merge

forte-drop, forte-drop-mcp and forte-drop-postgresql lived under apps/base/
but were only ever wired into the upc-dev overlay (never listed in
apps/base/kustomization.yaml). They carry hackathon-domain hardcoded values
and must not sync to upc-prod, so they belong in the overlay alongside
dbunk-demo — per danijel.simeunovic's review on PR #18.

- git mv the three dirs into apps/overlays/upc-dev/ (history preserved)
- rewrite overlay kustomization refs from ../../base/forte-drop* to local
- repoint forte-drop-postgresql Application path
  apps/base/... -> apps/overlays/upc-dev/forte-drop-postgresql/resources

Render-verified: kubectl kustomize apps/overlays/upc-dev differs only by the
postgres path line; apps/overlays/upc-prod render byte-identical (forte-drop
never reaches prod).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/scan.yaml

@@ -1,20 +0,0 @@
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - name: Install TruffleHog
-      run: |
-        curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
-          | sh -s -- -b /usr/local/bin
-    - name: Secret Scanning
-      run: trufflehog git file://. --fail --no-update --results=verified,unknown

.tofu/platforms/upc/prod/main.tf

@@ -1,3 +1,64 @@
+# =============================================================================
+# UpCloud Workload Cluster
+# =============================================================================
+# A lean UCS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env upcloud-workload
+#   ./deploy-workload.sh --env upcloud-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+  default     = "no-svg1"
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+  default     = "2xCPU-4GB"
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.110.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
 module "cluster" {
   source = "../modules/cluster"
 
@@ -15,3 +76,45 @@ module "cluster" {
     ManagedBy   = "tofu"
   }
 }
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-workload-router"
+}
+
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-workload-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-workload-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# ─── Kubernetes Cluster ───────────────────────────────────────────────
+
+resource "upcloud_kubernetes_cluster" "main-prod" {
+  name                    = "${var.prefix}-workload"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}

.tofu/scripts/get-kubeconfig.sh

@@ -5,56 +5,9 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
 PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
 
-usage() {
-  cat <<EOF
-Usage: $0 <cluster> --envtype <dev|prod|workload>
-
-  Fetch (or reuse) a kubeconfig for the given cluster.
-  Platform is read from the cluster prefix (<platform>-...).
-  Env type must be supplied explicitly — it is no longer inferred
-  from the cluster name, so names like 'upc-forte-group' work.
-
-  Examples:
-    $0 aks-dev          --envtype dev
-    $0 upc-forte-group  --envtype prod
-    $0 eks-workload     --envtype workload
-EOF
-  exit "${1:-0}"
-}
-
-CLUSTER=""
-ENVTYPE=""
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --envtype)    ENVTYPE="${2:-}"; shift 2 ;;
-    --envtype=*)  ENVTYPE="${1#*=}"; shift ;;
-    -h|--help)    usage 0 ;;
-    -*)           echo "Unknown option: $1"; usage 1 ;;
-    *)
-      if [[ -z "$CLUSTER" ]]; then
-        CLUSTER="$1"; shift
-      else
-        echo "Error: unexpected argument '$1'"; usage 1
-      fi
-      ;;
-  esac
-done
-
-[[ -z "$CLUSTER" ]] && { echo "Error: <cluster> argument required"; usage 1; }
-[[ -z "$ENVTYPE" ]] && { echo "Error: --envtype <dev|prod|workload> required"; usage 1; }
-
-case "$ENVTYPE" in
-  dev|prod|workload) ;;
-  *) echo "Error: invalid --envtype '$ENVTYPE'. Expected: dev, prod, workload"; exit 1 ;;
-esac
-
+CLUSTER="${1:?Usage: $0 <cluster> (e.g., aks-dev, eks-prod)}"
 PLATFORM="${CLUSTER%%-*}"
-ENV="$ENVTYPE"
-
-case "$PLATFORM" in
-  aks|eks|gke|upc) ;;
-  *) echo "Error: unknown platform '$PLATFORM'. Expected: aks, eks, gke, upc"; exit 1 ;;
-esac
+ENV="${CLUSTER#*-}"
 
 KUBECONFIG_FILE="$PROJECT_ROOT/private/$CLUSTER/kubeconfig"
 
@@ -100,6 +53,10 @@ else
       CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
       upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
       ;;
+    *)
+      echo "Error: unknown platform '$PLATFORM'"
+      exit 1
+      ;;
   esac
 
   chmod 600 "$KUBECONFIG_FILE"

.tofu/scripts/setup-cluster.sh

@@ -8,33 +8,25 @@ PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
 # ─── Usage ────────────────────────────────────────────────────────────
 usage() {
   cat <<EOF
-Usage: $0 <cluster> --envtype <dev|prod|workload> [options]
+Usage: $0 <cluster> [options]
 
   Provision a Kubernetes cluster using OpenTofu.
-  Cluster name is opaque — platform is read from its prefix
-  (<platform>-...), env is taken from --envtype.
+  Mirrors bootstrap.sh convention: cluster = <platform>-<env>
 
-  Platforms (inferred from cluster prefix):
-    aks | eks | gke | upc
-
-  Env types (required via --envtype):
-    dev       Platform cluster, development
-    prod      Platform cluster, production
-    workload  Lean cluster for application workloads (no managed data
-              services — those run on the platform cluster)
+  Clusters:   aks-dev | aks-prod | eks-dev | eks-prod
+              gke-dev | gke-prod | upc-dev | upc-prod
+              <platform>-workload (for workload clusters)
 
   Options:
-    --envtype <type>   dev | prod | workload  (required)
-    --plan             Plan only, don't apply
-    --destroy          Destroy the cluster (use teardown-cluster.sh instead)
-    --auto             Skip confirmation prompts
-    -h, --help         Show this help
+    --plan        Plan only, don't apply
+    --destroy     Destroy the cluster (use teardown-cluster.sh instead)
+    --auto        Skip confirmation prompts
+    -h, --help    Show this help
 
   Examples:
-    $0 aks-dev          --envtype dev
-    $0 eks-prod         --envtype prod --plan
-    $0 upc-forte-group  --envtype prod --auto
-    $0 upc-workload     --envtype workload
+    $0 aks-dev
+    $0 eks-prod --plan
+    $0 upc-dev --auto
 
   Prerequisites:
     - tofu, kubectl, helm installed
@@ -49,20 +41,17 @@ EOF
 
 # ─── Parse arguments ──────────────────────────────────────────────────
 CLUSTER=""
-ENVTYPE=""
 PLAN_ONLY=false
 DESTROY=false
 AUTO_APPROVE=false
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
-    --plan)        PLAN_ONLY=true; shift ;;
-    --destroy)     DESTROY=true; shift ;;
-    --auto)        AUTO_APPROVE=true; shift ;;
-    --envtype)     ENVTYPE="${2:-}"; shift 2 ;;
-    --envtype=*)   ENVTYPE="${1#*=}"; shift ;;
-    -h|--help)     usage 0 ;;
-    -*)            echo "Unknown option: $1"; usage 1 ;;
+    --plan)       PLAN_ONLY=true; shift ;;
+    --destroy)    DESTROY=true; shift ;;
+    --auto)       AUTO_APPROVE=true; shift ;;
+    -h|--help)    usage 0 ;;
+    -*)           echo "Unknown option: $1"; usage 1 ;;
     *)
       if [[ -z "$CLUSTER" ]]; then
         CLUSTER="$1"
@@ -76,16 +65,10 @@ while [[ $# -gt 0 ]]; do
 done
 
 [[ -z "$CLUSTER" ]] && { echo "Error: <cluster> argument required"; usage 1; }
-[[ -z "$ENVTYPE" ]] && { echo "Error: --envtype <dev|prod|workload> required"; usage 1; }
 
-case "$ENVTYPE" in
-  dev|prod|workload) ;;
-  *) echo "Error: invalid --envtype '$ENVTYPE'. Expected: dev, prod, workload"; exit 1 ;;
-esac
-
-# ─── Resolve platform + env ───────────────────────────────────────────
-PLATFORM="${CLUSTER%%-*}"   # cluster prefix → platform (e.g. upc-forte-group → upc)
-ENV="$ENVTYPE"              # env comes from --envtype, not the cluster name
+# ─── Map cluster → platform + env ────────────────────────────────────
+PLATFORM="${CLUSTER%%-*}"   # aks-dev → aks
+ENV="${CLUSTER#*-}"         # aks-dev → dev
 
 case "$PLATFORM" in
   aks|eks|gke|upc) ;;

_app-of-apps-upc-forte-group.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-forte-group
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

apps/base/kustomization.yaml

@@ -1,6 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/mcp10x
-- ../../base/ts-mcp
-
+- dot-ai-stack
+- mcp10x
+- musicman
+- ts-mcp
+- argo-mcp

apps/overlays/upc-dev/forte-drop/forte-drop.yaml

@@ -5,9 +5,9 @@ metadata:
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
-#    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-#    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-#    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
   labels:
     app.kubernetes.io/name: forte-drop
     app.kubernetes.io/part-of: apps

apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml

@@ -1,3 +1,8 @@
+# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
+# to the keycloak namespace; a CronJob registers the OIDC client in the forte
+# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
+# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
+# registrar-created Secret automatically — no manual SealedSecret step needed.
 apiVersion: v1
 kind: Secret
 metadata:
@@ -19,8 +24,8 @@ stringData:
       "directAccessGrantsEnabled": false,
       "serviceAccountsEnabled": false,
       "publicClient": false,
-      "redirectUris": ["https://drop.forteapps.net/auth/callback"],
-      "webOrigins": ["https://drop.forteapps.net"],
+      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
+      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
       "defaultClientScopes": ["openid","email","profile"],
       "secret": {
         "namespace": "forte-drop",

apps/overlays/upc-dev/forte-drop/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- namespace.yaml
 - forte-drop.yaml
 - keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml

apps/overlays/upc-dev/forte-drop/namespace.yaml

@@ -0,0 +1,17 @@
+# Owns the forte-drop namespace shared by the web + mcp deployments and the
+# postgres StatefulSet (infra overlay). sync-wave -1 ensures the namespace exists
+# before the namespaced Secrets/PDB in this base apply (avoids a first-sync
+# "namespaces forte-drop not found" race when the business-apps parent syncs).
+# Prune=false so removing this base never cascade-deletes the namespace (and with
+# it postgres data + the mcp deployment) — matches the earlier decision to keep
+# namespace ownership decoupled from any single workload.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: forte-drop
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+    argocd.argoproj.io/sync-options: Prune=false
+  labels:
+    app.kubernetes.io/managed-by: argocd
+    app.kubernetes.io/part-of: apps

apps/overlays/upc-dev/kustomization.yaml

@@ -1,19 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base/musicman
-- ../../base/dot-ai-stack
-- ../../base/argo-mcp
+- ../../base
 - forte-drop-postgresql
 - forte-drop
 - forte-drop-mcp
 
-patches:
-# dot-ai-stack: swap upc-dev → upc-forte-group
-- target:
-    kind: Application
-    name: dot-ai-stack
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-dev/dot-ai-stack-values.yaml
+# No patches needed — base apps already default to "upc-dev" value paths
+# (upc-dev is the default/base cluster).
+# forte-drop (postgres + web + mcp) and dbunk-demo are upc-dev-only apps — they
+# have hackathon-domain hardcoded values and must not sync to upc-prod, so they
+# live here in the overlay rather than in apps/base/.

apps/overlays/upc-prod/kustomization.yaml

@@ -2,3 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+
+patches:
+# dot-ai-stack: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: dot-ai-stack
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/dot-ai-stack-values.yaml

bootstrap.sh

@@ -3,7 +3,7 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster>  # e.g. upc-dev, upc-prod, upc-forte-group, aks-dev, eks-prod, gke-dev — must match clusters/<cluster>.yaml}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
 
 echo "running $0 for cluster: ${CLUSTER}..."
 

clusters/upc-forte-group.yaml

@@ -1,12 +0,0 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: prod-fd-no-svg1             # → infra/values/upc-forte-group/argocd-values.yaml (notifications.context.clusterName)
-domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-forte-group/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-forte-group/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.fortedigital.com      # → infra/values/upc-forte-group/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-forte-group/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-forte-group/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "172.16.1.0/24"             # → infra/values/upc-forte-group/traefik-values.yaml (ports.*.trustedIPs)
-cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

infra/base/gitea/gitea.yaml

@@ -17,7 +17,7 @@ spec:
   sources:
   - repoURL: https://dl.gitea.com/charts
     chart: gitea
-    targetRevision: "12.6.0"
+    targetRevision: "12.5.0"
     helm:
       releaseName: gitea
       valueFiles:

infra/overlays/upc-dev/kustomization.yaml

@@ -28,3 +28,12 @@ resources:
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
+
+patches:
+- target:
+    kind: Application
+    name: databunker
+  patch: |
+    - op: add
+      path: /spec/sources/0/helm/valueFiles/-
+      value: $values/infra/values/upc-dev/databunker-values.yaml

infra/overlays/upc-forte-group/kustomization.yaml

@@ -1,61 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base/cert-manager-application
-- ../../base/cluster-resources-application
-- ../../base/enterprise-apps
-- ../../base/fluent-bit
-- ../../base/gitea
-- ../../base/gitea-actions
-- ../../base/grafana
-- ../../base/grafana-dashboards
-- ../../base/homepage
-- ../../base/karpor
-- ../../base/keycloak
-- ../../base/kyverno
-- ../../base/kyverno-policies
-- ../../base/loki
-- ../../base/opencost
-- ../../base/prometheus
-- ../../base/renovate
-- ../../base/sealedsecrets
-- ../../base/tempo
-- ../../base/traefik-application
-- ../../base/vault
-
-patches:
-# Traefik: swap upc-dev → upc-forte-group
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-forte-group/traefik-values.yaml
-
-# Grafana: swap upc-dev → upc-forte-group  
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-forte-group/grafana-values.yaml
-
-# OpenCost: swap upc-dev → upc-forte-group
-- target:
-    kind: Application
-    name: opencost
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-forte-group/opencost-values.yaml
-
-# Gitea: swap upc-dev → upc-forte-group
-- target:
-    kind: Application
-    name: gitea
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-forte-group/gitea-values.yaml

infra/values/upc-dev/homepage-values.yaml

@@ -59,6 +59,10 @@ config:
         href: https://benken.hackathon.forteapps.net
         description: Teknisk kompetanse fra offentlige anbud
         icon: forte
+    - Forte Drop:
+        href: https://drop.hackathon.forteapps.net
+        description: Self-hosted HTML-drops + MCP for Claude
+        icon: forte
     - Forte Feedback:
         href: https://feedback.forteapps.net
         description: Fortes internal feedback app

infra/values/upc-forte-group/argocd-values.yaml

@@ -1,5 +0,0 @@
-global:
-  domain: argocd.fortedigital.com
-notifications:
-  context:
-    clusterName: "prod-fd-no-svg1"

infra/values/upc-forte-group/gitea-values.yaml

@@ -1,50 +0,0 @@
-# UpCloud storage class for Gitea and its embedded PostgreSQL
-persistence:
-  storageClass: upcloud-block-storage-maxiops
-postgresql:
-  primary:
-    persistence:
-      storageClass: upcloud-block-storage-maxiops
-
-gitea:
-  # -- Gitea app.ini configuration
-  config:
-    APP_NAME: "Forte Git"
-
-    server:
-      DOMAIN: source.forteapps.net
-      ROOT_URL: https://source.forteapps.net
-      SSH_DOMAIN: source.forteapps.net
-
-
-# -- Ingress via Traefik with Let's Encrypt TLS
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "Gitea"
-    gethomepage.dev/description: "Git hosting & CI/CD"
-    gethomepage.dev/group: "DevOps"
-    gethomepage.dev/icon: "gitea"
-    gethomepage.dev/href: "https://source.forteapps.net"
-    gethomepage.dev/widget.type: "gitea"
-    gethomepage.dev/widget.url: "https://source.forteapps.net"
-    gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
-  hosts:
-  - host: source.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: gitea-tls
-    hosts:
-    - source.forteapps.net
-
-# -- Git repository storage
-persistence:
-  enabled: true
-  size: 20Gi
-  accessModes:
-  - ReadWriteOnce

infra/values/upc-forte-group/grafana-values.yaml

@@ -1,3 +0,0 @@
-ingress:
-  hosts:
-  - grafana.fortedigital.com

infra/values/upc-forte-group/keycloak-values.yaml

@@ -1,2 +0,0 @@
-ingress:
-  hostname: id.forteapps.com

infra/values/upc-forte-group/opencost-values.yaml

@@ -1,15 +0,0 @@
-# UpCloud custom pricing (no native OpenCost integration)
-opencost:
-  exporter:
-    customPricing:
-      enabled: true
-      provider: custom
-      costModel:
-        description: "UpCloud 4-node cluster pricing"
-        CPU: "5.86"
-        RAM: "1.46"
-        GPU: "0"
-        storage: "0.34"
-        zoneNetworkEgress: "0"
-        regionNetworkEgress: "0"
-        internetNetworkEgress: "0"

infra/values/upc-forte-group/traefik-values.yaml

@@ -1,13 +0,0 @@
-service:
-  annotations: {}
-ports:
-  web:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/16"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/16"
-  websecure:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/16"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/16"

infra/values/upc-prod/dot-ai-stack-values.yaml

@@ -0,0 +1,8 @@
+dot-ai:
+  ingress:
+    host: kubemcp.fortedigital.com
+  webUI:
+    baseUrl: http://kubemcpui.fortedigital.com
+dot-ai-ui:
+  ingress:
+    host: kubemcpui.fortedigital.com