repo url

Co-authored-by: gitea_admin <admin@forteapps.net>
Reviewed-on: #7
Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>

.gitea/workflows/ai-review.yaml

@@ -0,0 +1,47 @@
+name: AI Code Review
+
+on:
+  pull_request:
+    types: [ labeled, synchronize ]
+
+jobs:
+  ai-review:
+    if: >-
+      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
+    runs-on: ubuntu-latest
+
+    env:
+      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
+      # VCS configuration
+      VCS__PROVIDER: GITEA
+      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
+      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
+      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
+      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
+      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
+      # Review — disable fallback to see real Gitea API errors
+      REVIEW__INLINE_COMMENT_FALLBACK: "false"
+      # LLM configuration
+      LLM__PROVIDER: CLAUDE
+      LLM__META__MODEL: claude-sonnet-4-20250514
+      LLM__META__MAX_TOKENS: "4096"
+      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
+      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+        token: ${{ secrets.AI_REVIEW_TOKEN }}
+
+    - name: Run inline review
+      uses: docker://nikitafilonov/ai-review:v0.64.0
+      with:
+        args: ai-review run-inline
+
+    - name: Run summary review
+      uses: docker://nikitafilonov/ai-review:v0.64.0
+      with:
+        args: ai-review run-summary

.github/workflows/docs.yml

@@ -1,34 +0,0 @@
-name: Deploy Gitea Pages
-
-on:
-  push:
-    branches: [ main ]
-    paths:
-    - 'docs/**'
-    - 'mkdocs.yml'
-  workflow_dispatch:
-
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Install dependencies
-      run: |
-        apt-get update -qq
-        apt-get install -y -qq python3-pip
-        pip3 install --break-system-packages mkdocs mkdocs-material
-
-    - run: mkdocs build
-
-    - name: Deploy to Gitea Pages
-      run: |
-        cd site
-        git init
-        git config user.name "gitea-actions"
-        git config user.email "actions@forteapps.net"
-        git add .
-        git commit -m "Deploy docs"
-        git push --force "https://x-token:${{ secrets.GITEA_TOKEN }}@git.forteapps.net/Forte/launchpad.git" HEAD:gitea-pages

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "shared-prompts"]
+	path = shared-prompts
+	url = https://git.forteapps.net/Forte/ai-review-prompts.git

.project-standards.yaml

@@ -1,7 +0,0 @@
-standards_version: "2025.1"
-last_configured: "2026-04-04"
-components:
-  github-pages: "2025.1"
-  github-pages-generator: "mkdocs"
-  github-pages-source: "docs/"
-  github-pages-theme: "material"

README.md

@@ -146,12 +146,12 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 |------------|---------|-----------|-----------|
 | **[launchpad](https://git.forteapps.net/Forte/launchpad)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
 | **[forte-helm](https://git.forteapps.net/Forte/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
-| **[helm-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
+| **[helm-prod-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
 
 ### GitOps Workflow
 
 ```
-Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD syncs → Deployed to cluster
+Developer commits code → CI/CD builds image → Updates helm-prod-values → ArgoCD syncs → Deployed to cluster
 ```
 
 **Learn more**: [GitOps Architecture - GitOps Workflow](docs/GITOPS-ARCHITECTURE.md#gitops-workflow)
@@ -166,7 +166,7 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
-2. Create `helm-values/myapp/values.yaml` (configuration)
+2. Create `helm-prod-values/myapp/values.yaml` (configuration)
 3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!
 
@@ -175,8 +175,8 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 **See detailed guide**: [Developer Guide - Updating an Existing Application](docs/DEVELOPER-GUIDE.md#updating-an-existing-application)
 
 **Quick version**:
-- **Update code**: Push to app repo → CI/CD updates image tag in helm-values
+- **Update code**: Push to app repo → CI/CD updates image tag in helm-prod-values
-- **Update config**: Edit `helm-values/myapp/values.yaml` → commit → push
+- **Update config**: Edit `helm-prod-values/myapp/values.yaml` → commit → push
 
 ### Manage Secrets
 
@@ -204,7 +204,7 @@ git push
 
 **Quick version**:
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 
 # Token-based auth (simple)
 auth:
@@ -366,7 +366,7 @@ kubectl patch application myapp -n argocd \
 ### Multi-Source Pattern
 Applications reference both:
 1. **Helm charts** from `forte-helm` (templates)
-2. **Values** from `helm-values` (configuration)
+2. **Values** from `helm-prod-values` (configuration)
 
 This separates reusable templates from environment-specific config.
 
@@ -435,7 +435,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 ### Adding a New Application
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
-3. Create Helm values in `helm-values/`
+3. Create Helm values in `helm-prod-values/`
 4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!
 
@@ -485,8 +485,8 @@ Documentation lives in `docs/`. To update:
 - [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 
 ### Related Repositories
-- [forte-helm](https://github.com/fortedigital/forte-helm) - Helm chart templates
+- [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
-- [helm-values](git@github.com:fortedigital/helm-values.git) - Application values
+- [helm-prod-values](git@github.com:fortedigital/helm-prod-values.git) - Application values
 
 ---
 

_app-of-apps-aks-dev.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/aks-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-aks-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/aks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-eks-dev.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-eks-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-gke-dev.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-gke-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-upc-prod.yaml

@@ -18,7 +18,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     path: infra/overlays/upc-prod
   destination:

apps/base/dot-ai-stack.yaml

@@ -37,7 +37,7 @@ spec:
       - $values/infra/values/base/dot-ai-stack-values.yaml
       - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
 
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     ref: values
 

apps/base/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
-- mcpcoder.yaml
 - argo-mcp.yaml

bootstrap.sh

@@ -2,7 +2,7 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (eu|us)}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
 
 echo "running $0 for cluster: ${CLUSTER}..."
 
@@ -17,18 +17,18 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
     ArgoCd
-#    Github
+#    Gitea
 }
 
 
 ############################################################
-# Github                                                     #
+# Gitea                                                     #
 ############################################################
-Github()
+Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f private/github-${CLUSTER}.yaml
+    kubectl apply -f private/gitea-repo-main.yaml
-    kubectl apply -f private/main-${CLUSTER}.key
+    kubectl apply -f private/main.key
 }
 
 ############################################################

cluster-resources/gitea-backup-cronjob.yaml

@@ -57,17 +57,17 @@ spec:
                 - sh
                 - -c
                 - |
-                  mc alias set upcloud "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+                  mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
 
                   TIMESTAMP=$(date +%Y%m%d-%H%M%S)
                   KEY="gitea-dump-${TIMESTAMP}.zip"
                   echo "Uploading ${KEY}..."
-                  mc cp /backup/gitea-dump.zip "upcloud/${S3_BUCKET}/${KEY}" && \
+                  mc cp /backup/gitea-dump.zip "s3/${S3_BUCKET}/${KEY}" && \
                   echo "Upload complete."
 
                   # Prune backups older than 7 days
                   echo "Pruning backups older than 7 days..."
-                  mc rm --older-than 7d --force "upcloud/${S3_BUCKET}/" 2>&1 || true
+                  mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
                   echo "Pruning complete."
               envFrom:
                 - secretRef:

clusters/aks-dev.yaml

@@ -0,0 +1,10 @@
+clusterName: dev-fd-aks
+domain: forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.forteapps.net
+keycloakDomain: id.forteapps.net
+dotaiDomain: kubemcp.forteapps.net
+dotaiUiDomain: kubemcpui.forteapps.net
+letsencryptEmail: danijels@gmail.com
+trustedIPs: "10.0.0.0/8"
+cloudProvider: azure

clusters/aks-prod.yaml

@@ -0,0 +1,10 @@
+clusterName: prod-fd-aks
+domain: fortedigital.com
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.fortedigital.com
+keycloakDomain: id.fortedigital.com
+dotaiDomain: kubemcp.fortedigital.com
+dotaiUiDomain: kubemcpui.fortedigital.com
+letsencryptEmail: danijel.simeunovic@fortedigital.com
+trustedIPs: "10.0.0.0/8"
+cloudProvider: azure

clusters/eks-dev.yaml

@@ -0,0 +1,10 @@
+clusterName: dev-fd-eks
+domain: forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.forteapps.net
+keycloakDomain: id.forteapps.net
+dotaiDomain: kubemcp.forteapps.net
+dotaiUiDomain: kubemcpui.forteapps.net
+letsencryptEmail: danijels@gmail.com
+trustedIPs: "10.0.0.0/8"
+cloudProvider: aws

clusters/eks-prod.yaml

@@ -0,0 +1,10 @@
+clusterName: prod-fd-eks
+domain: fortedigital.com
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.fortedigital.com
+keycloakDomain: id.fortedigital.com
+dotaiDomain: kubemcp.fortedigital.com
+dotaiUiDomain: kubemcpui.fortedigital.com
+letsencryptEmail: danijel.simeunovic@fortedigital.com
+trustedIPs: "10.0.0.0/8"
+cloudProvider: aws

clusters/gke-dev.yaml

@@ -0,0 +1,10 @@
+clusterName: dev-fd-gke
+domain: forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.forteapps.net
+keycloakDomain: id.forteapps.net
+dotaiDomain: kubemcp.forteapps.net
+dotaiUiDomain: kubemcpui.forteapps.net
+letsencryptEmail: danijels@gmail.com
+trustedIPs: "10.0.0.0/8"
+cloudProvider: gcp

clusters/gke-prod.yaml

@@ -0,0 +1,10 @@
+clusterName: prod-fd-gke
+domain: fortedigital.com
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.fortedigital.com
+keycloakDomain: id.fortedigital.com
+dotaiDomain: kubemcp.fortedigital.com
+dotaiUiDomain: kubemcpui.fortedigital.com
+letsencryptEmail: danijel.simeunovic@fortedigital.com
+trustedIPs: "10.0.0.0/8"
+cloudProvider: gcp

clusters/upc-prod.yaml

@@ -1,10 +1,10 @@
-clusterName: dev-fd-us-east1
+clusterName: prod-fd-no-svg1
-domain: us.forteapps.net
+domain: fortedigital.com
-argocdDomain: argocd.us.forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.us.forteapps.net
+grafanaDomain: grafana.fortedigital.com
-keycloakDomain: id.us.forteapps.net
+keycloakDomain: id.fortedigital.com
-dotaiDomain: kubemcp.us.forteapps.net
+dotaiDomain: kubemcp.fortedigital.com
-dotaiUiDomain: kubemcpui.us.forteapps.net
+dotaiUiDomain: kubemcpui.fortedigital.com
-letsencryptEmail: danijels@gmail.com
+letsencryptEmail: danijel.simeunovic@fortedigital.com
-trustedIPs: "10.0.0.0/16"
+trustedIPs: "172.16.1.0/24"
-cloudProvider: tbd
+cloudProvider: upcloud

docs/DEVELOPER-GUIDE.md

@@ -96,10 +96,10 @@ You'll need read/write access to these repositories:
    cd launchpad
    ```
 
-2. **helm-values** (Values repo)
+2. **helm-prod-values** (Values repo)
    ```bash
    git clone https://git.forteapps.net/Forte/helm-prod-values.git
-   cd helm-values
+   cd helm-prod-values
    ```
 
 3. **forte-helm** (Chart repo - read-only for most developers)
@@ -175,13 +175,13 @@ npm run dev
 │  - GitHub Actions builds image                                  │
 │  - Pushes to container registry (GHCR, Docker Hub)              │
 │  - Tags with version (e.g., v2.0.4)                             │
-│  - Updates helm-values repository with new tag                  │
+│  - Updates helm-prod-values repository with new tag                  │
 └─────────────────────────────────────────────────────────────────┘
                             │
                             ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Step 3: GitOps Sync (Automated)                                │
-│  - ArgoCD detects change in helm-values                         │
+│  - ArgoCD detects change in helm-prod-values                         │
 │  - Pulls updated configuration                                  │
 │  - Syncs to Kubernetes cluster                                  │
 │  - Sends Slack notification on success/failure                  │
@@ -201,7 +201,7 @@ Our setup uses three repositories:
 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
 | **forte-helm** | Helm chart templates (generic, reusable) | Platform engineers | ❌ Rarely |
-| **helm-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
+| **helm-prod-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
 | **launchpad** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |
 
 ### Example: Deploying "myapp"
@@ -223,7 +223,7 @@ spec:
       value: {{ .Values.app.port }}
 ```
 
-#### Repository: `helm-values` (Your App Config)
+#### Repository: `helm-prod-values` (Your App Config)
 ```yaml
 # myapp/values.yaml
 # Your app's specific configuration
@@ -248,13 +248,13 @@ metadata:
   namespace: argocd
 spec:
   sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp
     helm:
       valueFiles:
       - $values/myapp/values.yaml
 
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     ref: values
 
   destination:
@@ -316,10 +316,10 @@ Ensure your app repository has:
              docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} .
              docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }}
 
-         - name: Update helm-values
+         - name: Update helm-prod-values
            run: |
-             git clone git@github.com:fortedigital/helm-values.git
+             git clone git@github.com:fortedigital/helm-prod-values.git
-             cd helm-values
+             cd helm-prod-values
              mkdir -p hello-world
              cat > hello-world/values.yaml <<EOF
              app:
@@ -334,7 +334,7 @@ Ensure your app repository has:
 
 ### Step 2: Create Helm Values
 
-Create a folder in `helm-values` repository:
+Create a folder in `helm-prod-values` repository:
 
 ```bash
 cd ~/dev/k8s/helm-prod-values
@@ -412,7 +412,7 @@ spec:
 
   sources:
   # Source 1: Helm chart templates
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp
     targetRevision: HEAD
     helm:
@@ -420,7 +420,7 @@ spec:
       - $values/hello-world/values.yaml
 
   # Source 2: Helm values
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     targetRevision: HEAD
     ref: values
 
@@ -528,7 +528,7 @@ git push origin main
 2. ✅ Builds new Docker image
 3. ✅ Tags with new version (e.g., `v20260316-143022`)
 4. ✅ Pushes to container registry
-5. ✅ Updates `helm-values/myapp/values.yaml` with new tag
+5. ✅ Updates `helm-prod-values/myapp/values.yaml` with new tag
 6. ✅ ArgoCD detects change
 7. ✅ Syncs new version to cluster
 8. ✅ Sends Slack notification
@@ -683,7 +683,7 @@ git push
 
 #### Step 4: Reference Secret in Application
 
-Update your `helm-values/myapp/values.yaml`:
+Update your `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
@@ -791,7 +791,7 @@ Three authentication modes are supported:
 #### Step 1: Configure Helm Values
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
   enabled: true
   type: token                    # Token mode (default)
@@ -913,7 +913,7 @@ rm private/myapp-auth-oidc.yaml
 #### Step 3: Configure Helm Values
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
   enabled: true
   type: oidc                     # OIDC mode
@@ -1049,7 +1049,7 @@ policies.forteapps.io/auth-image-version: "v1.2.3"
 #### Example 1: Internal API with Token Auth
 
 ```yaml
-# helm-values/internal-api/values.yaml
+# helm-prod-values/internal-api/values.yaml
 app:
   image:
     repository: ghcr.io/company/internal-api
@@ -1077,7 +1077,7 @@ curl -H "Authorization: Bearer d4f88f..." \
 #### Example 2: User-Facing App with OIDC
 
 ```yaml
-# helm-values/web-app/values.yaml
+# helm-prod-values/web-app/values.yaml
 app:
   image:
     repository: ghcr.io/company/web-app
@@ -1112,7 +1112,7 @@ kubectl create secret generic auth-oidc \
 #### Example 3: MCP Server with OAuth 2.0
 
 ```yaml
-# helm-values/mcp-server/values.yaml
+# helm-prod-values/mcp-server/values.yaml
 app:
   image:
     repository: ghcr.io/company/mcp-server
@@ -1136,7 +1136,7 @@ The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) fo
 #### Example 4: Disabling Authentication
 
 ```yaml
-# helm-values/public-api/values.yaml
+# helm-prod-values/public-api/values.yaml
 auth:
   enabled: false                 # No authentication
 
@@ -1500,7 +1500,7 @@ kubectl exec -n myapp <pod-name> -- env
 # Check if secrets exist
 kubectl get secrets -n myapp
 
-# Increase resources in helm-values
+# Increase resources in helm-prod-values
 vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
 ```
 
@@ -1649,7 +1649,7 @@ If you're stuck:
 ### Configuration Management
 
 ✅ **DO**:
-- Keep configuration in `helm-values` repository
+- Keep configuration in `helm-prod-values` repository
 - Use environment variables for config
 - Document what each value does
 - Use reasonable resource limits

docs/GITOPS-ARCHITECTURE.md

@@ -47,7 +47,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
          │                            │                          │
          │                            │                          │
          └────────► Update image tag ─┴──────────────────────────┘
-                    in helm-values                               │
+                    in helm-prod-values                               │
                                                                  │
                                                                  ▼
                                            ┌────────────────────────────────┐
@@ -184,7 +184,7 @@ launchpad/
 ---
 
 ### 2. **Helm Charts Repository**
-**Repository**: `https://github.com/fortedigital/forte-helm`
+**Repository**: `https://git.forteapps.net/Forte/forte-helm`
 **Purpose**: Reusable Helm chart templates for Forte applications
 **Location**: `C:\dev\k8s\forte-helm`
 
@@ -218,7 +218,7 @@ forte-helm/
 ---
 
 ### 3. **Helm Values Repository**
-**Repository**: `git@github.com:fortedigital/helm-values.git`
+**Repository**: `git@github.com:fortedigital/helm-prod-values.git`
 **Purpose**: Environment-specific configuration for each application
 **Location**: `C:\dev\k8s\helm-prod-values`
 
@@ -228,8 +228,6 @@ helm-prod-values/
 │   └── values.yaml                   # MCP 10X configuration
 ├── musicman/
 │   └── values.yaml                   # Music Man configuration
-├── mcpcoder/
-│   └── values.yaml                   # MCP Coder configuration
 └── argocd-mcp/
     └── values.yaml                   # ArgoCD MCP configuration
 ```
@@ -279,7 +277,7 @@ app-repository/
 2. Build Docker image
 3. Tag with version (e.g., `v2.0.4`)
 4. Push to container registry (GHCR, Docker Hub, etc.)
-5. Update image tag in `helm-values` repository
+5. Update image tag in `helm-prod-values` repository
 6. ArgoCD detects change and syncs automatically
 
 ---
@@ -340,13 +338,13 @@ Applications like `mcp10x` and `musicman` use multiple sources:
 ```yaml
 spec:
   sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp                     # Helm chart templates
     helm:
       valueFiles:
       - $values/mcp10x/values.yaml     # Reference to second source
 
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     targetRevision: HEAD
     ref: values                        # Named reference
 ```
@@ -414,8 +412,8 @@ jobs:
 
       - name: Update Helm values
         run: |
-          git clone git@github.com:fortedigital/helm-values.git
+          git clone git@github.com:fortedigital/helm-prod-values.git
-          cd helm-values/app
+          cd helm-prod-values/app
           sed -i "s/tag: .*/tag: $VERSION/" values.yaml
           git commit -am "Update app to $VERSION"
           git push
@@ -432,7 +430,7 @@ jobs:
    - Syncs application to cluster
 
 2. **Helm Values Change**:
-   - CI/CD updates `helm-values/myapp/values.yaml`
+   - CI/CD updates `helm-prod-values/myapp/values.yaml`
    - ArgoCD detects change
    - Pulls new Helm chart with updated values
    - Applies to cluster
@@ -639,7 +637,7 @@ Notifications include:
 ✅ **DO**:
 - Follow the `forteapp` chart pattern
 - Use semantic versioning for image tags
-- Update helm-values via CI/CD
+- Update helm-prod-values via CI/CD
 - Test locally with Docker Compose
 - Document environment variables
 

docs/OPERATIONS-RUNBOOK.md

@@ -85,7 +85,8 @@ kubectl get applications -n argocd
 
 1. **Configure DNS** for ingress domains:
    - `argocd.127.0.0.1.nip.io` (local dev)
-   - `*.forteapps.net` (production)
+   - `*.forteapps.net` (dev)
+   - `*.fortedigital.com` (production)
 
 2. **Verify Let's Encrypt certificates**:
    ```bash
@@ -107,7 +108,7 @@ kubectl get applications -n argocd
 
 ### ArgoCD Repository Access Setup
 
-ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.
+ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for Gitea repositories.
 
 #### Why Deploy Keys?
 
@@ -119,7 +120,7 @@ ArgoCD needs SSH access to private Git repositories to pull manifests and Helm v
 #### Prerequisites
 
 - kubectl access to the cluster
-- Write access to the GitHub repository
+- Write access to the Gitea repository
 - ArgoCD installed and running
 
 #### Setup Procedure
@@ -138,16 +139,16 @@ ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key
 
 This creates two files:
 - `argocd-deploy-key` - Private key (keep secret)
-- `argocd-deploy-key.pub` - Public key (add to GitHub)
+- `argocd-deploy-key.pub` - Public key (add to Gitea)
 
-**Step 2: Add Public Key to GitHub**
+**Step 2: Add Public Key to Gitea**
 
 1. Copy the public key:
    ```bash
    cat argocd-deploy-key.pub
    ```
 
-2. Go to GitHub repository settings:
+2. Go to Gitea repository settings:
    - Navigate to: `https://git.forteapps.net/Forte/launchpad/settings/keys`
    - Or: Repository → Settings → Deploy keys
 
@@ -157,12 +158,12 @@ This creates two files:
    - ☐ Allow write access (leave unchecked - read-only is sufficient)
    - Click **"Add key"**
 
-4. Repeat for the `helm-values` repository if it's private:
+4. Repeat for the `helm-prod-values` repository if it's private:
    ```bash
-   # Generate separate key for helm-values repo
+   # Generate separate key for helm-prod-values repo
-   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
+   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-prod-values" -f argocd-helm-prod-values-key -N ""
 
-   # Add to: https://github.com/fortedigital/helm-values/settings/keys
+   # Add to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
    ```
 
 **Step 3: Create Kubernetes Secret**
@@ -270,7 +271,7 @@ rm /tmp/test-repo-access.yaml
    # Generate new key
    ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""
 
-   # Add new public key to GitHub (keep old key for now)
+   # Add new public key to Gitea (keep old key for now)
 
    # Update Kubernetes secret
    kubectl create secret generic repo-launchpad \
@@ -278,7 +279,7 @@ rm /tmp/test-repo-access.yaml
      --namespace=argocd \
      --dry-run=client -o yaml | kubectl apply -f -
 
-   # Test access, then remove old deploy key from GitHub
+   # Test access, then remove old deploy key from Gitea
 
    # Clean up
    shred -u argocd-new-key
@@ -289,7 +290,7 @@ rm /tmp/test-repo-access.yaml
    # List all repository secrets
    kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 
-   # Review deploy keys in GitHub
+   # Review deploy keys in Gitea
    # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
    ```
 
@@ -312,16 +313,16 @@ kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/se
 # Check ArgoCD application controller logs
 kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"
 
-# Verify deploy key is added to GitHub
+# Verify deploy key is added to Gitea
 # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
 ```
 
 **Issue: "Host key verification failed"**
 
 ```bash
-# Add GitHub to known_hosts
+# Add Gitea to known_hosts
 kubectl exec -n argocd deployment/argocd-repo-server -- \
-  ssh-keyscan github.com >> ~/.ssh/known_hosts
+  ssh-keyscan git.forteapps.net >> ~/.ssh/known_hosts
 
 # Or disable strict host key checking (less secure)
 kubectl patch secret repo-launchpad -n argocd \
@@ -346,16 +347,16 @@ kubectl rollout restart deployment argocd-application-controller -n argocd
 
 #### Multiple Repository Setup
 
-For the three-repository pattern (launchpad, forte-helm, helm-values):
+For the three-repository pattern (launchpad, forte-helm, helm-prod-values):
 
 ```bash
 # 1. launchpad (main config repo)
 ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
 # Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys
 
-# 2. helm-values (private values repo)
+# 2. helm-prod-values (private values repo)
-ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
+ssh-keygen -t ed25519 -C "argocd-helm-prod-values" -f key-helm-prod-values -N ""
-# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
+# Add key-helm-prod-values.pub to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
 
 # 3. forte-helm (private helm charts repo)
 
@@ -366,14 +367,14 @@ kubectl create secret generic repo-launchpad \
   kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
   kubectl apply -f -
 
-kubectl create secret generic repo-helm-values \
+kubectl create secret generic repo-helm-prod-values \
-  --from-file=sshPrivateKey=key-helm-values \
+  --from-file=sshPrivateKey=key-helm-prod-values \
   --namespace=argocd --dry-run=client -o yaml | \
   kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
   kubectl apply -f -
 
 # Clean up keys
-shred -u key-sturdy key-helm-values
+shred -u key-sturdy key-helm-prod-values
 ```
 
 #### Converting HTTPS to SSH
@@ -390,7 +391,7 @@ If you're currently using HTTPS and want to switch to SSH:
 #   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
 
 # 3. Update and commit
-find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
+find . -name "*.yaml" -type f -exec sed -i 's|https://git.forteapps.net/Forte/|git@git.forteapps.net:Forte/|g' {} +
 
 git add .
 git commit -m "Switch from HTTPS to SSH for repository access"
@@ -494,7 +495,7 @@ spec:
 See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for detailed steps.
 
 **Quick checklist:**
-- [ ] Create `helm-values/myapp/values.yaml`
+- [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
 - [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
@@ -559,7 +560,7 @@ kubectl scale deployment myapp -n myapp --replicas=3
 
 #### GitOps Scaling
 
-Update `helm-values/myapp/values.yaml`:
+Update `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
@@ -573,7 +574,7 @@ Commit and push - ArgoCD will sync.
 Enable Horizontal Pod Autoscaler:
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
   hpa:
     enabled: true
@@ -622,7 +623,7 @@ kubectl rollout undo deployment myapp -n myapp
 #### Option 3: Change Image Tag
 
 ```bash
-# Edit helm-values
+# Edit helm-prod-values
 cd ~/dev/k8s/helm-prod-values
 vim myapp/values.yaml
 
@@ -642,7 +643,7 @@ git push
 #### Update Resource Limits
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
   resources:
     requests:
@@ -656,7 +657,7 @@ app:
 #### Enable Database
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 db:
   enabled: true
   persistence:
@@ -1266,7 +1267,7 @@ spec:
 **What Needs Backup**:
 - ❌ Cluster state (not backed up - recreate via GitOps)
 - ❌ Persistent volumes (currently not critical)
-- ✅ Git repositories (GitHub provides backup)
+- ✅ Git repositories (Gitea provides backup)
 - ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
 
 ### Cluster Rebuild
@@ -1561,7 +1562,7 @@ git push
 kubectl scale deployment myapp -n myapp --replicas=0
 
 # Update Git
-vim helm-values/myapp/values.yaml
+vim helm-prod-values/myapp/values.yaml
 # Set replicaCount: 0
 git commit -am "Scale down myapp for maintenance"
 git push
@@ -1634,7 +1635,7 @@ echo "Remember to delete: $SECRET_FILE"
 
 - [ ] Application code repository created
 - [ ] Dockerfile created and tested
-- [ ] GitHub Actions workflow configured
+- [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
 - [ ] Secrets created and sealed

docs/REFERENCE.md

@@ -9,6 +9,7 @@
 - [Kyverno Policies](#kyverno-policies)
 - [Configuration Reference](#configuration-reference)
 - [API Endpoints](#api-endpoints)
+- [Cloud Overlay Pattern](#cloud-overlay-pattern)
 - [Glossary](#glossary)
 
 ---
@@ -19,9 +20,9 @@
 
 | Component | Value |
 |-----------|-------|
-| **Provider** | UpCloud Managed Kubernetes |
+| **Provider** | Multi-cloud (UpCloud, AKS, EKS, GKE) |
-| **Environment** | Production (internal use) |
+| **Environment** | Dev + Production per cloud |
-| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
+| **Cluster Count** | Multi-cluster (upc-dev/prod, aks-dev/prod, eks-dev/prod, gke-dev/prod) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -92,16 +93,34 @@ launchpad/
 │   ├── sealedsecrets.yaml
 │   ├── secrets.yaml
 │   ├── renovate.yaml
+│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
+│   │   ├── gitea.yaml
+│   │   ├── opencost.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   └── ...
+│   ├── overlays/
+│   │   └── upc-prod/
+│   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
-│       ├── argocd-values.yaml
+│       ├── base/                   # Cloud-agnostic Helm values
-│       ├── prometheus-values.yaml
+│       │   ├── gitea-values.yaml
-│       ├── grafana-values.yaml
+│       │   ├── opencost-values.yaml
-│       ├── loki-values.yaml
+│       │   ├── prometheus-values.yaml
-│       ├── tempo-values.yaml
+│       │   └── ...
-│       ├── gitea-values.yaml
+│       ├── upc-dev/               # UpCloud dev overlay values
-│       ├── gitea-actions-values.yaml
+│       │   ├── traefik-values.yaml
-│       ├── fluent-bit-values.yaml
+│       │   ├── keycloak-values.yaml
-│       └── renovate-values.yaml
+│       │   ├── grafana-values.yaml
+│       │   ├── gitea-values.yaml
+│       │   └── opencost-values.yaml
+│       └── upc-prod/              # UpCloud prod overlay values
+│           ├── traefik-values.yaml
+│           ├── keycloak-values.yaml
+│           ├── grafana-values.yaml
+│           ├── gitea-values.yaml
+│           └── opencost-values.yaml
 │
 ├── apps/                          # Business applications
 │   ├── mcp10x.yaml
@@ -135,6 +154,15 @@ launchpad/
 │   ├── mcp10x-credentials-sealed.yaml
 │   └── musicman-credentials.yaml
 │
+├── scripts/                       # Operational helper scripts
+│   ├── gitea-backup.sh            # S3 backup helper (list/download)
+│   ├── gitea-restore.sh
+│   └── backup/                    # Per-cloud backup reference scripts
+│       ├── s3-minio.sh            # S3-compatible (UpCloud, MinIO, Wasabi)
+│       ├── aws-s3.sh              # Native AWS S3
+│       ├── azure-blob.sh          # Azure Blob Storage
+│       └── gcp-gcs.sh             # GCP Cloud Storage
+│
 ├── private/                       # Local-only (Git-ignored)
 │   ├── *.yaml
 │   └── *.sh
@@ -190,7 +218,7 @@ spec:
 
 ### Helm Charts Repository: `forte-helm`
 
-**URL**: `https://github.com/fortedigital/forte-helm`
+**URL**: `https://git.forteapps.net/Forte/forte-helm`
 
 #### Chart: `forteapp`
 
@@ -337,20 +365,18 @@ configmap: []                    # Application ConfigMap key-value pairs
 
 ---
 
-### Helm Values Repository: `helm-values`
+### Helm Values Repository: `helm-prod-values`
 
-**URL**: `https://github.com/fortedigital/helm-values.git`
+**URL**: `https://git.forteapps.net/Forte/helm-prod-values.git`
 
 #### Structure
 
 ```
-helm-values/
+helm-prod-values/
 ├── mcp10x/
 │   └── values.yaml
 ├── musicman/
 │   └── values.yaml
-├── mcpcoder/
-│   └── values.yaml
 └── argocd-mcp/
     └── values.yaml
 ```
@@ -526,14 +552,14 @@ spec:
 
   # Multi-source configuration
   sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp
     targetRevision: HEAD
     helm:
       valueFiles:
       - $values/<app-name>/values.yaml
 
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     targetRevision: HEAD
     ref: values
 
@@ -817,12 +843,21 @@ postgresql:
 
 **Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
 
+**External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs.
+
+**Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
+
+**Auto-Watch**: Disabled (`AUTO_WATCH_ON_CHANGES: false`, `AUTO_WATCH_NEW_REPOS: false`). Prevents contributors from being auto-subscribed to repo notifications on push, reducing email noise from CI bots (e.g., ai-review PR comments). Users who were already watching before this change need to manually unwatch or switch to "Only participating".
+
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
 - Metrics: `/metrics` (Prometheus scrape)
 
-**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)
+**Secrets**:
+- `gitea-credentials` (SealedSecret) — admin password
+- `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+- `gitea-smtp-secret` (SealedSecret) — SMTP username + password
 
 ### Gitea Actions Runners
 
@@ -871,6 +906,84 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### AI Code Review (ai-review)
+
+**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
+**Trigger**: `pull_request` events (`opened`, `synchronize`)
+**Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`)
+
+**Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact.
+
+**Architecture**:
+- Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image
+- Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`)
+- Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient)
+- Agent mode: disabled (one-shot review, no multi-turn reasoning)
+- LLM: Claude Sonnet (`claude-sonnet-4-20250514`)
+
+**Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`):
+```
+shared-prompts/
+  base/
+    security.md          # org-wide security rules (all profiles)
+  iac/
+    .ai-review.yaml      # IaC/GitOps profile config
+    inline.md            # inline review prompt
+    summary.md           # PR summary prompt
+  # future profiles: backend/, frontend/, etc.
+```
+
+**Configuration** (`shared-prompts/iac/.ai-review.yaml`):
+```yaml
+llm:
+  provider: CLAUDE
+  model: claude-sonnet-4-20250514
+vcs:
+  provider: GITEA
+review:
+  mode: ONLY_ADDED_WITH_CONTEXT
+agent:
+  enabled: false
+prompt:
+  inline_prompt_files:            # concatenated in order
+    - ./shared-prompts/base/security.md
+    - ./shared-prompts/iac/inline.md
+  summary_prompt_files:
+    - ./shared-prompts/iac/summary.md
+ignore:
+  - "*.sealed.yaml"
+  - "*.lock"
+  - "docs/**"
+```
+
+**Custom Prompts** (IaC profile):
+- `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt
+- `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments
+- `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags
+
+**Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines.
+
+**Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml`
+
+**Required Secrets** (configure in Gitea repo or org settings):
+
+| Secret | Purpose |
+|--------|---------|
+| `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
+| `AI_REVIEW_TOKEN` | Gitea API token with `write:repository` + `read:repository` scopes (use a bot/service account) |
+
+**Setup Steps**:
+1. Create a Gitea bot/service account and generate an API token with `write:repository` + `read:repository` scopes
+2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
+3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
+4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
+5. Push the workflow file — it triggers automatically on PR creation/update
+
+**Verification**:
+- Open a PR with infrastructure changes → workflow runs → inline comments + summary appear
+- Check Gitea Actions tab for workflow run status and logs
+- Monitor Anthropic usage dashboard for token consumption
+
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1536,6 +1649,87 @@ POST /loki/api/v1/push
 
 ---
 
+## Cloud Overlay Pattern
+
+### Overview
+
+Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. Adding a new cloud provider only requires a new overlay directory — no base changes.
+
+### Supported Clouds
+
+| Cloud | Dev overlay | Prod overlay | StorageClass | LB type |
+|-------|-----------|-------------|-------------|---------|
+| **UpCloud** | `upc-dev` | `upc-prod` | `upcloud-block-storage-maxiops` | UpCloud LB (proxy protocol v2) |
+| **Azure AKS** | `aks-dev` | `aks-prod` | `managed-csi-premium` | Azure LB |
+| **AWS EKS** | `eks-dev` | `eks-prod` | `gp3` | AWS NLB (proxy protocol) |
+| **GCP GKE** | `gke-dev` | `gke-prod` | `premium-rwo` | GCP NEG |
+
+Bootstrap any cluster with: `./bootstrap.sh <cluster>` (e.g., `./bootstrap.sh aks-dev`)
+
+### How It Works
+
+Each ArgoCD Application uses **multi-source Helm values** with two value files:
+
+```yaml
+# infra/base/gitea.yaml (example)
+helm:
+  valueFiles:
+  - $values/infra/values/base/gitea-values.yaml      # [0] cloud-agnostic
+  - $values/infra/values/upc-dev/gitea-values.yaml    # [1] cloud-specific (default: upc-dev)
+```
+
+The `upc-prod` Kustomize overlay patches index `[1]` to swap the cloud-specific file:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+```
+
+### Components Using Cloud Overlays
+
+| Component | Cloud-specific config | Overlay value file |
+|-----------|----------------------|-------------------|
+| **Traefik** | LB annotations, proxy protocol IPs | `traefik-values.yaml` |
+| **Keycloak** | Hostname, TLS settings | `keycloak-values.yaml` |
+| **Grafana** | Hostname, datasource URLs | `grafana-values.yaml` |
+| **Gitea** | StorageClass (persistence + PostgreSQL) | `gitea-values.yaml` |
+| **OpenCost** | Custom pricing model (CPU/RAM/storage rates) | `opencost-values.yaml` |
+
+### Backup CronJob
+
+The `gitea-backup` CronJob uses a generic `s3` alias for `minio/mc`. The actual endpoint and credentials come from the `gitea-backup-s3` Sealed Secret, which is per-cloud. Reference scripts for different cloud providers are in `scripts/backup/`:
+
+| Script | Provider | Tool |
+|--------|----------|------|
+| `s3-minio.sh` | S3-compatible (UpCloud, MinIO, Wasabi) | `minio/mc` |
+| `aws-s3.sh` | AWS S3 | `aws` CLI |
+| `azure-blob.sh` | Azure Blob Storage | `az` CLI |
+| `gcp-gcs.sh` | GCP Cloud Storage | `gsutil` |
+
+### Adding a New Cloud Provider
+
+To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
+
+1. **Cluster config**: `clusters/oci-dev.yaml` — clusterName, domain, trustedIPs, cloudProvider
+2. **Overlay value files** in `infra/values/oci-dev/`:
+   - `traefik-values.yaml` — LB annotations, proxy protocol config
+   - `keycloak-values.yaml` — hostname
+   - `grafana-values.yaml` — hostname
+   - `gitea-values.yaml` — `storageClass` for persistence + PostgreSQL
+   - `opencost-values.yaml` — pricing model or cloud billing integration
+3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
+4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
+5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config
+6. **Bootstrap**: `./bootstrap.sh oci-dev`
+
+---
+
 ## Glossary
 
 ### Terms

infra/base/gitea.yaml

@@ -22,6 +22,7 @@ spec:
       releaseName: gitea
       valueFiles:
       - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/upc-dev/gitea-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/base/kustomization.yaml

@@ -17,6 +17,7 @@ resources:
 - secrets.yaml
 - gitea.yaml
 - gitea-actions.yaml
+- opencost.yaml
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml

infra/base/opencost.yaml

@@ -21,7 +21,8 @@ spec:
     helm:
       releaseName: opencost
       valueFiles:
-      - $values/infra/values/opencost-values.yaml
+      - $values/infra/values/base/opencost-values.yaml
+      - $values/infra/values/upc-dev/opencost-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/base/traefik-application.yaml

@@ -31,7 +31,7 @@ spec:
       - $values/infra/values/base/traefik-values.yaml
       - $values/infra/values/upc-dev/traefik-values.yaml
 
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     ref: values
 

infra/overlays/aks-dev/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/opencost-values.yaml
+
+# Secrets: change path to aks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-dev
+
+# Enterprise-apps: point to aks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-dev

infra/overlays/aks-prod/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/opencost-values.yaml
+
+# Secrets: change path to aks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-prod
+
+# Enterprise-apps: point to aks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-prod

infra/overlays/eks-dev/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/opencost-values.yaml
+
+# Secrets: change path to eks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-dev
+
+# Enterprise-apps: point to eks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-dev

infra/overlays/eks-prod/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/opencost-values.yaml
+
+# Secrets: change path to eks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-prod
+
+# Enterprise-apps: point to eks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-prod

infra/overlays/gke-dev/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/opencost-values.yaml
+
+# Secrets: change path to gke-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-dev
+
+# Enterprise-apps: point to gke-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-dev

infra/overlays/gke-prod/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/opencost-values.yaml
+
+# Secrets: change path to gke-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-prod
+
+# Enterprise-apps: point to gke-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-prod

infra/overlays/upc-prod/kustomization.yaml

@@ -31,6 +31,24 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/upc-prod/grafana-values.yaml
 
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/opencost-values.yaml
+
 # Secrets: change path to upc-prod
 - target:
     kind: Application

infra/values/aks-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# AKS-specific: Azure managed disk storage class
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium

infra/values/aks-dev/grafana-values.yaml

@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/aks-dev/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net

infra/values/aks-dev/opencost-values.yaml

@@ -0,0 +1,8 @@
+# AKS-specific: Azure pricing via Cloud Billing API
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    azure:
+      secretName: opencost-azure-billing

infra/values/aks-dev/traefik-values.yaml

@@ -0,0 +1,11 @@
+# AKS-specific: Azure Load Balancer for Traefik
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/aks-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# AKS-specific: Azure managed disk storage class (prod)
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium

infra/values/aks-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/aks-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/aks-prod/opencost-values.yaml

@@ -0,0 +1,8 @@
+# AKS-specific: Azure pricing via Cloud Billing API (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    azure:
+      secretName: opencost-azure-billing

infra/values/aks-prod/traefik-values.yaml

@@ -0,0 +1,12 @@
+# AKS-specific: Azure Load Balancer for Traefik (prod)
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/base/gitea-values.yaml

@@ -29,7 +29,10 @@ gitea:
       ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       ENABLE_BASIC_AUTHENTICATION: true
       ENABLE_PASSWORD_SIGNIN_FORM: false
-      ENABLE_NOTIFY_MAIL: true
+      AUTO_WATCH_ON_CHANGES: false
+      AUTO_WATCH_NEW_REPOS: false
+      ENABLE_NOTIFY_MAIL: false
+      ENABLE_TIMETRACKING: false
 
     openid:
       ENABLE_OPENID_SIGNIN: false
@@ -127,7 +130,6 @@ persistence:
   size: 10Gi
   accessModes:
   - ReadWriteOnce
-  storageClass: upcloud-block-storage-maxiops
 
 # -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
 strategy:
@@ -153,7 +155,6 @@ postgresql:
     persistence:
       enabled: true
       size: 8Gi
-      storageClass: upcloud-block-storage-maxiops
     resources:
       requests:
         cpu: 100m

infra/values/base/opencost-values.yaml

@@ -10,18 +10,6 @@ opencost:
         serviceName: prometheus-server
         namespaceName: monitoring
         port: 80
-    customPricing:
-      enabled: true
-      provider: custom
-      costModel:
-        description: "UpCloud 4-node cluster pricing"
-        CPU: "5.86"
-        RAM: "1.46"
-        GPU: "0"
-        storage: "0.34"
-        zoneNetworkEgress: "0"
-        regionNetworkEgress: "0"
-        internetNetworkEgress: "0"
   ui:
     enabled: false
 service:

infra/values/base/traefik-values.yaml

@@ -2,6 +2,8 @@ providers:
   kubernetesIngress:
     publishedService: # Fixes ArgoCD health checks for LoadBalancer services
       enabled: true
+  kubernetesCRD:
+    allowCrossNamespace: true
 deployment:
   replicas: 2
 
@@ -48,3 +50,26 @@ ports:
       accessLogs: true
       metrics: true
       tracing: true
+
+  gitea-ssh:
+    port: 2222
+    expose:
+      default: true
+    exposedPort: 2222
+    protocol: TCP
+
+# -- IngressRouteTCP for Gitea SSH (cross-namespace to gitea/gitea-ssh service)
+extraObjects:
+- apiVersion: traefik.io/v1alpha1
+  kind: IngressRouteTCP
+  metadata:
+    name: gitea-ssh
+  spec:
+    entryPoints:
+    - gitea-ssh
+    routes:
+    - match: HostSNI(`*`)
+      services:
+      - name: gitea-ssh
+        namespace: gitea
+        port: 22

infra/values/eks-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# EKS-specific: gp3 storage class
+persistence:
+  storageClass: gp3
+postgresql:
+  primary:
+    persistence:
+      storageClass: gp3

infra/values/eks-dev/grafana-values.yaml

@@ -0,0 +1,4 @@
+# EKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/eks-dev/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# EKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net

infra/values/eks-dev/opencost-values.yaml

@@ -0,0 +1,11 @@
+# EKS-specific: AWS pricing via Cost and Usage Report
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    aws:
+      spot_data_region: ""
+      spot_data_bucket: ""
+      spot_data_prefix: ""
+      account_id: ""

infra/values/eks-dev/traefik-values.yaml

@@ -0,0 +1,17 @@
+# EKS-specific: AWS NLB for Traefik
+service:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/eks-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# EKS-specific: gp3 storage class (prod)
+persistence:
+  storageClass: gp3
+postgresql:
+  primary:
+    persistence:
+      storageClass: gp3

infra/values/eks-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# EKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/eks-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# EKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/eks-prod/opencost-values.yaml

@@ -0,0 +1,11 @@
+# EKS-specific: AWS pricing via Cost and Usage Report (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    aws:
+      spot_data_region: ""
+      spot_data_bucket: ""
+      spot_data_prefix: ""
+      account_id: ""

infra/values/eks-prod/traefik-values.yaml

@@ -0,0 +1,18 @@
+# EKS-specific: AWS NLB for Traefik (prod)
+service:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/gke-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# GKE-specific: SSD persistent disk storage class
+persistence:
+  storageClass: premium-rwo
+postgresql:
+  primary:
+    persistence:
+      storageClass: premium-rwo

infra/values/gke-dev/grafana-values.yaml

@@ -0,0 +1,4 @@
+# GKE-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/gke-dev/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# GKE-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net

infra/values/gke-dev/opencost-values.yaml

@@ -0,0 +1,10 @@
+# GKE-specific: GCP pricing via BigQuery billing export
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    google:
+      key: ""
+      project_id: ""
+      billing_account: ""

infra/values/gke-dev/traefik-values.yaml

@@ -0,0 +1,12 @@
+# GKE-specific: Google Cloud Load Balancer for Traefik
+service:
+  annotations:
+    cloud.google.com/neg: '{"ingress":true}'
+    networking.gke.io/load-balancer-type: External
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/gke-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# GKE-specific: SSD persistent disk storage class (prod)
+persistence:
+  storageClass: premium-rwo
+postgresql:
+  primary:
+    persistence:
+      storageClass: premium-rwo

infra/values/gke-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# GKE-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/gke-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# GKE-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/gke-prod/opencost-values.yaml

@@ -0,0 +1,10 @@
+# GKE-specific: GCP pricing via BigQuery billing export (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    google:
+      key: ""
+      project_id: ""
+      billing_account: ""

infra/values/gke-prod/traefik-values.yaml

@@ -0,0 +1,12 @@
+# GKE-specific: Google Cloud Load Balancer for Traefik (prod)
+service:
+  annotations:
+    cloud.google.com/neg: '{"ingress":true}'
+    networking.gke.io/load-balancer-type: External
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/upc-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# UpCloud-specific: block storage class for Gitea + PostgreSQL
+persistence:
+  storageClass: upcloud-block-storage-maxiops
+postgresql:
+  primary:
+    persistence:
+      storageClass: upcloud-block-storage-maxiops

infra/values/upc-dev/opencost-values.yaml

@@ -0,0 +1,15 @@
+# UpCloud-specific: custom pricing model
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"

infra/values/upc-dev/traefik-values.yaml

@@ -10,6 +10,10 @@ service:
               {
                   "name": "websecure",
                   "mode": "tcp"
+              },
+              {
+                  "name": "gitea-ssh",
+                  "mode": "tcp"
               }
           ],
           "backends": [
@@ -24,6 +28,9 @@ service:
                   "properties": {
                       "outbound_proxy_protocol": "v2"
                   }
+              },
+              {
+                  "name": "gitea-ssh"
               }
           ]
       }

infra/values/upc-prod/argocd-values.yaml

@@ -1,5 +1,5 @@
 global:
-  domain: argocd.us.forteapps.net
+  domain: argocd.fortedigital.com
 notifications:
   context:
-    clusterName: "dev-fd-us-east1"
+    clusterName: "prod-fd-no-svg1"

infra/values/upc-prod/dot-ai-stack-values.yaml

@@ -1,8 +1,8 @@
 dot-ai:
   ingress:
-    host: kubemcp.us.forteapps.net
+    host: kubemcp.fortedigital.com
   webUI:
-    baseUrl: http://kubemcpui.us.forteapps.net
+    baseUrl: http://kubemcpui.fortedigital.com
 dot-ai-ui:
   ingress:
-    host: kubemcpui.us.forteapps.net
+    host: kubemcpui.fortedigital.com

infra/values/upc-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# UpCloud-specific: block storage class for Gitea + PostgreSQL
+persistence:
+  storageClass: upcloud-block-storage-maxiops
+postgresql:
+  primary:
+    persistence:
+      storageClass: upcloud-block-storage-maxiops

infra/values/upc-prod/grafana-values.yaml

@@ -1,3 +1,3 @@
 ingress:
   hosts:
-  - grafana.us.forteapps.net
+  - grafana.fortedigital.com

infra/values/upc-prod/keycloak-values.yaml

@@ -1,2 +1,2 @@
 ingress:
-  hostname: id.us.forteapps.net
+  hostname: id.fortedigital.com

infra/values/upc-prod/opencost-values.yaml

@@ -0,0 +1,15 @@
+# UpCloud-specific: custom pricing model
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"

mkdocs.yml

@@ -1,43 +0,0 @@
-site_name: K8s Launchpad
-site_description: Documentation for the GitOps-managed Kubernetes cluster
-repo_url: https://git.forteapps.net/Forte/launchpad
-repo_name: Forte/launchpad
-
-theme:
-  name: material
-  palette:
-  - scheme: default
-    primary: indigo
-    toggle:
-      icon: material/brightness-7
-      name: Switch to dark mode
-  - scheme: slate
-    primary: indigo
-    toggle:
-      icon: material/brightness-4
-      name: Switch to light mode
-  features:
-  - navigation.instant
-  - navigation.sections
-  - navigation.top
-  - search.highlight
-  - content.code.copy
-
-nav:
-- Home: README.md
-- GitOps Architecture: GITOPS-ARCHITECTURE.md
-- Developer Guide: DEVELOPER-GUIDE.md
-- Operations Runbook: OPERATIONS-RUNBOOK.md
-- Technical Reference: REFERENCE.md
-
-markdown_extensions:
-- tables
-- toc:
-    permalink: true
-- pymdownx.highlight:
-    anchor_linenums: true
-- pymdownx.superfences
-- pymdownx.tabbed:
-    alternate_style: true
-- admonition
-- pymdownx.details

scripts/backup/aws-s3.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# AWS S3 backup upload (native AWS CLI)
+# Uses: aws cli v2
+# Env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, S3_BUCKET
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+echo "Uploading ${KEY}..."
+aws s3 cp "$BACKUP_FILE" "s3://${S3_BUCKET}/${KEY}"
+echo "Upload complete."
+
+# Prune backups older than 7 days
+echo "Pruning backups older than 7 days..."
+CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%S 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%S)
+aws s3api list-objects-v2 --bucket "${S3_BUCKET}" --query "Contents[?LastModified<'${CUTOFF}'].Key" --output text \
+  | tr '\t' '\n' \
+  | while read -r key; do
+      [ -n "$key" ] && aws s3 rm "s3://${S3_BUCKET}/${key}" && echo "Deleted: ${key}"
+    done
+echo "Pruning complete."

scripts/backup/azure-blob.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Azure Blob Storage backup upload
+# Uses: az cli
+# Env: AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_KEY, AZURE_CONTAINER
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+echo "Uploading ${KEY}..."
+az storage blob upload \
+  --account-name "${AZURE_STORAGE_ACCOUNT}" \
+  --account-key "${AZURE_STORAGE_KEY}" \
+  --container-name "${AZURE_CONTAINER}" \
+  --name "${KEY}" \
+  --file "$BACKUP_FILE" \
+  --overwrite
+echo "Upload complete."
+
+# Prune backups older than 7 days
+echo "Pruning backups older than 7 days..."
+CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%SZ)
+az storage blob list \
+  --account-name "${AZURE_STORAGE_ACCOUNT}" \
+  --account-key "${AZURE_STORAGE_KEY}" \
+  --container-name "${AZURE_CONTAINER}" \
+  --query "[?properties.lastModified<'${CUTOFF}'].name" -o tsv \
+  | while read -r name; do
+      [ -n "$name" ] && az storage blob delete \
+        --account-name "${AZURE_STORAGE_ACCOUNT}" \
+        --account-key "${AZURE_STORAGE_KEY}" \
+        --container-name "${AZURE_CONTAINER}" \
+        --name "$name" && echo "Deleted: ${name}"
+    done
+echo "Pruning complete."

scripts/backup/gcp-gcs.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# GCP Cloud Storage backup upload
+# Uses: gsutil (gcloud SDK)
+# Env: GCS_BUCKET (e.g. gs://my-bucket)
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+echo "Uploading ${KEY}..."
+gsutil cp "$BACKUP_FILE" "${GCS_BUCKET}/${KEY}"
+echo "Upload complete."
+
+# Prune backups older than 7 days — GCS lifecycle rules are preferred,
+# but this works as a manual fallback
+echo "Pruning backups older than 7 days..."
+CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%SZ)
+gsutil ls -l "${GCS_BUCKET}/" \
+  | grep 'gitea-dump-' \
+  | while read -r size date name; do
+      if [[ "$date" < "$CUTOFF" ]]; then
+        gsutil rm "$name" && echo "Deleted: ${name}"
+      fi
+    done
+echo "Pruning complete."

scripts/backup/s3-minio.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# S3-compatible backup upload (UpCloud Objects, MinIO, Wasabi, etc.)
+# Uses: minio/mc
+# Env: S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+
+echo "Uploading ${KEY}..."
+mc cp "$BACKUP_FILE" "s3/${S3_BUCKET}/${KEY}"
+echo "Upload complete."
+
+# Prune backups older than 7 days
+echo "Pruning backups older than 7 days..."
+mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
+echo "Pruning complete."

scripts/gitea-backup.sh

@@ -13,7 +13,7 @@ NAMESPACE="gitea"
 SECRET="gitea-backup-s3"
 IMAGE="minio/mc:latest"
 POD_NAME="gitea-backup-helper"
-ALIAS_CMD='mc alias set upcloud ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
+ALIAS_CMD='mc alias set s3 ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
 
 cleanup() {
   kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
@@ -41,7 +41,7 @@ mc_run() {
 case "${1:-help}" in
   list)
     echo "Listing backups..."
-    mc_run 'mc ls upcloud/${S3_BUCKET}/'
+    mc_run 'mc ls s3/${S3_BUCKET}/'
     ;;
 
   download)
@@ -49,7 +49,7 @@ case "${1:-help}" in
 
     if [ "$FILE" = "latest" ]; then
       echo "Finding latest backup..."
-      FILE=$(mc_run 'mc ls upcloud/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
+      FILE=$(mc_run 'mc ls s3/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
       if [ -z "$FILE" ]; then
         echo "No backups found."
         exit 1
@@ -74,7 +74,7 @@ case "${1:-help}" in
     kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
 
     echo "Saving to ./$FILE ..."
-    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat upcloud/\${S3_BUCKET}/$FILE" > "./$FILE"
+    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat s3/\${S3_BUCKET}/$FILE" > "./$FILE"
     cleanup
 
     echo "Downloaded: ./$FILE"