rbac argo

README.md

@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ### What's Inside
 
-- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -84,25 +84,24 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
-│   │   ├── kustomization.yaml # Aggregates all component subdirectories
-│   │   ├── traefik-application/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── traefik-application.yaml
-│   │   ├── keycloak/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── keycloak.yaml
-│   │   ├── grafana/
-│   │   ├── prometheus/
-│   │   ├── ...               # Each component in its own subdirectory
-│   │   └── secrets/
+│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                # All other Application manifests
+│   │   └── secrets.yaml
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
-│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
-│   │   ├── aks-dev/          # Azure AKS Dev — selective components only
-│   │   ├── aks-prod/         # Azure AKS Prod
+│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
+│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
+│   │   ├── aks-dev/        # Azure AKS Dev
+│   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
@@ -117,18 +116,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications (Kustomize, same pattern as infra)
-│   ├── base/                  # One subdirectory per app
-│   │   ├── kustomization.yaml
-│   │   ├── musicman/
-│   │   ├── mcp10x/
-│   │   ├── dot-ai-stack/
-│   │   ├── ts-mcp/
-│   │   └── argo-mcp/
-│   └── overlays/              # Per-cluster: cherry-pick or include all
-│       ├── upc-dev/           # All apps
-│       ├── upc-prod/         # All apps + patches
-│       └── aks-dev/          # Selective apps only
+├── apps/                      # Business Applications
+│   ├── mcp10x.yaml
+│   ├── musicman.yaml
+│   ├── dot-ai-stack.yaml
+│   └── argo-mcp.yaml
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -380,7 +372,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 
 ### Multi-Source Pattern
 Applications reference both:

apps/base/argo-mcp/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- argo-mcp.yaml
-- argocdmcp-auth-oidc-sealed.yaml
-- argocd-mcp-credentials.yaml

apps/base/dot-ai-stack/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- dot-ai-stack.yaml
-- dot-ai-secrets.yaml

apps/base/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- dot-ai-stack
-- mcp10x
-- musicman
-- ts-mcp
-- argo-mcp
+- dot-ai-stack.yaml
+- mcp10x.yaml
+- musicman.yaml
+- ts-mcp.yaml
+- argo-mcp.yaml

apps/base/mcp10x/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- mcp10x.yaml
-- forte10x-app-credentials-sealed.yaml

apps/base/musicman.yaml

@@ -36,8 +36,13 @@ spec:
     automated:
       prune: true
       selfHeal: true
+      allowEmpty: false
+
     syncOptions:
     - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=false
+    - Replace=false
     retry:
       limit: 5
       backoff:

apps/base/musicman/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- musicman.yaml
-- musicman-credentials.yaml

apps/base/ts-mcp/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ts-mcp.yaml
-- ts-mcp-secrets-sealed.yaml

apps/overlays/aks-dev/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base/musicman

apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dbunk-demo
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "12"
-  labels:
-    app.kubernetes.io/name: dbunk-demo
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/dbunk-demo/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: dbunk-demo
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m

apps/overlays/upc-dev/dbunk-demo/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- dbunk-demo.yaml

apps/overlays/upc-dev/kustomization.yaml

@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
-- dbunk-demo
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

bootstrap.sh

@@ -18,7 +18,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
     ArgoCd
-    Gitea
+#    Gitea
 }
 
 

cluster-resources/network/deny-external-egress-trivy.yaml

@@ -1,37 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: deny-external-egress
-  namespace: trivy-system
-  labels:
-    app.kubernetes.io/managed-by: argocd
-    app.kubernetes.io/part-of: network-policies
-spec:
-  endpointSelector: {}
-  egress:
-    # Allow DNS resolution
-    - toEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: kube-system
-            k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
-
-    # Allow cluster-internal traffic (RFC1918)
-    - toCIDR:
-        - 10.0.0.0/8
-        - 172.16.0.0/12
-        - 192.168.0.0/16
-
-    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
-    - toFQDNs:
-        - matchName: ghcr.io
-        - matchName: pkg-containers.githubusercontent.com
-      toPorts:
-        - ports:
-            - port: "443"
-              protocol: TCP

clusters/aks-dev.yaml

@@ -1,12 +1,12 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure # → determines overlay directory and cloud-specific LB/storage annotations
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations

docs/GITOPS-ARCHITECTURE.md

@@ -120,25 +120,24 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (one dir per component)
-│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
-│   │   ├── traefik-application/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── traefik-application.yaml
-│   │   ├── keycloak/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── keycloak.yaml
-│   │   ├── grafana/
-│   │   ├── prometheus/
-│   │   ├── ...                       # Each component in its own subdirectory
-│   │   └── secrets/
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                       # All other Application manifests
+│   │   └── secrets.yaml
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
-│   │   ├── upc-prod/                # UpCloud Prod — all + patches
-│   │   ├── aks-dev/                 # Azure AKS Dev — selective components
-│   │   ├── aks-prod/               # Azure AKS Prod
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
+│   │   ├── aks-dev/               # Azure AKS Dev
+│   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
@@ -150,17 +149,13 @@ launchpad/
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # One subdirectory per app
+│   ├── base/                         # Base app manifests
 │   │   ├── kustomization.yaml
-│   │   ├── musicman/
-│   │   ├── mcp10x/
-│   │   ├── dot-ai-stack/
-│   │   ├── ts-mcp/
-│   │   └── argo-mcp/
+│   │   ├── dot-ai-stack.yaml
+│   │   └── ...
 │   └── overlays/
-│       ├── upc-dev/                  # All apps (resources: ../../base)
-│       ├── upc-prod/                # All apps + patches
-│       └── aks-dev/                 # Selective apps only
+│       ├── upc-dev/                  # Uses base as-is
+│       └── upc-prod/                # Patches value paths
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -176,8 +171,6 @@ launchpad/
 
 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
-- Each component in `base/` has its own subdirectory with a `kustomization.yaml`
-- Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -360,30 +353,16 @@ spec:
 
 ### Multi-Cluster Pattern
 
-Kustomize overlays enable deploying the same Applications across clusters with different configurations.
-
-Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
+Kustomize overlays enable deploying the same Applications across clusters with different configurations:
 
 ```yaml
-# Option 1: Include ALL components (full cluster)
-# infra/overlays/upc-dev/kustomization.yaml
-resources:
-- ../../base                    # Pulls in every component subdirectory
+# infra/base/ contains default (upc-dev) Applications
+# Helm values are layered: base + cluster-specific
+valueFiles:
+- $values/infra/values/base/traefik-values.yaml    # Shared config
+- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
 
-# Option 2: Cherry-pick specific components (lightweight cluster)
-# infra/overlays/aks-dev/kustomization.yaml
-resources:
-- ../../base/traefik-application
-- ../../base/grafana
-- ../../base/prometheus
-- ../../base/loki
-# Only listed components are deployed — others are excluded
-```
-
-Per-cluster patches swap Helm value file paths:
-
-```yaml
-# infra/overlays/upc-prod/kustomization.yaml
+# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
 patches:
 - target:
     kind: Application

docs/REFERENCE.md

@@ -76,28 +76,33 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications (Kustomize)
-│   ├── base/                      # One subdirectory per component
-│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
-│   │   ├── traefik-application/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── traefik-application.yaml
-│   │   ├── keycloak/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── keycloak.yaml
-│   │   ├── grafana/
-│   │   ├── prometheus/
-│   │   ├── loki/
-│   │   ├── tempo/
-│   │   ├── gitea/
-│   │   ├── opencost/
-│   │   ├── ...                    # Each component in own directory
-│   │   └── secrets/
-│   ├── overlays/                  # Per-cluster: include all or cherry-pick
-│   │   ├── upc-dev/              # resources: [../../base] (all components)
-│   │   ├── upc-prod/            # resources: [../../base] + patches
-│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
-│   │   └── .../                  # 8 clusters total
+├── infra/                         # Infrastructure applications
+│   ├── cluster-resources-application.yaml
+│   ├── enterprise-apps.yaml
+│   ├── traefik-application.yaml
+│   ├── cert-manager-application.yaml
+│   ├── kyverno.yaml
+│   ├── kyverno-policies.yaml
+│   ├── prometheus.yaml
+│   ├── grafana.yaml
+│   ├── loki.yaml
+│   ├── tempo.yaml
+│   ├── fluent-bit.yaml
+│   ├── gitea.yaml
+│   ├── gitea-actions.yaml
+│   ├── sealedsecrets.yaml
+│   ├── secrets.yaml
+│   ├── renovate.yaml
+│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
+│   │   ├── gitea.yaml
+│   │   ├── opencost.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   └── ...
+│   ├── overlays/
+│   │   └── upc-prod/
+│   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
 │       ├── base/                   # Cloud-agnostic Helm values
 │       │   ├── gitea-values.yaml
@@ -117,18 +122,11 @@ launchpad/
 │           ├── gitea-values.yaml
 │           └── opencost-values.yaml
 │
-├── apps/                          # Business applications (Kustomize)
-│   ├── base/                     # One subdirectory per app
-│   │   ├── kustomization.yaml
-│   │   ├── musicman/
-│   │   ├── mcp10x/
-│   │   ├── dot-ai-stack/
-│   │   ├── ts-mcp/
-│   │   └── argo-mcp/
-│   └── overlays/                 # Per-cluster: include all or cherry-pick
-│       ├── upc-dev/
-│       ├── upc-prod/
-│       └── aks-dev/              # Selective apps only
+├── apps/                          # Business applications
+│   ├── mcp10x.yaml
+│   ├── musicman.yaml
+│   ├── dot-ai-stack.yaml
+│   └── argo-mcp.yaml
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -725,59 +723,6 @@ TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 
 ## Infrastructure Components
 
-### Homepage (Platform Dashboard)
-
-**Chart**: `jameswynn/homepage`
-**Namespace**: `homepage`
-**URL**: `https://start.forteapps.net`
-
-Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
-
-**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
-
-**Annotated services**:
-| Service | Namespace | Group | Widget |
-|---------|-----------|-------|--------|
-| `gitea-http` | `gitea` | DevOps | `gitea` |
-| `argocd-server` | `argocd` | DevOps | `argocd` |
-| `keycloak` | `keycloak` | Identity | none |
-| `grafana` | `monitoring` | Monitoring | `grafana` |
-| `karpor-server` | `karpor` | DevOps | none |
-
-**Adding a new app**: Annotate the app's Service in its Helm values:
-```yaml
-service:
-  annotations:
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "My App"
-    gethomepage.dev/description: "What it does"
-    gethomepage.dev/group: "GroupName"
-    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
-    gethomepage.dev/href: "https://myapp.forteapps.net"
-    # Optional live widget:
-    gethomepage.dev/widget.type: "myapp"
-    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
-    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
-```
-
-**Widget API credentials**: Inject via env vars into the Homepage pod:
-```yaml
-# In homepage-values.yaml per environment
-env:
-- name: HOMEPAGE_VAR_GRAFANA_TOKEN
-  valueFrom:
-    secretKeyRef:
-      name: homepage-widget-credentials
-      key: grafana-token
-```
-Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
-
-**Values files**:
-- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
-- `infra/values/{env}/homepage-values.yaml` — hostname per environment
-
----
-
 ### Traefik
 
 **Chart**: `traefik/traefik`
@@ -1063,102 +1008,6 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
-### Vaultwarden
-
-**Chart**: `guerzon/vaultwarden`
-**Version**: 0.36.4 (app v1.36.0-alpine)
-**Namespace**: `vaultwarden`
-
-**Purpose**: Self-hosted Bitwarden-compatible password manager.
-
-**Configuration**:
-```yaml
-# infra/overlays/upc-dev/vaultwarden/ + infra/values/
-domain: "https://bitwarden.forteapps.net"
-
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: bitwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-
-database:
-  type: postgresql
-  host: vaultwarden-postgresql  # StatefulSet in overlay
-  existingSecret: prod-db-creds
-
-storage:
-  data: 5Gi (ReadWriteOnce)
-  attachments: 5Gi (ReadWriteOnce)
-```
-
-**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
-
-**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
-
-**Endpoints**:
-- Web UI: `https://bitwarden.forteapps.net`
-
-**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
-
-**Secrets**:
-- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
-- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
-- `vaultwarden-tls` — auto-managed by cert-manager
-
-### Chibisafe
-
-**Chart**: `l4gdev/chibisafe`
-**Version**: 0.1.1 (app latest)
-**Namespace**: `chibisafe`
-
-**Purpose**: Self-hosted file upload and sharing service.
-
-**Configuration**:
-```yaml
-# infra/overlays/upc-dev/chibisafe/ + infra/values/
-ingress:
-  enabled: true
-  className: "traefik"
-  hosts:
-  - host: chibisafe.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: chibisafe-tls
-    hosts:
-    - chibisafe.forteapps.net
-
-persistence:
-  database:
-    enabled: true   # SQLite, 1Gi
-  uploads:
-    enabled: true   # User files, 10Gi
-```
-
-**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
-
-**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
-
-**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
-
-**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
-
-**Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
-
-**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
-
-**Endpoints**:
-- Web UI: `https://chibisafe.forteapps.net`
-
-**Secrets**:
-- `chibisafe-tls` — auto-managed by cert-manager
-- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
-
 ### AI Code Review (ai-review)
 
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1237,30 +1086,6 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 
-### Keycloak Browser Flow (IdP Auto-Redirect)
-
-**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
-
-The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
-
-**Flow executions**:
-
-| Priority | Authenticator | Requirement | Purpose |
-|----------|--------------|-------------|---------|
-| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
-| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
-
-**Key fields in realm JSON**:
-- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
-- `"authenticationFlows"` — defines the custom flow with its executions
-- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
-
-**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
-
-**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
-
----
-
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)

infra/base/cert-manager-application/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- cert-manager-application.yaml

infra/base/cluster-resources-application/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- cluster-resources-application.yaml

infra/base/databunker/databunker.yaml

@@ -1,42 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: databunker
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: databunker
-    app.kubernetes.io/part-of: identity
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://securitybunker.github.io/databunkerpro-setup
-    chart: databunkerpro
-    targetRevision: "0.1.0"
-    helm:
-      releaseName: databunkerpro
-      valueFiles:
-      - $values/infra/values/base/databunker-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: databunker
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/base/databunker/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- databunker.yaml

infra/base/enterprise-apps/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- enterprise-apps.yaml

infra/base/fluent-bit/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- fluent-bit.yaml

infra/base/gitea-actions/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- gitea-actions.yaml

infra/base/gitea/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- gitea.yaml
-- gitea-backup-s3-sealed.yaml
-- gitea-credentials-sealed.yaml
-- gitea-runner-token-sealed.yaml
-- gitea-smtp-secret-sealed.yaml

infra/base/grafana-dashboards/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- grafana-dashboards.yaml

infra/base/grafana/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- grafana.yaml

infra/base/homepage/homepage-extra-rbac.yaml

@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: homepage-services-reader
-rules:
-- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: homepage-services-reader
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: homepage-services-reader
-subjects:
-- kind: ServiceAccount
-  name: homepage
-  namespace: homepage

infra/base/homepage/homepage-widget-credentials-sealed.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: homepage-widget-credentials
-  namespace: homepage
-spec:
-  encryptedData:
-    HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
-    HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
-  template:
-    metadata:
-      creationTimestamp: null
-      name: homepage-widget-credentials
-      namespace: homepage

infra/base/homepage/homepage.yaml

@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: homepage
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "3"
-  labels:
-    app.kubernetes.io/name: homepage
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://jameswynn.github.io/helm-charts
-    chart: homepage
-    targetRevision: "2.1.0"
-    helm:
-      releaseName: homepage
-      valueFiles:
-      - $values/infra/values/base/homepage-values.yaml
-      - $values/infra/values/upc-dev/homepage-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: homepage
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/base/homepage/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- homepage.yaml
-- homepage-widget-credentials-sealed.yaml
-- homepage-extra-rbac.yaml

infra/base/keycloak.yaml

@@ -43,6 +43,10 @@ spec:
     - ServerSideApply=true
 
   ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args
   - group: apps
     kind: StatefulSet
     jsonPointers:

infra/base/keycloak/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- keycloak.yaml
-- keycloak-credentials-sealed.yaml

infra/base/kustomization.yaml

@@ -1,25 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- traefik-application
-- keycloak
-- grafana
-- cert-manager-application
-- kyverno
-- sealedsecrets
-- prometheus
-- loki
-- fluent-bit
-- enterprise-apps
-- cluster-resources-application
-- kyverno-policies
-- gitea
-- gitea-actions
-- opencost
-- renovate
-- tempo
-- grafana-dashboards
-- karpor
-- databunker
-- homepage
-- vault
+- traefik-application.yaml
+- keycloak.yaml
+- grafana.yaml
+- cert-manager-application.yaml
+- kyverno.yaml
+- sealedsecrets.yaml
+- prometheus.yaml
+- loki.yaml
+- fluent-bit.yaml
+- enterprise-apps.yaml
+- cluster-resources-application.yaml
+- kyverno-policies.yaml
+- secrets.yaml
+- gitea.yaml
+- gitea-actions.yaml
+- opencost.yaml
+- renovate.yaml
+- tempo.yaml
+- grafana-dashboards.yaml
+- network-policies-application.yaml
+- karpor.yaml

infra/base/kyverno-policies.yaml

@@ -27,6 +27,7 @@ spec:
     automated:
       prune: true
       selfHeal: true
+      allowEmpty: false
     syncOptions:
     - CreateNamespace=true
     - Validate=true

infra/base/kyverno-policies/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- kyverno-policies.yaml

infra/base/kyverno/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- kyverno.yaml

infra/base/loki.yaml

@@ -40,9 +40,3 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/network-policies-application.yaml

@@ -1,20 +1,14 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vaultwarden
----
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: vaultwarden-postgresql
+  name: network-policies
   namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
   labels:
-    app.kubernetes.io/name: vaultwarden-postgresql
-    app.kubernetes.io/part-of: security
+    app.kubernetes.io/name: network-policies
+    app.kubernetes.io/part-of: platform
     app.kubernetes.io/managed-by: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
@@ -23,24 +17,17 @@ spec:
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
+    path: cluster-resources/network
 
   destination:
     server: https://kubernetes.default.svc
-    namespace: vaultwarden
 
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
       allowEmpty: false
+
     syncOptions:
-    - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/opencost/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- opencost.yaml

infra/base/prometheus/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- prometheus.yaml

infra/base/renovate/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- renovate.yaml
-- renovate-env-sealed.yaml

infra/base/sealedsecrets/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- sealedsecrets.yaml
-- argocd-forte-helm-secret-sealed.yaml

infra/base/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: secrets
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: secrets
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    path: secrets/overlays/upc-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: secrets
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

infra/base/tempo.yaml

@@ -40,9 +40,3 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/base/traefik-application/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- traefik-application.yaml

infra/base/vault/vault.yaml

@@ -1,49 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vault
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://helm.releases.hashicorp.com
-    chart: vault
-    targetRevision: "0.32.0"
-    helm:
-      releaseName: vault
-      valueFiles:
-      - $values/infra/values/base/vault-values.yaml
-      - $values/infra/values/upc-dev/vault-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vault
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/overlays/aks-dev/kustomization.yaml

@@ -1,31 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/enterprise-apps
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/homepage
-- ../../base/traefik-application
+- ../../base
 
 patches:
-# Homepage: swap upc-dev → aks-dev
-- target:
-    kind: Application
-    name: homepage
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/homepage-values.yaml
-
 # Traefik: swap upc-dev → aks-dev
 - target:
     kind: Application
@@ -35,6 +13,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-dev/traefik-values.yaml
 
+# Keycloak: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/keycloak-values.yaml
+
 # Grafana: swap upc-dev → aks-dev
 - target:
     kind: Application
@@ -44,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-dev/grafana-values.yaml
 
+# Gitea: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/gitea-values.yaml
+
 # OpenCost: swap upc-dev → aks-dev
 - target:
     kind: Application
@@ -53,7 +49,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-dev/opencost-values.yaml
 
-# Ent apps: swap upc-dev → aks-prod
+# Secrets: change path to aks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-dev
+
+# Enterprise-apps: point to aks-dev overlay
 - target:
     kind: Application
     name: enterprise-apps

infra/overlays/aks-prod/kustomization.yaml

@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
+- ../../base
 
 patches:
 # Traefik: swap upc-dev → aks-prod
@@ -24,7 +13,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-prod/traefik-values.yaml
 
-# Grafana: swap upc-dev → aks-prod  
+# Keycloak: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-prod
 - target:
     kind: Application
     name: grafana
@@ -33,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-prod/grafana-values.yaml
 
+# Gitea: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → aks-prod
 - target:
     kind: Application
@@ -41,3 +48,21 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/aks-prod/opencost-values.yaml
+
+# Secrets: change path to aks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-prod
+
+# Enterprise-apps: point to aks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-prod

infra/overlays/eks-dev/kustomization.yaml

@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
+- ../../base
 
 patches:
 # Traefik: swap upc-dev → eks-dev
@@ -24,7 +13,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-dev/traefik-values.yaml
 
-# Grafana: swap upc-dev → eks-dev  
+# Keycloak: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-dev
 - target:
     kind: Application
     name: grafana
@@ -33,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-dev/grafana-values.yaml
 
+# Gitea: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/gitea-values.yaml
+
 # OpenCost: swap upc-dev → eks-dev
 - target:
     kind: Application
@@ -41,3 +48,21 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-dev/opencost-values.yaml
+
+# Secrets: change path to eks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-dev
+
+# Enterprise-apps: point to eks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-dev

infra/overlays/eks-prod/kustomization.yaml

@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
+- ../../base
 
 patches:
 # Traefik: swap upc-dev → eks-prod
@@ -24,7 +13,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-prod/traefik-values.yaml
 
-# Grafana: swap upc-dev → eks-prod  
+# Keycloak: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-prod
 - target:
     kind: Application
     name: grafana
@@ -33,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-prod/grafana-values.yaml
 
+# Gitea: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → eks-prod
 - target:
     kind: Application
@@ -41,3 +48,21 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/eks-prod/opencost-values.yaml
+
+# Secrets: change path to eks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-prod
+
+# Enterprise-apps: point to eks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-prod

infra/overlays/gke-dev/kustomization.yaml

@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
+- ../../base
 
 patches:
 # Traefik: swap upc-dev → gke-dev
@@ -24,7 +13,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-dev/traefik-values.yaml
 
-# Grafana: swap upc-dev → gke-dev  
+# Keycloak: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-dev
 - target:
     kind: Application
     name: grafana
@@ -33,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-dev/grafana-values.yaml
 
+# Gitea: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/gitea-values.yaml
+
 # OpenCost: swap upc-dev → gke-dev
 - target:
     kind: Application
@@ -41,3 +48,21 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-dev/opencost-values.yaml
+
+# Secrets: change path to gke-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-dev
+
+# Enterprise-apps: point to gke-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-dev

infra/overlays/gke-prod/kustomization.yaml

@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
+- ../../base
 
 patches:
 # Traefik: swap upc-dev → gke-prod
@@ -24,7 +13,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-prod/traefik-values.yaml
 
-# Grafana: swap upc-dev → gke-prod  
+# Keycloak: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-prod
 - target:
     kind: Application
     name: grafana
@@ -33,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-prod/grafana-values.yaml
 
+# Gitea: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → gke-prod
 - target:
     kind: Application
@@ -41,3 +48,21 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/gke-prod/opencost-values.yaml
+
+# Secrets: change path to gke-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-prod
+
+# Enterprise-apps: point to gke-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-prod

infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: auth-oidc
-  namespace: chibisafe
-type: Opaque
-stringData:
-  cookie-secret: "gtwkoUMSp1wJa2o5Fo5CNByR8+kTocJOOuywuLexRO4="

infra/overlays/upc-dev/chibisafe/chibisafe.yaml

@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: chibisafe
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: chibisafe
-    app.kubernetes.io/part-of: storage
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://l4gdev.github.io/helm-charts
-    chart: chibisafe
-    targetRevision: "0.1.1"
-    helm:
-      releaseName: chibisafe
-      valueFiles:
-      - $values/infra/values/base/chibisafe-values.yaml
-      - $values/infra/values/upc-dev/chibisafe-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: chibisafe
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/overlays/upc-dev/chibisafe/ingressroute.yaml

@@ -1,36 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: chibisafe-tls
-  namespace: chibisafe
-spec:
-  secretName: chibisafe-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  dnsNames:
-  - chibisafe.forteapps.net
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: chibisafe
-  namespace: chibisafe
-  annotations:
-    gethomepage.dev/enabled: "false"
-    gethomepage.dev/name: "Chibisafe"
-    gethomepage.dev/description: "File upload & sharing"
-    gethomepage.dev/group: "Storage"
-    gethomepage.dev/icon: "chibisafe"
-    gethomepage.dev/href: "https://chibisafe.forteapps.net"
-spec:
-  entryPoints:
-  - websecure
-  routes:
-  - match: Host(`chibisafe.forteapps.net`)
-    kind: Rule
-    services:
-    - name: chibisafe
-      port: 9001
-  tls:
-    secretName: chibisafe-tls

infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml

@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-chibisafe
-  namespace: chibisafe
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "chibisafe",
-      "name": "Chibisafe",
-      "redirectUris": ["https://chibisafe.forteapps.net/*"],
-      "webOrigins": ["https://chibisafe.forteapps.net"],
-      "protocolMappers": [],
-      "secret": {
-        "namespace": "chibisafe",
-        "name": "chibisafe-oidc-credentials",
-        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
-      }
-    }

infra/overlays/upc-dev/chibisafe/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- chibisafe.yaml
-- keycloak-client-config.yaml
-- ingressroute.yaml
-- auth-oidc-secret.yaml

infra/overlays/upc-dev/kustomization.yaml

@@ -2,18 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
-- chibisafe
-- vaultwarden-postgresql
-- vaultwarden
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
-
-patches:
-- target:
-    kind: Application
-    name: databunker
-  patch: |
-    - op: add
-      path: /spec/sources/0/helm/valueFiles/-
-      value: $values/infra/values/upc-dev/databunker-values.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- vaultwarden-postgresql.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- postgresql.yaml
-- vaultwarden-db-secret-sealed.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml

@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  serviceName: vaultwarden-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: vaultwarden
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: vaultwarden
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: vaultwarden
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi

infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: prod-db-creds
-  namespace: vaultwarden
-spec:
-  encryptedData:
-    DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
-    SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
-    SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
-    adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
-    pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
-    pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
-  template:
-    metadata:
-      creationTimestamp: null
-      name: prod-db-creds
-      namespace: vaultwarden

infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml

@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-vaultwarden
-  namespace: vaultwarden
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "vaultwarden",
-      "name": "Vaultwarden",
-      "redirectUris": ["https://vaultwarden.forteapps.net/*"],
-      "webOrigins": ["https://vaultwarden.forteapps.net"],
-      "protocolMappers": [],
-      "secret": {
-        "namespace": "vaultwarden",
-        "name": "vaultwarden-oidc-credentials",
-        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
-      }
-    }

infra/overlays/upc-dev/vaultwarden/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- vaultwarden.yaml
-- keycloak-client-config.yaml

infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml

@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: vaultwarden
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://guerzon.github.io/vaultwarden
-    chart: vaultwarden
-    targetRevision: "0.36.4"
-    helm:
-      releaseName: vaultwarden
-      valueFiles:
-      - $values/infra/values/base/vaultwarden-values.yaml
-      - $values/infra/values/upc-dev/vaultwarden-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vaultwarden
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/overlays/upc-prod/kustomization.yaml

@@ -1,21 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
+- ../../base
 
 patches:
-# Traefik: swap upc-dev → upc-prod
+# Traefik: swap upc-dev → upc-prod in valueFiles
 - target:
     kind: Application
     name: traefik
@@ -24,7 +13,16 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/upc-prod/traefik-values.yaml
 
-# Grafana: swap upc-dev → upc-prod  
+# Keycloak: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → upc-prod
 - target:
     kind: Application
     name: grafana
@@ -33,6 +31,15 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/upc-prod/grafana-values.yaml
 
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → upc-prod
 - target:
     kind: Application
@@ -41,3 +48,21 @@ patches:
     - op: replace
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/upc-prod/opencost-values.yaml
+
+# Secrets: change path to upc-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/overlays/upc-prod
+
+# Enterprise-apps: point to upc-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/upc-prod

infra/values/aks-dev/argocd-values.yaml

@@ -1,5 +0,0 @@
-global:
-  domain: argocd.127.0.0.1.nip.io
-notifications:
-  context:
-    clusterName: "aks-dev-launchpad"

infra/values/aks-dev/homepage-values.yaml

@@ -1,15 +0,0 @@
-ingress:
-  main:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-    - host: start.forteapps.net
-      paths:
-      - path: /
-        pathType: Prefix
-    tls:
-    - secretName: homepage-tls
-      hosts:
-      - start.forteapps.net

infra/values/base/argocd-values.yaml

@@ -35,12 +35,6 @@ server:
     ingressClassName: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
-      gethomepage.dev/enabled: "true"
-      gethomepage.dev/name: "ArgoCD"
-      gethomepage.dev/description: "GitOps continuous delivery"
-      gethomepage.dev/group: "DevOps"
-      gethomepage.dev/icon: "argo-cd"
-      gethomepage.dev/href: "https://argocd.forteapps.net"
     tls: true
   extraArgs:
   - --insecure

infra/values/base/chibisafe-values.yaml

@@ -1,45 +0,0 @@
-replicaCount: 1
-
-frontend:
-  image:
-    repository: chibisafe/chibisafe
-    tag: "latest"
-    pullPolicy: IfNotPresent
-
-backend:
-  image:
-    repository: chibisafe/chibisafe-server
-    tag: "latest"
-    pullPolicy: IfNotPresent
-
-caddy:
-  image:
-    repository: caddy
-    tag: "2-alpine"
-    pullPolicy: IfNotPresent
-
-persistence:
-  database:
-    enabled: true
-    size: 1Gi
-    accessModes:
-    - ReadWriteOnce
-
-  uploads:
-    enabled: true
-    size: 10Gi
-    accessModes:
-    - ReadWriteOnce
-
-  logs:
-    enabled: false
-
-service:
-  type: ClusterIP
-  port: 80
-
-networkPolicy:
-  enabled: false
-
-podDisruptionBudget:
-  enabled: false

infra/values/base/databunker-values.yaml

@@ -1,42 +0,0 @@
-# Default values for databunkerpro
-image:
-  tag: 0.14.15
-
-ingress:
-  enabled: false # Set to true to enable ingress
-  className: traefik
-  # Set host to enable ingress
-  host: databunker.example.com
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: "letsencrypt-prod" # or your cluster issuer
-    traefik.ingress.kubernetes.io/ssl-redirect: "true"
-    traefik.ingress.kubernetes.io/force-ssl-redirect: "true"
-    traefik.ingress.kubernetes.io/ssl-passthrough: "false"
-    # Security headers
-    traefik.ingress.kubernetes.io/configuration-snippet: |
-      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-      add_header X-Frame-Options DENY always;
-      add_header X-Content-Type-Options nosniff always;
-      add_header X-XSS-Protection "1; mode=block" always;
-  # TLS configuration
-  tls:
-    enabled: true # Set to true to enable TLS
-    secretName: "databunker-tls" # Name of the secret containing TLS certificate
-
-# Pin PostgreSQL password — chart uses randAlphaNum without lookup,
-# so each ArgoCD sync would regenerate the password while PVC keeps the old one.
-# Same issue as Backstage PostgreSQL (see MEMORY.md).
-internal:
-  postgresql:
-    auth:
-      password: "databunker-pg-pass-2026"
-
-resources:
-  # Uncomment and adjust these values based on your requirements
-  # requests:
-  #   memory: "512Mi"
-  #   cpu: "250m"
-  # limits:
-  #   memory: "1Gi"
-  #   cpu: "500m"

infra/values/base/gitea-values.yaml

@@ -41,7 +41,6 @@ gitea:
     oauth2:
       ENABLED: true
       ENABLE_AUTO_REGISTRATION: true
-      ACCOUNT_LINKING: auto
       USERNAME: email
 
     session:
@@ -115,15 +114,6 @@ ingress:
   className: traefik
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Gitea"
-    gethomepage.dev/description: "Git hosting & CI/CD"
-    gethomepage.dev/group: "DevOps"
-    gethomepage.dev/icon: "gitea"
-    gethomepage.dev/href: "https://git.forteapps.net"
-    gethomepage.dev/widget.type: "gitea"
-    gethomepage.dev/widget.url: "https://git.forteapps.net"
-    gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
   hosts:
   - host: git.forteapps.net
     paths:

infra/values/base/grafana-values.yaml

@@ -3,21 +3,11 @@ ingress:
   ingressClassName: traefik
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Grafana"
-    gethomepage.dev/description: "Metrics & observability dashboards"
-    gethomepage.dev/group: "Monitoring"
-    gethomepage.dev/icon: "grafana"
-    gethomepage.dev/href: "https://grafana.forteapps.net"
   tls:
   - secretName: grafana-tls
     hosts:
     - grafana.forteapps.net
 
-persistence:
-  enabled: true
-  size: 1Gi
-
 resources:
   requests:
     cpu: 50m

infra/values/base/homepage-values.yaml

@@ -1,72 +0,0 @@
-# Homepage Helm Values
-# Chart: jameswynn/homepage — https://gethomepage.dev
-# Discovery: K8s service annotations (gethomepage.dev/*)
-# Each deployed app annotates its own Service — apps not deployed = not visible.
-
-# RBAC ClusterRole — required for cluster-wide service annotation scanning
-enableRbac: true
-
-serviceAccount:
-  create: true
-  name: homepage
-
-config:
-  # Scan all namespaces for services with gethomepage.dev/enabled: "true"
-  kubernetes:
-    mode: cluster
-    traefik: true
-
-  settings:
-    title: "Platform"
-    headerStyle: clean
-    layout:
-      Apps:
-        style: row
-        columns: 3
-      Security:
-        style: row
-        columns: 3
-      Tools:
-        style: row
-        header: false
-        columns: 2
-        DevOps:
-          style: column
-          rows: 2
-        Monitoring:
-          style: column
-          rows: 1
-
-  # Top-of-page cluster overview widget
-  widgets:
-  - kubernetes:
-      cluster:
-        show: true
-        cpu: true
-        memory: true
-        showLabel: true
-        label: "Cluster"
-      nodes:
-        show: true
-        cpu: true
-        memory: true
-        showLabel: true
-  # In-cluster entries come from K8s service annotations.
-  # External (out-of-cluster) services are listed here statically.
-  bookmarks: []
-  services: []
-
-resources:
-  requests:
-    cpu: 10m
-    memory: 128Mi
-  limits:
-    cpu: 100m
-    memory: 256Mi
-
-env:
-- name: HOMEPAGE_ALLOWED_HOSTS
-  value: start.forteapps.net
-envFrom:
-- secretRef:
-    name: homepage-widget-credentials

infra/values/base/keycloak-values.yaml

@@ -18,12 +18,6 @@ ingress:
   ingressClassName: traefik
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Keycloak"
-    gethomepage.dev/description: "Identity & access management"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "keycloak"
-    gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/"
 
 metrics:
   enabled: true
@@ -58,9 +52,6 @@ keycloakConfigCli:
   enabled: true
   image:
     repository: bitnamilegacy/keycloak-config-cli
-  extraEnvVars:
-  - name: IMPORT_MANAGED_PROTOCOL_MAPPER
-    value: "no-delete"
   configuration:
     forte-realm.json: |
       {
@@ -104,18 +95,6 @@ keycloakConfigCli:
                   "access.token.claim": "true",
                   "userinfo.token.claim": "true"
                 }
-              },
-              {
-                "name": "groups",
-                "protocol": "openid-connect",
-                "protocolMapper": "oidc-group-membership-mapper",
-                "config": {
-                  "claim.name": "groups",
-                  "full.path": "false",
-                  "id.token.claim": "true",
-                  "access.token.claim": "true",
-                  "userinfo.token.claim": "true"
-                }
               }
             ]
           },
@@ -188,54 +167,7 @@ keycloakConfigCli:
             ]
           }
         ],
-        "browserFlow": "browser-auto-idp",
-        "authenticationFlows": [
-          {
-            "alias": "browser-auto-idp",
-            "description": "Browser flow with auto-redirect to Forte Entra IdP",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": false,
-            "authenticationExecutions": [
-              {
-                "authenticator": "auth-cookie",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 10
-              },
-              {
-                "authenticator": "identity-provider-redirector",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 20,
-                "authenticatorConfig": "forte-entra-redirector"
-              }
-            ]
-          }
-        ],
-        "authenticatorConfig": [
-          {
-            "alias": "forte-entra-redirector",
-            "config": {
-              "defaultProvider": "forte-entra"
-            }
-          }
-        ],
         "groups": [
-          {
-            "name": "k8s",
-            "path": "/k8s",
-            "clientRoles": {
-              "grafana": ["Editor"]
-            }
-          },
-          {
-            "name": "dev",
-            "path": "/dev",
-            "clientRoles": {
-              "grafana": ["Viewer"]
-            }
-          },
           {
             "name": "ArgoCD Admins",
             "path": "/ArgoCD Admins"
@@ -505,10 +437,10 @@ extraDeploy:
                   CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
 
                   # Check if credential Secret already exists in target namespace
-                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
+                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
                     --cacert "$CA_CERT" \
                     -H "Authorization: Bearer ${SA_TOKEN}" \
-                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
+                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
 
                   # Skip if hash matches and credential Secret exists
                   if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
@@ -528,47 +460,44 @@ extraDeploy:
                     publicClient: false,
                     redirectUris: .redirectUris,
                     webOrigins: .webOrigins,
+                    defaultClientScopes: .defaultClientScopes,
                     protocolMappers: (.protocolMappers // [])
-                  } | with_entries(select(.value != null))')
+                  }')
 
                   # Check if client already exists
-                  EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
-                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
-                  EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
+                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                    | jq -r '.[0].id // empty')
 
                   if [ -n "$EXISTING" ]; then
                     echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                       -H "Authorization: Bearer ${TOKEN}" \
                       -H "Content-Type: application/json" \
                       -X PUT -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
                     if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
-                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                       annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                       continue
                     fi
                     CLIENT_UUID="$EXISTING"
                   else
                     echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                       -H "Authorization: Bearer ${TOKEN}" \
                       -H "Content-Type: application/json" \
                       -X POST -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                     if [ "$HTTP_CODE" != "201" ]; then
-                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                       annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                       continue
                     fi
                     # Fetch the newly created client's UUID
-                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                       "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
-                      | jq -r '.[0].id' || true)
+                      | jq -r '.[0].id')
                   fi
 
                   # Sync credentials to target namespace

infra/values/base/vault-values.yaml

@@ -1,36 +0,0 @@
-# HashiCorp Vault Helm Chart Values
-# Chart: hashicorp/vault v0.32.0
-
-server:
-  standalone:
-    enabled: true
-
-  dataStorage:
-    enabled: true
-    size: 5Gi
-
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 250m
-      memory: 256Mi
-
-  ingress:
-    enabled: true
-    ingressClassName: traefik
-    pathType: Prefix
-    activeService: true
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-      gethomepage.dev/enabled: "true"
-      gethomepage.dev/name: "Vault"
-      gethomepage.dev/description: "Secrets management"
-      gethomepage.dev/group: "Security"
-      gethomepage.dev/icon: "vault"
-      gethomepage.dev/href: "https://vault.forteapps.net"
-
-ui:
-  enabled: true
-  serviceType: ClusterIP

infra/values/base/vaultwarden-values.yaml

@@ -1,3 +0,0 @@
-image:
-  tag: "1.36.0-alpine"
-domain: "https://vaultwarden.forteapps.net"

infra/values/upc-dev/chibisafe-values.yaml

@@ -1,11 +0,0 @@
-podAnnotations:
-  policies.forteapps.io/auth: "true"
-  policies.forteapps.io/auth-type: "oidc"
-  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
-  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
-  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
-  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
-
-# Ingress disabled — using IngressRoute to target sidecar port directly
-ingress:
-  enabled: false

infra/values/upc-dev/databunker-values.yaml

@@ -1,10 +0,0 @@
-ingress:
-  enabled: true
-  host: databunker.forteapps.net
-  annotations:
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Databunker"
-    gethomepage.dev/description: "Secure Database for PII and PCI Records"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "double-take"
-    gethomepage.dev/href: "https://databunker.forteapps.net"

infra/values/upc-dev/homepage-values.yaml

@@ -1,65 +0,0 @@
-ingress:
-  main:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-    - host: start.forteapps.net
-      paths:
-      - path: /
-        pathType: Prefix
-    tls:
-    - secretName: homepage-tls
-      hosts:
-      - start.forteapps.net
-
-config:
-  settings:
-    title: "Forte Platform"
-    headerStyle: clean
-    layout:
-      Apps:
-        style: row
-        columns: 2
-      Security:
-        style: row
-        columns: 3
-      Tools:
-        style: row
-        header: false
-        columns: 2
-        DevOps:
-          style: column
-          rows: 2
-        Monitoring:
-          style: column
-          rows: 1
-
-  # Top-of-page cluster overview widget
-  widgets:
-  - kubernetes:
-      cluster:
-        show: true
-        cpu: true
-        memory: true
-        showLabel: true
-        label: "Cluster"
-      nodes:
-        show: true
-        cpu: true
-        memory: true
-        showLabel: true
-  # In-cluster entries come from K8s service annotations.
-  # External (out-of-cluster) services are listed here statically.
-  bookmarks: []
-  services:
-  - Apps:
-    - Forte Benken:
-        href: https://benken.hackathon.forteapps.net
-        description: Teknisk kompetanse fra offentlige anbud
-        icon: forte
-    - Forte Feedback:
-        href: https://feedback.forteapps.net
-        description: Fortes internal feedback app
-        icon: forte