secrets

docs/REFERENCE.md

@@ -1109,56 +1109,6 @@ storage:
 - `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `vaultwarden-tls` — auto-managed by cert-manager
 
-### Chibisafe
-
-**Chart**: `l4gdev/chibisafe`
-**Version**: 0.1.1 (app latest)
-**Namespace**: `chibisafe`
-
-**Purpose**: Self-hosted file upload and sharing service.
-
-**Configuration**:
-```yaml
-# infra/overlays/upc-dev/chibisafe/ + infra/values/
-ingress:
-  enabled: true
-  className: "traefik"
-  hosts:
-  - host: chibisafe.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: chibisafe-tls
-    hosts:
-    - chibisafe.forteapps.net
-
-persistence:
-  database:
-    enabled: true   # SQLite, 1Gi
-  uploads:
-    enabled: true   # User files, 10Gi
-```
-
-**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
-
-**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
-
-**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
-
-**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
-
-**Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
-
-**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
-
-**Endpoints**:
-- Web UI: `https://chibisafe.forteapps.net`
-
-**Secrets**:
-- `chibisafe-tls` — auto-managed by cert-manager
-- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
-
 ### AI Code Review (ai-review)
 
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)

infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: auth-oidc
-  namespace: chibisafe
-type: Opaque
-stringData:
-  cookie-secret: "gtwkoUMSp1wJa2o5Fo5CNByR8+kTocJOOuywuLexRO4="

infra/overlays/upc-dev/chibisafe/ingressroute.yaml

@@ -1,36 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: chibisafe-tls
-  namespace: chibisafe
-spec:
-  secretName: chibisafe-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  dnsNames:
-  - chibisafe.forteapps.net
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: chibisafe
-  namespace: chibisafe
-  annotations:
-    gethomepage.dev/enabled: "false"
-    gethomepage.dev/name: "Chibisafe"
-    gethomepage.dev/description: "File upload & sharing"
-    gethomepage.dev/group: "Storage"
-    gethomepage.dev/icon: "chibisafe"
-    gethomepage.dev/href: "https://chibisafe.forteapps.net"
-spec:
-  entryPoints:
-  - websecure
-  routes:
-  - match: Host(`chibisafe.forteapps.net`)
-    kind: Rule
-    services:
-    - name: chibisafe
-      port: 9001
-  tls:
-    secretName: chibisafe-tls

infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml

@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-chibisafe
-  namespace: chibisafe
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "chibisafe",
-      "name": "Chibisafe",
-      "redirectUris": ["https://chibisafe.forteapps.net/*"],
-      "webOrigins": ["https://chibisafe.forteapps.net"],
-      "protocolMappers": [],
-      "secret": {
-        "namespace": "chibisafe",
-        "name": "chibisafe-oidc-credentials",
-        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
-      }
-    }

infra/overlays/upc-dev/chibisafe/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- chibisafe.yaml
-- keycloak-client-config.yaml
-- ingressroute.yaml
-- auth-oidc-secret.yaml

infra/overlays/upc-dev/kustomization.yaml

@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
-- chibisafe
 - vaultwarden-postgresql
 - vaultwarden
+- passwordpusher-postgresql
+- passwordpusher
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher-postgresql.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: passwordpusher
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: passwordpusher-postgresql
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/name: passwordpusher-postgresql
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: passwordpusher
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+- passwordpusher-db-secret-sealed.yaml
+- passwordpusher-smtp-secret-sealed.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: passwordpusher-db-creds
+  namespace: passwordpusher
+spec:
+  encryptedData:
+    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
+    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
+    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: passwordpusher-db-creds
+      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: passwordpusher-smtp-creds
+  namespace: passwordpusher
+spec:
+  encryptedData:
+    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
+    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
+  template:
+    metadata:
+      creationTimestamp: null
+      name: passwordpusher-smtp-creds
+      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: passwordpusher-postgresql
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: passwordpusher
+    app.kubernetes.io/component: database
+spec:
+  type: ClusterIP
+  ports:
+  - name: tcp-postgresql
+    port: 5432
+    targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: passwordpusher
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: passwordpusher-postgresql
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: passwordpusher
+    app.kubernetes.io/component: database
+spec:
+  serviceName: passwordpusher-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/instance: passwordpusher
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgresql
+        app.kubernetes.io/instance: passwordpusher
+        app.kubernetes.io/component: database
+    spec:
+      containers:
+      - name: postgresql
+        image: postgres:16-alpine
+        ports:
+        - name: tcp-postgresql
+          containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: passwordpusher-db-creds
+              key: pgusername
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: passwordpusher-db-creds
+              key: pgpassword
+        - name: POSTGRES_DB
+          value: passwordpusher
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi

infra/overlays/upc-dev/passwordpusher/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher.yaml

infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml

@@ -1,13 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: chibisafe
+  name: passwordpusher
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
   labels:
-    app.kubernetes.io/name: chibisafe
+    app.kubernetes.io/name: passwordpusher
-    app.kubernetes.io/part-of: storage
+    app.kubernetes.io/part-of: security
     app.kubernetes.io/managed-by: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
@@ -15,14 +15,14 @@ spec:
   project: default
 
   sources:
-  - repoURL: https://l4gdev.github.io/helm-charts
+  - repoURL: https://pglombardo.github.io/passwordpusher-charts
-    chart: chibisafe
+    chart: password-pusher
-    targetRevision: "0.1.1"
+    targetRevision: "1.4.4"
     helm:
-      releaseName: chibisafe
+      releaseName: passwordpusher
       valueFiles:
-      - $values/infra/values/base/chibisafe-values.yaml
+      - $values/infra/values/base/passwordpusher-values.yaml
-      - $values/infra/values/upc-dev/chibisafe-values.yaml
+      - $values/infra/values/upc-dev/passwordpusher-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
@@ -30,7 +30,7 @@ spec:
 
   destination:
     server: https://kubernetes.default.svc
-    namespace: chibisafe
+    namespace: passwordpusher
 
   syncPolicy:
     automated:

infra/values/base/chibisafe-values.yaml

@@ -1,45 +0,0 @@
-replicaCount: 1
-
-frontend:
-  image:
-    repository: chibisafe/chibisafe
-    tag: "latest"
-    pullPolicy: IfNotPresent
-
-backend:
-  image:
-    repository: chibisafe/chibisafe-server
-    tag: "latest"
-    pullPolicy: IfNotPresent
-
-caddy:
-  image:
-    repository: caddy
-    tag: "2-alpine"
-    pullPolicy: IfNotPresent
-
-persistence:
-  database:
-    enabled: true
-    size: 1Gi
-    accessModes:
-    - ReadWriteOnce
-
-  uploads:
-    enabled: true
-    size: 10Gi
-    accessModes:
-    - ReadWriteOnce
-
-  logs:
-    enabled: false
-
-service:
-  type: ClusterIP
-  port: 80
-
-networkPolicy:
-  enabled: false
-
-podDisruptionBudget:
-  enabled: false

infra/values/base/passwordpusher-values.yaml

@@ -0,0 +1,7 @@
+image:
+  repository: docker.io/pglombardo/pwpush
+  tag: "release-1.51.0"
+
+# Disable the bundled postgresql subchart — we run our own StatefulSet
+postgresql:
+  enabled: false

infra/values/upc-dev/chibisafe-values.yaml

@@ -1,11 +0,0 @@
-podAnnotations:
-  policies.forteapps.io/auth: "true"
-  policies.forteapps.io/auth-type: "oidc"
-  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
-  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
-  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
-  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
-
-# Ingress disabled — using IngressRoute to target sidecar port directly
-ingress:
-  enabled: false

infra/values/upc-dev/passwordpusher-values.yaml

@@ -0,0 +1,50 @@
+env:
+  PWP__HOST_DOMAIN: pwpush.forteapps.net
+  PWP__HOST_PROTOCOL: https
+  PWP__ENABLE_LOGINS: "true"
+  PWP__ALLOW_ANONYMOUS: "false"
+  PWP__SIGNUPS_ENABLED: "false"
+  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
+  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
+  PWP__MAIL_SMTP_PORT: "587"
+  PWP__MAIL_SMTP_AUTHENTICATION: login
+  PWP__MAIL_SMTP_STARTTLS: "true"
+  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
+  PWP__MAIL_SENDER: noreply@fortedigital.com
+
+envFrom:
+- secretRef:
+    name: passwordpusher-db-creds
+- secretRef:
+    name: passwordpusher-smtp-creds
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "PasswordPusher"
+    gethomepage.dev/description: "Share passwords securely with expiring links"
+    gethomepage.dev/group: "Security"
+    gethomepage.dev/icon: "passwordpusher"
+    gethomepage.dev/href: "https://pwpush.forteapps.net"
+  hosts:
+  - host: pwpush.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: passwordpusher-tls
+    hosts:
+    - pwpush.forteapps.net
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+replicaCount: 1