-application/cluster-resources-application.yaml
+++ b/infra/base/cluster-resources-application/cluster-resources-application.yaml
--- a/infra/base/cluster-resources-application/kustomization.yaml
+++ b/infra/base/cluster-resources-application/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-resources-application.yaml
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
@@ -1,33 +1,42 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: network-policies
+  name: databunker
  namespace: argocd
  labels:
    app.kubernetes.io/name: network-policies
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: databunker
    app.kubernetes.io/part-of: identity
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-  source:
+  sources:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: https://securitybunker.github.io/databunkerpro-setup
    chart: databunkerpro
    targetRevision: "0.1.0"
    helm:
      releaseName: databunkerpro
      valueFiles:
      - $values/infra/values/base/databunker-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: cluster-resources/network
+    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: databunker
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/databunker/kustomization.yaml
+++ b/infra/base/databunker/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - databunker.yaml
--- a/infra/base/enterprise-apps/enterprise-apps.yaml
+++ b/infra/base/enterprise-apps/enterprise-apps.yaml
--- a/infra/base/enterprise-apps/kustomization.yaml
+++ b/infra/base/enterprise-apps/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - enterprise-apps.yaml
--- a/infra/base/fluent-bit/fluent-bit.yaml
+++ b/infra/base/fluent-bit/fluent-bit.yaml
--- a/infra/base/fluent-bit/kustomization.yaml
+++ b/infra/base/fluent-bit/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - fluent-bit.yaml
--- a/infra/base/gitea-actions/gitea-actions.yaml
+++ b/infra/base/gitea-actions/gitea-actions.yaml
--- a/infra/base/gitea-actions/kustomization.yaml
+++ b/infra/base/gitea-actions/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea-actions.yaml
--- a/infra/base/gitea/gitea-backup-s3-sealed.yaml
+++ b/infra/base/gitea/gitea-backup-s3-sealed.yaml
--- a/infra/base/gitea/gitea-credentials-sealed.yaml
+++ b/infra/base/gitea/gitea-credentials-sealed.yaml
--- a/infra/base/gitea/gitea-runner-token-sealed.yaml
+++ b/infra/base/gitea/gitea-runner-token-sealed.yaml
--- a/infra/base/gitea/gitea-smtp-secret-sealed.yaml
+++ b/infra/base/gitea/gitea-smtp-secret-sealed.yaml
--- a/infra/base/gitea/gitea.yaml
+++ b/infra/base/gitea/gitea.yaml
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
 - gitea-backup-s3-sealed.yaml
 - gitea-credentials-sealed.yaml
 - gitea-runner-token-sealed.yaml
 - gitea-smtp-secret-sealed.yaml
--- a/infra/base/grafana-dashboards/grafana-dashboards.yaml
+++ b/infra/base/grafana-dashboards/grafana-dashboards.yaml
--- a/infra/base/grafana-dashboards/kustomization.yaml
+++ b/infra/base/grafana-dashboards/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - grafana-dashboards.yaml
--- a/infra/base/grafana/grafana.yaml
+++ b/infra/base/grafana/grafana.yaml
--- a/secrets/overlays/aks-dev/kustomization.yaml
+++ b/secrets/overlays/aks-dev/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- grafana.yaml
--- a/infra/base/homepage/homepage.yaml
+++ b/infra/base/homepage/homepage.yaml
@@ -0,0 +1,43 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: homepage
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "3"
  labels:
    app.kubernetes.io/name: homepage
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://jameswynn.github.io/helm-charts
    chart: homepage
    targetRevision: "2.1.0"
    helm:
      releaseName: homepage
      valueFiles:
      - $values/infra/values/base/homepage-values.yaml
      - $values/infra/values/upc-dev/homepage-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: homepage
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
--- a/infra/base/karpor/karpor.yaml
+++ b/infra/base/karpor/karpor.yaml
--- a/secrets/overlays/eks-prod/kustomization.yaml
+++ b/secrets/overlays/eks-prod/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- karpor.yaml
--- a/infra/base/keycloak/keycloak-credentials-sealed.yaml
+++ b/infra/base/keycloak/keycloak-credentials-sealed.yaml
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -15,7 +15,7 @@ spec:
  project: default
  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
+  - repoURL: registry-1.docker.io/bitnamicharts
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
@@ -47,3 +47,7 @@ spec:
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
 - keycloak-credentials-sealed.yaml
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -1,24 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- traefik-application.yaml
+- traefik-application
- keycloak.yaml
+- keycloak
- grafana.yaml
+- grafana
- cert-manager-application.yaml
+- cert-manager-application
- kyverno.yaml
+- kyverno
- sealedsecrets.yaml
+- sealedsecrets
- prometheus.yaml
+- prometheus
- loki.yaml
+- loki
- fluent-bit.yaml
+- fluent-bit
- enterprise-apps.yaml
+- enterprise-apps
- cluster-resources-application.yaml
+- cluster-resources-application
- kyverno-policies.yaml
+- kyverno-policies
- secrets.yaml
+- gitea
- gitea.yaml
+- gitea-actions
- gitea-actions.yaml
+- opencost
- opencost.yaml
+- renovate
- renovate.yaml
+- tempo
- tempo.yaml
+- grafana-dashboards
- grafana-dashboards.yaml
+- karpor
- network-policies-application.yaml
+- databunker
- karpor.yaml
+- homepage
--- a/infra/base/kyverno-policies/kustomization.yaml
+++ b/infra/base/kyverno-policies/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kyverno-policies.yaml
--- a/infra/base/kyverno-policies/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies/kyverno-policies.yaml
--- a/infra/base/kyverno/kustomization.yaml
+++ b/infra/base/kyverno/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kyverno.yaml
--- a/infra/base/kyverno/kyverno.yaml
+++ b/infra/base/kyverno/kyverno.yaml
--- a/secrets/overlays/aks-prod/kustomization.yaml
+++ b/secrets/overlays/aks-prod/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- loki.yaml
--- a/infra/base/loki/loki.yaml
+++ b/infra/base/loki/loki.yaml
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/opencost/kustomization.yaml
+++ b/infra/base/opencost/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - opencost.yaml
--- a/infra/base/opencost/opencost.yaml
+++ b/infra/base/opencost/opencost.yaml
--- a/infra/base/prometheus/kustomization.yaml
+++ b/infra/base/prometheus/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - prometheus.yaml
--- a/infra/base/prometheus/prometheus.yaml
+++ b/infra/base/prometheus/prometheus.yaml
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
 - renovate-env-sealed.yaml
--- a/infra/base/renovate/renovate-env-sealed.yaml
+++ b/infra/base/renovate/renovate-env-sealed.yaml
--- a/infra/base/renovate/renovate.yaml
+++ b/infra/base/renovate/renovate.yaml
--- a/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
+++ b/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
--- a/infra/base/sealedsecrets/kustomization.yaml
+++ b/infra/base/sealedsecrets/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
 - argocd-forte-helm-secret-sealed.yaml
--- a/infra/base/sealedsecrets/sealedsecrets.yaml
+++ b/infra/base/sealedsecrets/sealedsecrets.yaml
--- a/infra/base/secrets.yaml
+++ b/infra/base/secrets.yaml
@@ -1,30 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: secrets
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
    app.kubernetes.io/name: secrets
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    path: secrets/overlays/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: secrets
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/secrets/overlays/eks-dev/kustomization.yaml
+++ b/secrets/overlays/eks-dev/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- tempo.yaml
--- a/infra/base/tempo/tempo.yaml
+++ b/infra/base/tempo/tempo.yaml
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/traefik-application/kustomization.yaml
+++ b/infra/base/traefik-application/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - traefik-application.yaml
--- a/infra/base/traefik-application/traefik-application.yaml
+++ b/infra/base/traefik-application/traefik-application.yaml
--- a/infra/overlays/aks-dev/kustomization.yaml
+++ b/infra/overlays/aks-dev/kustomization.yaml
@@ -1,9 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/enterprise-apps
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/homepage
 - ../../base/traefik-application
 patches:
 # Homepage: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: homepage
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/homepage-values.yaml
 # Traefik: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -13,15 +35,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -31,15 +44,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -49,16 +53,7 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/opencost-values.yaml
-# Secrets: change path to aks-dev
+# Ent apps: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-dev
 # Enterprise-apps: point to aks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
--- a/infra/overlays/aks-prod/kustomization.yaml
+++ b/infra/overlays/aks-prod/kustomization.yaml
@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → aks-prod
@@ -13,15 +24,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-prod  
 - target:
    kind: Application
@@ -31,15 +33,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-prod
 - target:
    kind: Application
@@ -48,21 +41,3 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/opencost-values.yaml
 # Secrets: change path to aks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-prod
 # Enterprise-apps: point to aks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/aks-prod
--- a/infra/overlays/eks-dev/kustomization.yaml
+++ b/infra/overlays/eks-dev/kustomization.yaml
@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → eks-dev
@@ -13,15 +24,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-dev  
 - target:
    kind: Application
@@ -31,15 +33,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-dev
 - target:
    kind: Application
@@ -48,21 +41,3 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/opencost-values.yaml
 # Secrets: change path to eks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-dev
 # Enterprise-apps: point to eks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-dev
--- a/infra/overlays/eks-prod/kustomization.yaml
+++ b/infra/overlays/eks-prod/kustomization.yaml
@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → eks-prod
@@ -13,15 +24,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-prod  
 - target:
    kind: Application
@@ -31,15 +33,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-prod
 - target:
    kind: Application
@@ -48,21 +41,3 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/opencost-values.yaml
 # Secrets: change path to eks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-prod
 # Enterprise-apps: point to eks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-prod
--- a/infra/overlays/gke-dev/kustomization.yaml
+++ b/infra/overlays/gke-dev/kustomization.yaml
@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → gke-dev
@@ -13,15 +24,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-dev  
 - target:
    kind: Application
@@ -31,15 +33,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/grafana-values.yaml
 # Gitea: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-dev
 - target:
    kind: Application
@@ -48,21 +41,3 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/opencost-values.yaml
 # Secrets: change path to gke-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-dev
 # Enterprise-apps: point to gke-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-dev
--- a/infra/overlays/gke-prod/kustomization.yaml
+++ b/infra/overlays/gke-prod/kustomization.yaml
@@ -1,7 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → gke-prod
@@ -13,15 +24,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-prod  
 - target:
    kind: Application
@@ -31,15 +33,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/grafana-values.yaml
 # Gitea: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-prod
 - target:
    kind: Application
@@ -48,21 +41,3 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/opencost-values.yaml
 # Secrets: change path to gke-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-prod
 # Enterprise-apps: point to gke-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-prod
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -5,3 +5,12 @@ resources:
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
 patches:
 - target:
    kind: Application
    name: databunker
  patch: |
    - op: add
      path: /spec/sources/0/helm/valueFiles/-
      value: $values/infra/values/upc-dev/databunker-values.yaml
--- a/infra/overlays/upc-prod/kustomization.yaml
+++ b/infra/overlays/upc-prod/kustomization.yaml
@@ -1,10 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base
+- ../../base/cert-manager-application
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
-# Traefik: swap upc-dev → upc-prod in valueFiles
+# Traefik: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: traefik
@@ -13,15 +24,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → upc-prod  
 - target:
    kind: Application
@@ -31,15 +33,6 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/grafana-values.yaml
 # Gitea: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → upc-prod
 - target:
    kind: Application
@@ -48,21 +41,3 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/opencost-values.yaml
 # Secrets: change path to upc-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/overlays/upc-prod
 # Enterprise-apps: point to upc-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/upc-prod
--- a/infra/values/aks-dev/argocd-values.yaml
+++ b/infra/values/aks-dev/argocd-values.yaml
@@ -0,0 +1,5 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "aks-dev-launchpad"
--- a/infra/values/aks-dev/homepage-values.yaml
+++ b/infra/values/aks-dev/homepage-values.yaml
@@ -0,0 +1,15 @@
 ingress:
  main:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - host: start.forteapps.net
      paths:
      - path: /
        pathType: Prefix
    tls:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -2,25 +2,49 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
    # oidc.clientSecret managed by argocd-oidc-sync CronJob
    # (reads from argocd-oidc-credentials, patches argocd-secret)
  ssh:
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
-    admin.enabled: "true"
+    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
    admin.enabled: "false"
    url: https://argocd.forteapps.net
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
    policy.default: ""
    scopes: '[groups]'
  params:
    "server.insecure": true
-repoServer:
+    "reposerver.enable.git.submodule": "false"
  env:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  - name: ARGOCD_GIT_MODULES_ENABLED
    value: "false"
 server:
  ingress:
-    enabled: false
+    enabled: true
-    ingressClassName: nginx
+    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      gethomepage.dev/enabled: "true"
      gethomepage.dev/name: "ArgoCD"
      gethomepage.dev/description: "GitOps continuous delivery"
      gethomepage.dev/group: "DevOps"
      gethomepage.dev/icon: "argocd"
      gethomepage.dev/href: "https://argocd.forteapps.net"
      gethomepage.dev/widget.type: "argocd"
      gethomepage.dev/widget.url: "https://argocd.forteapps.net"
      # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_ARGOCD_TOKEN}}"
    tls: true
  extraArgs:
  - --insecure
--- a/infra/values/base/databunker-values.yaml
+++ b/infra/values/base/databunker-values.yaml
@@ -0,0 +1,42 @@
 # Default values for databunkerpro
 image:
  tag: 0.14.15
 ingress:
  enabled: false # Set to true to enable ingress
  className: traefik
  # Set host to enable ingress
  host: databunker.example.com
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # or your cluster issuer
    traefik.ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/ssl-passthrough: "false"
    # Security headers
    traefik.ingress.kubernetes.io/configuration-snippet: |
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-XSS-Protection "1; mode=block" always;
  # TLS configuration
  tls:
    enabled: true # Set to true to enable TLS
    secretName: "databunker-tls" # Name of the secret containing TLS certificate
 # Pin PostgreSQL password — chart uses randAlphaNum without lookup,
 # so each ArgoCD sync would regenerate the password while PVC keeps the old one.
 # Same issue as Backstage PostgreSQL (see MEMORY.md).
 internal:
  postgresql:
    auth:
      password: "databunker-pg-pass-2026"
 resources:
  # Uncomment and adjust these values based on your requirements
  # requests:
  #   memory: "512Mi"
  #   cpu: "250m"
  # limits:
  #   memory: "1Gi"
  #   cpu: "500m"
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -114,6 +114,15 @@ ingress:
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Gitea"
    gethomepage.dev/description: "Git hosting & CI/CD"
    gethomepage.dev/group: "DevOps"
    gethomepage.dev/icon: "gitea"
    gethomepage.dev/href: "https://git.forteapps.net"
    gethomepage.dev/widget.type: "gitea"
    gethomepage.dev/widget.url: "https://git.forteapps.net"
    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
  hosts:
  - host: git.forteapps.net
    paths:
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -3,6 +3,16 @@ ingress:
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Grafana"
    gethomepage.dev/description: "Metrics & observability dashboards"
    gethomepage.dev/group: "Monitoring"
    gethomepage.dev/icon: "grafana"
    gethomepage.dev/href: "https://grafana.forteapps.net"
    gethomepage.dev/widget.type: "grafana"
    gethomepage.dev/widget.url: "https://grafana.forteapps.net"
    # gethomepage.dev/widget.username: "{{HOMEPAGE_VAR_GRAFANA_USER}}"
    # gethomepage.dev/widget.password: "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}"
  tls:
  - secretName: grafana-tls
    hosts:
--- a/infra/values/base/homepage-values.yaml
+++ b/infra/values/base/homepage-values.yaml
@@ -0,0 +1,57 @@
 # Homepage Helm Values
 # Chart: jameswynn/homepage — https://gethomepage.dev
 # Discovery: K8s service annotations (gethomepage.dev/*)
 # Each deployed app annotates its own Service — apps not deployed = not visible.
 # RBAC ClusterRole — required for cluster-wide service annotation scanning
 enableRbac: true
 serviceAccount:
  create: true
  name: homepage
 config:
  # Scan all namespaces for services with gethomepage.dev/enabled: "true"
  kubernetes:
    mode: cluster
  settings:
    title: "Forte Platform"
    headerStyle: clean
    layout:
      DevOps:
        style: row
        columns: 4
      Identity:
        style: row
        columns: 4
      Monitoring:
        style: row
        columns: 4
  # Top-of-page cluster overview widget
  widgets:
  - kubernetes:
      cluster:
        show: true
        cpu: true
        memory: true
        showLabel: true
        label: "Cluster"
      nodes:
        show: false
  # Both empty — all entries come from K8s service annotations
  bookmarks: []
  services: []
  # Widget API credentials (optional — add via SealedSecret + envFrom below)
  # Homepage reads HOMEPAGE_VAR_* env vars and substitutes them in widget annotations.
  # Example: gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"
  # To enable: create a sealed secret and add envFrom to load it.
 resources:
  requests:
    cpu: 10m
    memory: 128Mi
  limits:
    cpu: 100m
    memory: 256Mi
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -18,6 +18,12 @@ ingress:
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Keycloak"
    gethomepage.dev/description: "Identity & access management"
    gethomepage.dev/group: "Identity"
    gethomepage.dev/icon: "keycloak"
    gethomepage.dev/href: "https://id.forteapps.net"
 metrics:
  enabled: true
@@ -132,6 +138,49 @@ keycloakConfigCli:
                }
              }
            ]
          },
          {
            "clientId": "argocd",
            "name": "ArgoCD",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
            "webOrigins": ["https://argocd.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "argocd",
              "k8s.secret.name": "argocd-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "groups",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-group-membership-mapper",
                "config": {
                  "claim.name": "groups",
                  "full.path": "false",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ],
        "groups": [
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
          },
          {
            "name": "ArgoCD Viewers",
            "path": "/ArgoCD Viewers"
          }
        ]
      }
--- a/infra/values/upc-dev/argocd-values.yaml
+++ b/infra/values/upc-dev/argocd-values.yaml
@@ -1,5 +1,5 @@
 global:
-  domain: argocd.127.0.0.1.nip.io
+  domain: argocd.forteapps.net
 notifications:
  context:
    clusterName: "dev-fd-eu-no-svg1"
--- a/infra/values/upc-dev/databunker-values.yaml
+++ b/infra/values/upc-dev/databunker-values.yaml
@@ -0,0 +1,3 @@
 ingress:
  enabled: true
  host: databunker.forteapps.net
--- a/infra/values/upc-dev/homepage-values.yaml
+++ b/infra/values/upc-dev/homepage-values.yaml
@@ -0,0 +1,15 @@
 ingress:
  main:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - host: start.forteapps.net
      paths:
      - path: /
        pathType: Prefix
    tls:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
--- a/secrets/base/kustomization.yaml
+++ b/secrets/base/kustomization.yaml
@@ -1,16 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argocd-forte-helm-secret-sealed.yaml
 - argocd-mcp-credentials.yaml
 - argocdmcp-auth-oidc-sealed.yaml
 - dot-ai-secrets.yaml
 - forte10x-app-credentials-sealed.yaml
 - gitea-backup-s3-sealed.yaml
 - gitea-credentials-sealed.yaml
 - gitea-runner-token-sealed.yaml
 - gitea-smtp-secret-sealed.yaml
 - keycloak-credentials-sealed.yaml
 - musicman-credentials.yaml
 - renovate-env-sealed.yaml
 - ts-mcp-secrets-sealed.yaml
--- a/secrets/overlays/gke-dev/kustomization.yaml
+++ b/secrets/overlays/gke-dev/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
--- a/secrets/overlays/gke-prod/kustomization.yaml
+++ b/secrets/overlays/gke-prod/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Danijel Simeunovic	516498651b	homepage annotations	2026-04-28 14:10:12 +02:00
Danijel Simeunovic	230c160870	more mem homepage	2026-04-28 14:03:21 +02:00
Danijel Simeunovic	d1588975dc	homepage	2026-04-28 13:58:34 +02:00
Danijel Simeunovic	7132f5000e	docs	2026-04-27 20:35:27 +02:00
Danijel Simeunovic	b4100bd456	mm ns	2026-04-27 20:16:06 +02:00
Danijel Simeunovic	fff117a500	ns	2026-04-27 17:40:46 +02:00
Danijel Simeunovic	03c75fc4cd	mm ns	2026-04-27 17:40:05 +02:00
Danijel Simeunovic	df73c4bdc0	mm sync pol	2026-04-27 17:37:54 +02:00
Danijel Simeunovic	6a7de704f2	enterprise-apps	2026-04-27 17:34:43 +02:00
Danijel Simeunovic	be8bbd2c12	aksapps	2026-04-27 17:33:47 +02:00
Danijel Simeunovic	c469ab44b0	ent apps	2026-04-27 17:28:48 +02:00
Danijel Simeunovic	290c8b91f8	db pass	2026-04-27 14:05:38 +02:00
Danijel Simeunovic	a776bae4bd	image tag	2026-04-27 13:00:37 +02:00
Danijel Simeunovic	7405ce27dd	chart name	2026-04-27 12:55:20 +02:00
Danijel Simeunovic	1281e8ef37	databunker	2026-04-27 12:54:18 +02:00
Danijel Simeunovic	c497c54e8e	fix	2026-04-27 12:28:47 +02:00
Danijel Simeunovic	b57459cf85	rm secrets2	2026-04-27 12:25:25 +02:00
Danijel Simeunovic	e8dd213685	rm secrets	2026-04-27 12:24:14 +02:00
Danijel Simeunovic	1d879c82f9	secrets shuffle	2026-04-27 12:21:50 +02:00
Danijel Simeunovic	94c8265475	overlays2	2026-04-27 12:01:59 +02:00
Danijel Simeunovic	17d7c4a655	overlays	2026-04-27 11:49:10 +02:00
Danijel Simeunovic	f3dba72c5d	aks-dev	2026-04-27 11:33:24 +02:00
Danijel Simeunovic	cc9c9049eb	ignore diff	2026-04-26 23:55:55 +02:00
Danijel Simeunovic	9f6c5105af	netpol all remove	2026-04-25 16:04:13 +02:00
Danijel Simeunovic	45e502d74d	argocd tls	2026-04-25 11:49:17 +02:00
		`@@ -0,0 +1,2 @@`
							`# Force LF line endings for shell scripts`
							`*.sh text eol=lf`