details

Merge branch 'feature/cloud-agnostic' into feature/multi-cloud
sync
2026-04-22 22:26:57 +02:00 · 2026-04-22 22:06:31 +02:00 · 2026-04-22 21:56:43 +02:00 · 2026-04-22 21:53:44 +02:00 · 2026-04-22 21:48:02 +02:00 · 2026-04-22 14:45:23 +02:00
107 changed files with 2407 additions and 1288 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +0,0 @@
 # Force LF line endings for shell scripts
 *.sh text eol=lf
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ### What's Inside
- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -84,25 +84,24 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
+│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
-│   │   ├── kustomization.yaml # Aggregates all component subdirectories
+│   │   ├── kustomization.yaml
-│   │   ├── traefik-application/
+│   │   ├── traefik-application.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── keycloak.yaml
-│   │   │   └── traefik-application.yaml
+│   │   ├── grafana.yaml
-│   │   ├── keycloak/
+│   │   ├── gitea.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── gitea-actions.yaml
-│   │   │   └── keycloak.yaml
+│   │   ├── tempo.yaml
-│   │   ├── grafana/
+│   │   ├── renovate.yaml
-│   │   ├── prometheus/
+│   │   ├── ...                # All other Application manifests
-│   │   ├── ...               # Each component in its own subdirectory
+│   │   └── secrets.yaml
 │   │   └── secrets/
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
+│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
+│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
 │   │   ├── aks-dev/          # Azure AKS Dev — selective components only
 │   │   ├── aks-prod/         # Azure AKS Prod
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
 │   │   ├── aks-dev/        # Azure AKS Dev
 │   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
@@ -117,18 +116,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications (Kustomize, same pattern as infra)
+├── apps/                      # Business Applications
-│   ├── base/                  # One subdirectory per app
+│   ├── mcp10x.yaml
-│   │   ├── kustomization.yaml
+│   ├── musicman.yaml
-│   │   ├── musicman/
+│   ├── dot-ai-stack.yaml
-│   │   ├── mcp10x/
+│   └── argo-mcp.yaml
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/              # Per-cluster: cherry-pick or include all
 │       ├── upc-dev/           # All apps
 │       ├── upc-prod/         # All apps + patches
 │       └── aks-dev/          # Selective apps only
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -363,6 +355,7 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
@@ -380,7 +373,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 ### Multi-Source Pattern
 Applications reference both:
--- a/apps/base/argo-mcp/argo-mcp.yaml
+++ b/apps/base/argo-mcp/argo-mcp.yaml
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -1,6 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
 - argocdmcp-auth-oidc-sealed.yaml
 - argocd-mcp-credentials.yaml
--- a/apps/base/dot-ai-stack/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-stack.yaml
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
 - dot-ai-secrets.yaml
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -1,8 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- dot-ai-stack
+- dot-ai-stack.yaml
- mcp10x
+- mcp10x.yaml
- musicman
+- musicman.yaml
- ts-mcp
+- argo-mcp.yaml
 - argo-mcp
--- a/apps/base/mcp10x/mcp10x.yaml
+++ b/apps/base/mcp10x/mcp10x.yaml
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
 - forte10x-app-credentials-sealed.yaml
--- a/apps/base/musicman/musicman.yaml
+++ b/apps/base/musicman/musicman.yaml
@@ -36,8 +36,13 @@ spec:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=false
    - Replace=false
    retry:
      limit: 5
      backoff:
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
 - musicman-credentials.yaml
--- a/apps/base/ts-mcp/kustomization.yaml
+++ b/apps/base/ts-mcp/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
 - ts-mcp-secrets-sealed.yaml
--- a/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
+++ b/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
@@ -1,13 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: ts-mcp-secrets
  namespace: ts-mcp
 spec:
  encryptedData:
    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
  template:
    metadata:
      name: ts-mcp-secrets
      namespace: ts-mcp
--- a/apps/overlays/aks-dev/kustomization.yaml
+++ b/apps/overlays/aks-dev/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base/musicman
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,5 +1,4 @@
 #!/bin/zsh
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
@@ -18,7 +17,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
    ArgoCd
-    Gitea
+#    Gitea
 }
@@ -28,9 +27,8 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f "secrets/"
+    kubectl apply -f private/gitea-repo-main.yaml
-    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
+    kubectl apply -f private/main.key
    kubectl apply -f "private/${CLUSTER}/main.key"
 }
 ############################################################
@@ -38,15 +36,10 @@ Gitea()
 ############################################################
 ArgoCd()
 {
    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
    # install argocd
    echo "Installing ArgoCD..."
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --version "7.8.0" \
            --namespace argocd --create-namespace \
            --values infra/values/base/argocd-values.yaml \
            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -56,4 +49,4 @@ ArgoCd()
    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
-Bootstrap
+# Bootstrap
--- a/cluster-resources/argocd-oidc-secret-sync.yaml
+++ b/cluster-resources/argocd-oidc-secret-sync.yaml
@@ -1,83 +0,0 @@
 # CronJob: syncs OIDC client secret from registrar-managed
 # argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
 # Runs every 2 min. No-ops if source secret doesn't exist yet
 # (safe for fresh deploys before Keycloak is up).
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-oidc-sync
 subjects:
 - kind: ServiceAccount
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 spec:
  schedule: "*/2 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: argocd-oidc-sync
          restartPolicy: Never
          containers:
          - name: sync
            image: bitnami/kubectl:latest
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              # Exit gracefully if source secret doesn't exist yet
              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
                exit 0
              fi
              # Read current OIDC client secret
              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
                -o jsonpath='{.data.client-secret}' | base64 -d)
              # Read current value in argocd-secret (if any)
              CURRENT=$(kubectl get secret argocd-secret -n argocd \
                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
              # Only patch if changed
              if [ "$NEW_SECRET" = "$CURRENT" ]; then
                echo "oidc.clientSecret already up to date"
                exit 0
              fi
              kubectl patch secret argocd-secret -n argocd --type merge \
                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
              echo "Patched argocd-secret with oidc.clientSecret"
--- a/cluster-resources/argocd-repo-server-config.yaml
+++ b/cluster-resources/argocd-repo-server-config.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-repo-server-config
  namespace: argocd
 data:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  ARGOCD_GIT_MODULES_ENABLED: "false"
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -26,6 +26,7 @@ spec:
          - monitoring
          - secrets
          - kyverno
          - trivy-system
    match:
      any:
      - resources:
--- a/cluster-resources/policies/secret-cloner.yaml
+++ b/cluster-resources/policies/secret-cloner.yaml
@@ -16,6 +16,7 @@ spec:
      - resources:
          namespaces:
          - kube-system
          - trivy-system
          - monitoring
          - argocd
          - cert-manager
--- a/clusters/aks-dev.yaml
+++ b/clusters/aks-dev.yaml
@@ -1,12 +1,12 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
 trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure # → determines overlay directory and cloud-specific LB/storage annotations
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
--- a/devbox.json
+++ b/devbox.json
@@ -1,32 +0,0 @@
 {
  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
  "packages": [
    "kubectl@1.33.2",
    "kubernetes-helm@3.18.4",
    "k9s@0.50.7",
    "kubeseal@0.30.0",
    "argocd@2.14.11",
    "kubecm@0.33.1",
    "kubectl-tree@0.4.3",
    "kind@0.29.0",
    "kustomize@5.7.0",
    "kyverno@1.14.3",
    "syft@1.29.0",
    "grype@0.92.2",
    "traefik@3.6.7",
    "claude-code@latest",
    "go@latest",
    "dotnet-sdk@latest",
    "opentofu@1.11.6"
  ],
  "shell": {
    "init_hook": [
      "echo 'Welcome to devbox!' > /dev/null"
    ],
    "scripts": {
      "test": [
        "echo \"Error: no test specified\" && exit 1"
      ]
    }
  }
 }
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -654,11 +654,21 @@ kubectl create secret generic myapp-credentials \
 #### Step 2: Seal the Secret
 Get the public certificate (one-time setup):
 ```bash
 # Fetch public cert from cluster
 kubeseal --fetch-cert \
  --controller-name=sealed-secrets-controller \
  --controller-namespace=kube-system \
  > pub-cert.pem
 ```
 Seal your secret:
 ```bash
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
@@ -701,7 +711,7 @@ kubectl create secret generic myapp-credentials \
 # 2. Seal it
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
@@ -952,46 +962,6 @@ User sees application (authenticated)
 ---
 ### Accessing Authenticated User Information
 The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
 After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
 | Header | Description | Available in |
 |--------|-------------|-------------|
 | `X-Auth-User` | Username or display name | Token, OIDC, MCP |
 | `X-Auth-Email` | User email address | OIDC |
 | `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
 | `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
 | `X-Auth-Token` | The validated access token | All modes |
 **Your application reads these headers — no auth library needed:**
 ```javascript
 // Express.js example
 app.get('/profile', (req, res) => {
  const user = req.headers['x-auth-user'];
  const email = req.headers['x-auth-email'];
  res.json({ user, email });
 });
 ```
 ```python
 # Flask example
@app.route('/profile')
 def profile():
    user = request.headers.get('X-Auth-User')
    email = request.headers.get('X-Auth-Email')
    return jsonify(user=user, email=email)
 ```
 **Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
 **Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
 ---
 ### Authentication Configuration Reference
 #### Helm Values Schema
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -120,25 +120,24 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (one dir per component)
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
-│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
+│   │   ├── kustomization.yaml
-│   │   ├── traefik-application/
+│   │   ├── traefik-application.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── keycloak.yaml
-│   │   │   └── traefik-application.yaml
+│   │   ├── grafana.yaml
-│   │   ├── keycloak/
+│   │   ├── gitea.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── gitea-actions.yaml
-│   │   │   └── keycloak.yaml
+│   │   ├── tempo.yaml
-│   │   ├── grafana/
+│   │   ├── renovate.yaml
-│   │   ├── prometheus/
+│   │   ├── ...                       # All other Application manifests
-│   │   ├── ...                       # Each component in its own subdirectory
+│   │   └── secrets.yaml
 │   │   └── secrets/
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/                # UpCloud Prod — all + patches
+│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
 │   │   ├── aks-dev/                 # Azure AKS Dev — selective components
 │   │   ├── aks-prod/               # Azure AKS Prod
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
 │   │   ├── aks-dev/               # Azure AKS Dev
 │   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
@@ -150,17 +149,13 @@ launchpad/
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # One subdirectory per app
+│   ├── base/                         # Base app manifests
 │   │   ├── kustomization.yaml
-│   │   ├── musicman/
+│   │   ├── dot-ai-stack.yaml
-│   │   ├── mcp10x/
+│   │   └── ...
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/
-│       ├── upc-dev/                  # All apps (resources: ../../base)
+│       ├── upc-dev/                  # Uses base as-is
-│       ├── upc-prod/                # All apps + patches
+│       └── upc-prod/                # Patches value paths
 │       └── aks-dev/                 # Selective apps only
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -176,8 +171,6 @@ launchpad/
 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
 - Each component in `base/` has its own subdirectory with a `kustomization.yaml`
 - Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -360,30 +353,16 @@ spec:
 ### Multi-Cluster Pattern
-Kustomize overlays enable deploying the same Applications across clusters with different configurations.
+Kustomize overlays enable deploying the same Applications across clusters with different configurations:
 Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
 ```yaml
-# Option 1: Include ALL components (full cluster)
+# infra/base/ contains default (upc-dev) Applications
-# infra/overlays/upc-dev/kustomization.yaml
+# Helm values are layered: base + cluster-specific
-resources:
+valueFiles:
- ../../base                    # Pulls in every component subdirectory
+- $values/infra/values/base/traefik-values.yaml    # Shared config
 - $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
-# Option 2: Cherry-pick specific components (lightweight cluster)
+# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
 # infra/overlays/aks-dev/kustomization.yaml
 resources:
 - ../../base/traefik-application
 - ../../base/grafana
 - ../../base/prometheus
 - ../../base/loki
 # Only listed components are deployed — others are excluded
 ```
 Per-cluster patches swap Helm value file paths:
 ```yaml
 # infra/overlays/upc-prod/kustomization.yaml
 patches:
 - target:
    kind: Application
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -76,28 +76,34 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications (Kustomize)
+├── infra/                         # Infrastructure applications
-│   ├── base/                      # One subdirectory per component
+│   ├── cluster-resources-application.yaml
-│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
+│   ├── enterprise-apps.yaml
-│   │   ├── traefik-application/
+│   ├── traefik-application.yaml
-│   │   │   ├── kustomization.yaml
+│   ├── cert-manager-application.yaml
-│   │   │   └── traefik-application.yaml
+│   ├── kyverno.yaml
-│   │   ├── keycloak/
+│   ├── kyverno-policies.yaml
-│   │   │   ├── kustomization.yaml
+│   ├── prometheus.yaml
-│   │   │   └── keycloak.yaml
+│   ├── grafana.yaml
-│   │   ├── grafana/
+│   ├── loki.yaml
-│   │   ├── prometheus/
+│   ├── tempo.yaml
-│   │   ├── loki/
+│   ├── fluent-bit.yaml
-│   │   ├── tempo/
+│   ├── trivy.yaml
-│   │   ├── gitea/
+│   ├── gitea.yaml
-│   │   ├── opencost/
+│   ├── gitea-actions.yaml
-│   │   ├── ...                    # Each component in own directory
+│   ├── sealedsecrets.yaml
-│   │   └── secrets/
+│   ├── secrets.yaml
-│   ├── overlays/                  # Per-cluster: include all or cherry-pick
+│   ├── renovate.yaml
-│   │   ├── upc-dev/              # resources: [../../base] (all components)
+│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
-│   │   ├── upc-prod/            # resources: [../../base] + patches
+│   │   ├── gitea.yaml
-│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
+│   │   ├── opencost.yaml
-│   │   └── .../                  # 8 clusters total
+│   │   ├── traefik-application.yaml
 │   │   ├── keycloak.yaml
 │   │   ├── grafana.yaml
 │   │   └── ...
 │   ├── overlays/
 │   │   └── upc-prod/
 │   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
 │       ├── base/                   # Cloud-agnostic Helm values
 │       │   ├── gitea-values.yaml
@@ -117,18 +123,11 @@ launchpad/
 │           ├── gitea-values.yaml
 │           └── opencost-values.yaml
 │
-├── apps/                          # Business applications (Kustomize)
+├── apps/                          # Business applications
-│   ├── base/                     # One subdirectory per app
+│   ├── mcp10x.yaml
-│   │   ├── kustomization.yaml
+│   ├── musicman.yaml
-│   │   ├── musicman/
+│   ├── dot-ai-stack.yaml
-│   │   ├── mcp10x/
+│   └── argo-mcp.yaml
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/                 # Per-cluster: include all or cherry-pick
 │       ├── upc-dev/
 │       ├── upc-prod/
 │       └── aks-dev/              # Selective apps only
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -149,30 +148,12 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── base/                     # All SealedSecrets (shared across clouds)
+│   ├── argocd-mcp-credentials.yaml
-│   │   ├── kustomization.yaml
+│   ├── dot-ai-secrets.yaml
-│   │   ├── argocd-forte-helm-secret-sealed.yaml
+│   ├── gitea-credentials-sealed.yaml
-│   │   ├── argocd-mcp-credentials.yaml
+│   ├── gitea-runner-token-sealed.yaml
-│   │   ├── argocdmcp-auth-oidc-sealed.yaml
+│   ├── mcp10x-credentials-sealed.yaml
-│   │   ├── dot-ai-secrets.yaml
+│   └── musicman-credentials.yaml
 │   │   ├── forte10x-app-credentials-sealed.yaml
 │   │   ├── gitea-backup-s3-sealed.yaml
 │   │   ├── gitea-credentials-sealed.yaml
 │   │   ├── gitea-runner-token-sealed.yaml
 │   │   ├── gitea-smtp-secret-sealed.yaml
 │   │   ├── keycloak-credentials-sealed.yaml
 │   │   ├── musicman-auth-oidc-sealed.yaml
 │   │   ├── musicman-credentials.yaml
 │   │   └── renovate-env-sealed.yaml
 │   └── overlays/                 # Per-cloud overlays (reference base)
 │       ├── aks-dev/kustomization.yaml
 │       ├── aks-prod/kustomization.yaml
 │       ├── eks-dev/kustomization.yaml
 │       ├── eks-prod/kustomization.yaml
 │       ├── gke-dev/kustomization.yaml
 │       ├── gke-prod/kustomization.yaml
 │       ├── upc-dev/kustomization.yaml
 │       └── upc-prod/kustomization.yaml
 │
 ├── scripts/                       # Operational helper scripts
 │   ├── gitea-backup.sh            # S3 backup helper (list/download)
@@ -650,134 +631,10 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 ### Global Settings (`argocd-cm`)
 | Setting | Value | Purpose |
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
 | `admin.enabled` | `false` | Admin login disabled (SSO-only) |
 | `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
 **Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
 ```yaml
 configs:
  params:
    "reposerver.enable.git.submodule": "false"
 ```
 This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
 **Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
 ```bash
 # Enable admin login
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
 # Log in as admin, do what's needed, then disable again
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
 ```
 ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
 **OIDC Authentication** (Keycloak):
 ```yaml
 configs:
  cm:
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbacConfig:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
 ```
 **Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
 - `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
 - OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
 - The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
 - Safe for fresh deploys: no-ops if source secret doesn't exist yet
 **Ingress** (Traefik + TLS):
 ```yaml
 server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
 configs:
  params:
    "server.insecure": true
 ```
 TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 ---
 ## Infrastructure Components
 ### Homepage (Platform Dashboard)
 **Chart**: `jameswynn/homepage`
 **Namespace**: `homepage`
 **URL**: `https://start.forteapps.net`
 Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
 **Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
 **Annotated services**:
 | Service | Namespace | Group | Widget |
 |---------|-----------|-------|--------|
 | `gitea-http` | `gitea` | DevOps | `gitea` |
 | `argocd-server` | `argocd` | DevOps | `argocd` |
 | `keycloak` | `keycloak` | Identity | none |
 | `grafana` | `monitoring` | Monitoring | `grafana` |
 | `karpor-server` | `karpor` | DevOps | none |
 **Adding a new app**: Annotate the app's Service in its Helm values:
 ```yaml
 service:
  annotations:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "My App"
    gethomepage.dev/description: "What it does"
    gethomepage.dev/group: "GroupName"
    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
    gethomepage.dev/href: "https://myapp.forteapps.net"
    # Optional live widget:
    gethomepage.dev/widget.type: "myapp"
    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
 ```
 **Widget API credentials**: Inject via env vars into the Homepage pod:
 ```yaml
 # In homepage-values.yaml per environment
 env:
 - name: HOMEPAGE_VAR_GRAFANA_TOKEN
  valueFrom:
    secretKeyRef:
      name: homepage-widget-credentials
      key: grafana-token
 ```
 Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
 **Values files**:
 - `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
 - `infra/values/{env}/homepage-values.yaml` — hostname per environment
 ---
 ### Traefik
 **Chart**: `traefik/traefik`
@@ -849,10 +706,6 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`
 **Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
 To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -893,15 +746,6 @@ kubeStateMetrics:
 - Loki
 - Tempo
 **Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
 **OIDC Authentication** (Keycloak):
 - Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
 - Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
 - SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
 - Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
 - Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
 ### Loki
 **Chart**: `grafana/loki-stack`
@@ -1254,33 +1098,6 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 ### Karpor
 **Chart**: `karpor` from `https://kusionstack.github.io/charts`
 **Version**: 0.7.6 (app v0.6.4)
 **Namespace**: `karpor`
 **Sync Wave**: 1
 **Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
 **Architecture** (4 components):
 - **Server** — main Karpor API/UI (port 7443)
 - **Syncer** — syncs cluster state into the search index
 - **ElasticSearch** — search backend for resource indexing
 - **etcd** — persistent key-value store (10Gi PVC)
 **Configuration** (`infra/values/base/karpor-values.yaml`):
 - `namespaceEnabled: false` — ArgoCD manages namespace creation
 - Default resource limits tuned for small clusters
 - ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
 - AI features available but not enabled (requires `server.ai.authToken` + backend config)
 **Access**: Port-forward to reach the UI:
 ```bash
 kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
 # Open https://localhost:7443
 ```
 ### Renovate
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1728,23 +1545,7 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
-#### Forwarded Headers
+**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
 After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
 | Header | Description | Auth Modes |
 |--------|-------------|------------|
 | `X-Auth-User` | Username or display name | Token, OIDC, MCP |
 | `X-Auth-Email` | User email address | OIDC |
 | `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
 | `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
 | `X-Auth-Token` | The validated access token | All modes |
 These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
 Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
 **See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
 ---
@@ -1933,9 +1734,8 @@ To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
   - `opencost-values.yaml` — pricing model or cloud billing integration
 3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
 4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
-5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config
-6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+6. **Bootstrap**: `./bootstrap.sh oci-dev`
 7. **Bootstrap**: `./bootstrap.sh oci-dev`
 ---
--- a/infra/base/cert-manager-application/cert-manager-application.yaml
+++ b/infra/base/cert-manager-application/cert-manager-application.yaml
--- a/infra/base/cert-manager-application/kustomization.yaml
+++ b/infra/base/cert-manager-application/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cert-manager-application.yaml
--- a/infra/base/cluster-resources-application/cluster-resources-application.yaml
+++ b/infra/base/cluster-resources-application/cluster-resources-application.yaml
--- a/infra/base/cluster-resources-application/kustomization.yaml
+++ b/infra/base/cluster-resources-application/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-resources-application.yaml
--- a/infra/base/databunker/kustomization.yaml
+++ b/infra/base/databunker/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - databunker.yaml
--- a/infra/base/enterprise-apps/enterprise-apps.yaml
+++ b/infra/base/enterprise-apps/enterprise-apps.yaml
--- a/infra/base/enterprise-apps/kustomization.yaml
+++ b/infra/base/enterprise-apps/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - enterprise-apps.yaml
--- a/infra/base/fluent-bit/fluent-bit.yaml
+++ b/infra/base/fluent-bit/fluent-bit.yaml
--- a/infra/base/fluent-bit/kustomization.yaml
+++ b/infra/base/fluent-bit/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - fluent-bit.yaml
--- a/infra/base/gitea-actions/gitea-actions.yaml
+++ b/infra/base/gitea-actions/gitea-actions.yaml
--- a/infra/base/gitea-actions/kustomization.yaml
+++ b/infra/base/gitea-actions/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea-actions.yaml
--- a/infra/base/gitea/gitea.yaml
+++ b/infra/base/gitea/gitea.yaml
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -1,8 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
 - gitea-backup-s3-sealed.yaml
 - gitea-credentials-sealed.yaml
 - gitea-runner-token-sealed.yaml
 - gitea-smtp-secret-sealed.yaml
--- a/infra/base/grafana-dashboards/grafana-dashboards.yaml
+++ b/infra/base/grafana-dashboards/grafana-dashboards.yaml
--- a/infra/base/grafana-dashboards/kustomization.yaml
+++ b/infra/base/grafana-dashboards/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - grafana-dashboards.yaml
--- a/infra/base/grafana/grafana.yaml
+++ b/infra/base/grafana/grafana.yaml
--- a/infra/base/grafana/kustomization.yaml
+++ b/infra/base/grafana/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - grafana.yaml
--- a/infra/base/homepage/homepage.yaml
+++ b/infra/base/homepage/homepage.yaml
@@ -1,43 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: homepage
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "3"
  labels:
    app.kubernetes.io/name: homepage
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://jameswynn.github.io/helm-charts
    chart: homepage
    targetRevision: "2.1.0"
    helm:
      releaseName: homepage
      valueFiles:
      - $values/infra/values/base/homepage-values.yaml
      - $values/infra/values/upc-dev/homepage-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: homepage
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
--- a/infra/base/karpor/karpor.yaml
+++ b/infra/base/karpor/karpor.yaml
@@ -1,48 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: karpor
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: karpor
    app.kubernetes.io/part-of: developer-portal
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://kusionstack.github.io/charts
    chart: karpor
    targetRevision: "0.7.6"
    helm:
      releaseName: karpor
      valueFiles:
      - $values/infra/values/base/karpor-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: karpor
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/karpor/kustomization.yaml
+++ b/infra/base/karpor/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - karpor.yaml
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -15,7 +15,7 @@ spec:
  project: default
  sources:
-  - repoURL: registry-1.docker.io/bitnamicharts
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
@@ -47,7 +47,3 @@ spec:
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
 - keycloak-credentials-sealed.yaml
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -1,24 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- traefik-application
+- traefik-application.yaml
- keycloak
+- keycloak.yaml
- grafana
+- grafana.yaml
- cert-manager-application
+- cert-manager-application.yaml
- kyverno
+- kyverno.yaml
- sealedsecrets
+- sealedsecrets.yaml
- prometheus
+- prometheus.yaml
- loki
+- loki.yaml
- fluent-bit
+- fluent-bit.yaml
- enterprise-apps
+- trivy.yaml
- cluster-resources-application
+- enterprise-apps.yaml
- kyverno-policies
+- cluster-resources-application.yaml
- gitea
+- kyverno-policies.yaml
- gitea-actions
+- secrets.yaml
- opencost
+- gitea.yaml
- renovate
+- gitea-actions.yaml
- tempo
+- opencost.yaml
- grafana-dashboards
+- renovate.yaml
- karpor
+- tempo.yaml
- databunker
+- grafana-dashboards.yaml
- homepage
+- network-policies-application.yaml
--- a/infra/base/kyverno-policies/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies/kyverno-policies.yaml
--- a/infra/base/kyverno-policies/kustomization.yaml
+++ b/infra/base/kyverno-policies/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kyverno-policies.yaml
--- a/infra/base/kyverno/kyverno.yaml
+++ b/infra/base/kyverno/kyverno.yaml
--- a/infra/base/kyverno/kustomization.yaml
+++ b/infra/base/kyverno/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kyverno.yaml
--- a/infra/base/loki/loki.yaml
+++ b/infra/base/loki/loki.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/loki/kustomization.yaml
+++ b/infra/base/loki/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - loki.yaml
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
@@ -1,42 +1,33 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: databunker
+  name: network-policies
  namespace: argocd
  labels:
    app.kubernetes.io/name: network-policies
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: databunker
    app.kubernetes.io/part-of: identity
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-  sources:
+  source:
-  - repoURL: https://securitybunker.github.io/databunkerpro-setup
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    chart: databunkerpro
    targetRevision: "0.1.0"
    helm:
      releaseName: databunkerpro
      valueFiles:
      - $values/infra/values/base/databunker-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    ref: values
+    path: cluster-resources/network
  destination:
    server: https://kubernetes.default.svc
    namespace: databunker
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/opencost/opencost.yaml
+++ b/infra/base/opencost/opencost.yaml
--- a/infra/base/opencost/kustomization.yaml
+++ b/infra/base/opencost/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - opencost.yaml
--- a/infra/base/prometheus/prometheus.yaml
+++ b/infra/base/prometheus/prometheus.yaml
--- a/infra/base/prometheus/kustomization.yaml
+++ b/infra/base/prometheus/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - prometheus.yaml
--- a/infra/base/renovate/renovate.yaml
+++ b/infra/base/renovate/renovate.yaml
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
 - renovate-env-sealed.yaml
--- a/infra/base/sealedsecrets/sealedsecrets.yaml
+++ b/infra/base/sealedsecrets/sealedsecrets.yaml
--- a/infra/base/sealedsecrets/kustomization.yaml
+++ b/infra/base/sealedsecrets/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
 - argocd-forte-helm-secret-sealed.yaml
--- a/apps/base/ts-mcp/ts-mcp.yaml
+++ b/apps/base/ts-mcp/ts-mcp.yaml
@@ -1,37 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: ts-mcp
+  name: secrets
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "11"
+    argocd.argoproj.io/sync-wave: "2"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
-    app.kubernetes.io/name: ts-mcp
+    app.kubernetes.io/name: secrets
-    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-  sources:
+  source:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: forteapp
+    path: secrets/upc-dev
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/ts-mcp/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
-    namespace: ts-mcp
+    namespace: secrets
  syncPolicy:
    automated:
      prune: true
--- a/infra/base/tempo/tempo.yaml
+++ b/infra/base/tempo/tempo.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/tempo/kustomization.yaml
+++ b/infra/base/tempo/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - tempo.yaml
--- a/infra/base/traefik-application/traefik-application.yaml
+++ b/infra/base/traefik-application/traefik-application.yaml
--- a/infra/base/traefik-application/kustomization.yaml
+++ b/infra/base/traefik-application/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - traefik-application.yaml
--- a/infra/base/trivy.yaml
+++ b/infra/base/trivy.yaml
@@ -0,0 +1,67 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: trivy-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: trivy-operator
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://aquasecurity.github.io/helm-charts
    chart: trivy-operator
    targetRevision: 0.31.0
    helm:
      releaseName: trivy-operator
      valuesObject:
        operator:
          targetNamespaces: ""
          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
          scanJobsInSameNamespace: true
          metricsVulnIdEnabled: true
          metricsImageInfo: true
        trivy:
          ignoreUnfixed: false
  destination:
    server: https://kubernetes.default.svc
    namespace: trivy-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
  - group: apiextensions.k8s.io
    kind: CustomResourceDefinition
    jsonPointers:
    - /metadata/labels
    - /metadata/annotations
    - /metadata/finalizers
--- a/infra/dashboards/kustomization.yaml
+++ b/infra/dashboards/kustomization.yaml
@@ -8,6 +8,9 @@ generatorOptions:
    grafana_dashboard: "1"
 configMapGenerator:
 - name: grafana-dashboard-trivy
  files:
  - trivy.json
 - name: grafana-dashboard-traefik-loki
  files:
  - traefik-loki.json
--- a/infra/dashboards/trivy.json
+++ b/infra/dashboards/trivy.json
--- a/infra/overlays/aks-dev/kustomization.yaml
+++ b/infra/overlays/aks-dev/kustomization.yaml
@@ -1,31 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/enterprise-apps
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/homepage
 - ../../base/traefik-application
 patches:
 # Homepage: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: homepage
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/homepage-values.yaml
 # Traefik: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -35,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -44,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -53,7 +49,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/opencost-values.yaml
-# Ent apps: swap upc-dev → aks-prod
+# Secrets: change path to aks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-dev
 # Enterprise-apps: point to aks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
--- a/infra/overlays/aks-prod/kustomization.yaml
+++ b/infra/overlays/aks-prod/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → aks-prod
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/traefik-values.yaml
-# Grafana: swap upc-dev → aks-prod  
+# Keycloak: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/opencost-values.yaml
 # Secrets: change path to aks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-prod
 # Enterprise-apps: point to aks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/aks-prod
--- a/infra/overlays/eks-dev/kustomization.yaml
+++ b/infra/overlays/eks-dev/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → eks-dev
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/traefik-values.yaml
-# Grafana: swap upc-dev → eks-dev  
+# Keycloak: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-dev
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/opencost-values.yaml
 # Secrets: change path to eks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-dev
 # Enterprise-apps: point to eks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-dev
--- a/infra/overlays/eks-prod/kustomization.yaml
+++ b/infra/overlays/eks-prod/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → eks-prod
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/traefik-values.yaml
-# Grafana: swap upc-dev → eks-prod  
+# Keycloak: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/opencost-values.yaml
 # Secrets: change path to eks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-prod
 # Enterprise-apps: point to eks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-prod
--- a/infra/overlays/gke-dev/kustomization.yaml
+++ b/infra/overlays/gke-dev/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → gke-dev
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/traefik-values.yaml
-# Grafana: swap upc-dev → gke-dev  
+# Keycloak: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/grafana-values.yaml
 # Gitea: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-dev
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/opencost-values.yaml
 # Secrets: change path to gke-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-dev
 # Enterprise-apps: point to gke-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-dev
--- a/infra/overlays/gke-prod/kustomization.yaml
+++ b/infra/overlays/gke-prod/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → gke-prod
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/traefik-values.yaml
-# Grafana: swap upc-dev → gke-prod  
+# Keycloak: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/grafana-values.yaml
 # Gitea: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/opencost-values.yaml
 # Secrets: change path to gke-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-prod
 # Enterprise-apps: point to gke-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-prod
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -5,12 +5,3 @@ resources:
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
 patches:
 - target:
    kind: Application
    name: databunker
  patch: |
    - op: add
      path: /spec/sources/0/helm/valueFiles/-
      value: $values/infra/values/upc-dev/databunker-values.yaml
--- a/infra/overlays/upc-prod/kustomization.yaml
+++ b/infra/overlays/upc-prod/kustomization.yaml
@@ -1,21 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
-# Traefik: swap upc-dev → upc-prod
+# Traefik: swap upc-dev → upc-prod in valueFiles
 - target:
    kind: Application
    name: traefik
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
-# Grafana: swap upc-dev → upc-prod  
+# Keycloak: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/grafana-values.yaml
 # Gitea: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → upc-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/opencost-values.yaml
 # Secrets: change path to upc-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/upc-prod
 # Enterprise-apps: point to upc-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/upc-prod
--- a/infra/values/aks-dev/argocd-values.yaml
+++ b/infra/values/aks-dev/argocd-values.yaml
@@ -1,5 +0,0 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "aks-dev-launchpad"
--- a/infra/values/aks-dev/homepage-values.yaml
+++ b/infra/values/aks-dev/homepage-values.yaml
@@ -1,15 +0,0 @@
 ingress:
  main:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - host: start.forteapps.net
      paths:
      - path: /
        pathType: Prefix
    tls:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -2,49 +2,16 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
    # oidc.clientSecret managed by argocd-oidc-sync CronJob
    # (reads from argocd-oidc-credentials, patches argocd-secret)
  ssh:
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
-    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "true"
    admin.enabled: "false"
    url: https://argocd.forteapps.net
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
    policy.default: ""
    scopes: '[groups]'
  params:
    "server.insecure": true
    "reposerver.enable.git.submodule": "false"
 server:
  ingress:
-    enabled: true
+    enabled: false
-    ingressClassName: traefik
+    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      gethomepage.dev/enabled: "true"
      gethomepage.dev/name: "ArgoCD"
      gethomepage.dev/description: "GitOps continuous delivery"
      gethomepage.dev/group: "DevOps"
      gethomepage.dev/icon: "argocd"
      gethomepage.dev/href: "https://argocd.forteapps.net"
      gethomepage.dev/widget.type: "argocd"
      gethomepage.dev/widget.url: "https://argocd.forteapps.net"
      # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_ARGOCD_TOKEN}}"
    tls: true
  extraArgs:
  - --insecure
--- a/infra/values/base/databunker-values.yaml
+++ b/infra/values/base/databunker-values.yaml
@@ -1,42 +0,0 @@
 # Default values for databunkerpro
 image:
  tag: 0.14.15
 ingress:
  enabled: false # Set to true to enable ingress
  className: traefik
  # Set host to enable ingress
  host: databunker.example.com
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # or your cluster issuer
    traefik.ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/ssl-passthrough: "false"
    # Security headers
    traefik.ingress.kubernetes.io/configuration-snippet: |
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-XSS-Protection "1; mode=block" always;
  # TLS configuration
  tls:
    enabled: true # Set to true to enable TLS
    secretName: "databunker-tls" # Name of the secret containing TLS certificate
 # Pin PostgreSQL password — chart uses randAlphaNum without lookup,
 # so each ArgoCD sync would regenerate the password while PVC keeps the old one.
 # Same issue as Backstage PostgreSQL (see MEMORY.md).
 internal:
  postgresql:
    auth:
      password: "databunker-pg-pass-2026"
 resources:
  # Uncomment and adjust these values based on your requirements
  # requests:
  #   memory: "512Mi"
  #   cpu: "250m"
  # limits:
  #   memory: "1Gi"
  #   cpu: "500m"
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -77,7 +77,7 @@ gitea:
      FROM: "noreply@fortedigital.com"
    admin:
-      DEFAULT_EMAIL_NOTIFICATIONS: onmention
+      DEFAULT_EMAIL_NOTIFICATIONS: enabled
  # -- SMTP credentials injected from secret (USER and PASSWD)
  additionalConfigFromEnvs:
@@ -98,7 +98,7 @@ gitea:
    existingSecret: gitea-oidc-credentials
    key: gitea
    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "email profile organization"
+    scopes: "openid email profile organization"
    groupClaimName: "groups"
    adminGroup: ""
    restrictedGroup: ""
@@ -114,15 +114,6 @@ ingress:
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Gitea"
    gethomepage.dev/description: "Git hosting & CI/CD"
    gethomepage.dev/group: "DevOps"
    gethomepage.dev/icon: "gitea"
    gethomepage.dev/href: "https://git.forteapps.net"
    gethomepage.dev/widget.type: "gitea"
    gethomepage.dev/widget.url: "https://git.forteapps.net"
    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
  hosts:
  - host: git.forteapps.net
    paths:
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -1,23 +1,5 @@
 ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Grafana"
    gethomepage.dev/description: "Metrics & observability dashboards"
    gethomepage.dev/group: "Monitoring"
    gethomepage.dev/icon: "grafana"
    gethomepage.dev/href: "https://grafana.forteapps.net"
    gethomepage.dev/widget.type: "grafana"
    gethomepage.dev/widget.url: "https://grafana.forteapps.net"
    # gethomepage.dev/widget.username: "{{HOMEPAGE_VAR_GRAFANA_USER}}"
    # gethomepage.dev/widget.password: "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}"
  tls:
  - secretName: grafana-tls
    hosts:
    - grafana.forteapps.net
 resources:
  requests:
    cpu: 50m
@@ -29,29 +11,6 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 envFromSecrets:
 - name: grafana-oidc-credentials
 grafana.ini:
  server:
    root_url: https://grafana.forteapps.net
  auth.generic_oauth:
    enabled: true
    name: Forte SSO
    allow_sign_up: true
    client_id: ${client-id}
    client_secret: ${client-secret}
    scopes: openid email profile
    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
    role_attribute_strict: true
    allow_assign_grafana_admin: true
    auto_login: true
  auth:
    disable_login_form: true
 datasources:
  datasources.yaml:
    apiVersion: 1
--- a/infra/values/base/homepage-values.yaml
+++ b/infra/values/base/homepage-values.yaml
@@ -1,57 +0,0 @@
 # Homepage Helm Values
 # Chart: jameswynn/homepage — https://gethomepage.dev
 # Discovery: K8s service annotations (gethomepage.dev/*)
 # Each deployed app annotates its own Service — apps not deployed = not visible.
 # RBAC ClusterRole — required for cluster-wide service annotation scanning
 enableRbac: true
 serviceAccount:
  create: true
  name: homepage
 config:
  # Scan all namespaces for services with gethomepage.dev/enabled: "true"
  kubernetes:
    mode: cluster
  settings:
    title: "Forte Platform"
    headerStyle: clean
    layout:
      DevOps:
        style: row
        columns: 4
      Identity:
        style: row
        columns: 4
      Monitoring:
        style: row
        columns: 4
  # Top-of-page cluster overview widget
  widgets:
  - kubernetes:
      cluster:
        show: true
        cpu: true
        memory: true
        showLabel: true
        label: "Cluster"
      nodes:
        show: false
  # Both empty — all entries come from K8s service annotations
  bookmarks: []
  services: []
  # Widget API credentials (optional — add via SealedSecret + envFrom below)
  # Homepage reads HOMEPAGE_VAR_* env vars and substitutes them in widget annotations.
  # Example: gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"
  # To enable: create a sealed secret and add envFrom to load it.
 resources:
  requests:
    cpu: 10m
    memory: 128Mi
  limits:
    cpu: 100m
    memory: 256Mi
--- a/infra/values/base/karpor-values.yaml
+++ b/infra/values/base/karpor-values.yaml
@@ -1,44 +0,0 @@
 # Karpor - Kubernetes Visualization & Intelligence Tool
 # Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
 # Let the ArgoCD Application manage the namespace
 namespaceEnabled: false
 server:
  replicas: 1
  port: 7443
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi
 syncer:
  replicas: 1
  port: 7443
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi
 elasticsearch:
  replicas: 1
  port: 9200
  resources:
    requests:
      cpu: 500m
      memory: 2Gi
    limits:
      cpu: "2"
      memory: 4Gi
 etcd:
  replicas: 1
  port: 2379
  persistence:
    size: 5Gi
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -18,12 +18,6 @@ ingress:
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Keycloak"
    gethomepage.dev/description: "Identity & access management"
    gethomepage.dev/group: "Identity"
    gethomepage.dev/icon: "keycloak"
    gethomepage.dev/href: "https://id.forteapps.net"
 metrics:
  enabled: true
@@ -81,6 +75,7 @@ keycloakConfigCli:
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "gitea",
@@ -103,84 +98,6 @@ keycloakConfigCli:
                }
              }
            ]
          },
          {
            "clientId": "grafana",
            "name": "Grafana",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://grafana.forteapps.net/*"],
            "webOrigins": ["https://grafana.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "monitoring",
              "k8s.secret.name": "grafana-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "client-roles",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-client-role-mapper",
                "config": {
                  "claim.name": "resource_access.grafana.roles",
                  "jsonType.label": "String",
                  "multivalued": "true",
                  "usermodel.clientRoleMapping.clientId": "grafana",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          },
          {
            "clientId": "argocd",
            "name": "ArgoCD",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
            "webOrigins": ["https://argocd.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "argocd",
              "k8s.secret.name": "argocd-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "groups",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-group-membership-mapper",
                "config": {
                  "claim.name": "groups",
                  "full.path": "false",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ],
        "groups": [
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
          },
          {
            "name": "ArgoCD Viewers",
            "path": "/ArgoCD Viewers"
          }
        ]
      }
@@ -199,12 +116,12 @@ extraDeploy:
  metadata:
    name: keycloak-client-registrar
  rules:
-  - apiGroups: [ "" ]
+  - apiGroups: [""]
-    resources: [ "secrets" ]
+    resources: ["secrets"]
-    verbs: [ "get", "list", "create", "update", "patch" ]
+    verbs: ["get", "list", "create", "update", "patch"]
-  - apiGroups: [ "" ]
+  - apiGroups: [""]
-    resources: [ "namespaces" ]
+    resources: ["namespaces"]
-    verbs: [ "get", "list" ]
+    verbs: ["get", "list"]
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
@@ -241,7 +158,7 @@ extraDeploy:
            containers:
            - name: registrar
              image: alpine:3.20
-              command: [ "/bin/sh", "-c" ]
+              command: ["/bin/sh", "-c"]
              args:
              - |
                set -e
--- a/infra/values/base/prometheus-values.yaml
+++ b/infra/values/base/prometheus-values.yaml
@@ -36,6 +36,28 @@ extraScrapeConfigs: |
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
  - job_name: trivy-operator
    scrape_interval: 30s
    metrics_path: /metrics
    kubernetes_sd_configs:
      - role: pod
        namespaces:
          names:
            - trivy-system
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
        regex: trivy-operator
        action: keep
      - source_labels: [__meta_kubernetes_pod_container_port_number]
        regex: "8080"
        action: keep
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
        target_label: instance
  - job_name: traefik
    scrape_interval: 15s
    metrics_path: /metrics
--- a/infra/values/upc-dev/argocd-values.yaml
+++ b/infra/values/upc-dev/argocd-values.yaml
@@ -1,5 +1,5 @@
 global:
-  domain: argocd.forteapps.net
+  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "dev-fd-eu-no-svg1"
--- a/infra/values/upc-dev/databunker-values.yaml
+++ b/infra/values/upc-dev/databunker-values.yaml
@@ -1,3 +0,0 @@
 ingress:
  enabled: true
  host: databunker.forteapps.net
--- a/infra/values/upc-dev/homepage-values.yaml
+++ b/infra/values/upc-dev/homepage-values.yaml
@@ -1,15 +0,0 @@
 ingress:
  main:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - host: start.forteapps.net
      paths:
      - path: /
        pathType: Prefix
    tls:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
--- a/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
+++ b/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
--- a/secrets/dot-ai-secrets-sealed.yaml
+++ b/secrets/dot-ai-secrets-sealed.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: dot-ai-secrets
  namespace: dot-ai
 spec:
  encryptedData:
    anthropic-api-key: AgAdnPQzl2SNSqyAZkoBdEEGEjXfpMJUNMg4e040vxri4jbjoTnmwQ/DjmmIGtoInjhQA3NZRUKcIuDrO7nGMXFOPY9tSfhpdaAMWTji1CVZvmdJnrQwZY1LFBwgbozq3RSZZQQcZd2EPrhhsU5UlmacKk2WpuQdq76twfdU5WVD8xalxbt0H5UDvihuQa3sYX/rUIDZK2Th5IfaFqYZk5JvaxR8PFwBh9IOooGewWXWrsxVT510lxHRotSDIgKt/jl8ymsVA7IpddnbQHr6K77it7BxR6fLvDGaTQeQW0RtPZwsLvB268OTwp338RQ2sjmVuUDErWViLuk1V6UFmj5vhRR0X2dy/EipkWEJwR0Zf8JCW+vAXJ4NFiVFjmOsiTXoLHCYp0k01EwFcPQpnswKSdaQ3tuCEa4Q+rHu2DiXyfSuZ1MnWnTyLSx9H51VYUgIPwQa+BUVoVnAswypw4yLQHrfLu9TSvsNl/OonP0dSmgSGaByTc1RzwpvHBUAaOYII2LuuvkF90oA4cChGkGe1KuYKHFqiBdaT9jrsfeBUpgqFAH0uH9DNjBjU5EjlUtV3bdO7wXDHct9EOBZniKMH7cIbXfT2TBaormeHNqFtXxSRXy1szDpXiDD1QDoAJx0ylrwwqix7XPBlqSt91OZ8N1VPSUPvfnTQf7zirVWJNckU9fW6tsnQ+GDOOEwERPEAhqxWuw6V0HMab4VzpbGgWuvtQY5CsI2bFUYWSZAIJ6H8E5ip3lb8ilWtYadhx8QZD3aKi7k5h4bFWd6M0rg0uj7bfbW8YXauTS6Uz4b9FlvgrAPkmcWG84um/jsmP6a0YhvJDGKHMHoUmY=
    auth-token: AgBq/MM/+fqi1H6L5o/xFeKYMfcn6+bmbkepbq97O0Ob+dFKWuyfXmzqM2Dha+NKpXcu47qSBbLpaOdLS5ONq7JDIcZ2byW0ae9khBuL7k2mCa5ZPh96LS46c+v1qNJb6F4NQe+jWSx2H9LIShoihom+lRueBT1/uthW3hnUUUgQMgXU3NYimDNAg6JK6VgX3yKkI7ePLPAet7+ykaL1aPXwcfCAldcobPmls0vxMQDtgd+o4nLqx2sKArFplnwZ9G1SEz2dRXNFm8HI4HhgtOBdv1ISjXO8XGRZWnFqgX3s3BqcwFcPqVuFGHo+2ZvAUW+mdkuAEJOloJEoZXJkFCP+l7/yMV7/FmFAhntqfdTwijEJ+rP/sUbUNSzn6BKM2ITRGXEJkOeNq4xfpgS16AOs+O0DWkIAr0kWCJG+mkn94U7ALCGYQXtKLy0g/87MJ3IwaUU7gowVawHoDmpY0QoAYDJwpbIa9yMnlPOzJANkc99dl85sbLeQMvkkb4RqQlbMc80gkFFhbU5/0kKX483ylqhRi0b4ZjGHgl72s/8+FhxTDkSXJQ2HbrNPGlna+B7TAgxYZ9IS1cpw4wSNzSCk23Rt3STHnXuu/QXRLeMijXGBDFNJgU0JNKLp63JC1gftHcNhqRL6lxK1tLyo5+0Cnh/KJN64b1DpPXZnzdaeR25GQFSDxsymjLm2BFATtufRPJqeIT7tn5TRGTr97fH6LQv/LuJ4VnjS6WLsQoFdUhDuNug2LDuyLHjpKg==
    openai-api-key: AgCQR+HezEHwiwFD1pIkla1Byzz91SBoUyaWVTTuBrBDq201KvlLmqahjQwpKWs4YvqhmKkbF/mXKuMSyFut72IwH025tfmzzmTryOD6bOQDxI0Ws5NndnztzKv2qw2Js0c+6lAOJR+lEuo1ynGlG3hfS+bGShShvLZIDcD/hDa8IfhQBh7fKyFslJ52KxKK+zeEFDVQcx6Lrq/zP9IPH2QXz0bVQYlRyrQ4vqONO9h2pjxNAhDxuJ5FPk+Hb4ClGjyRPHFT34ZYsYdvHUgkjL3nOeaOUrc0GGJOKYZChfsK/JrqX8iOqgbE+0vQvMX+q8Tr6Ynr0KRKMcGPr6ak3eCNknJaZ1EABtkyUS2u5TzKqMzYq5DF4kpvPApIvaQW+VS05zD8piTQSZEFNRwwXDpyru/R4MmPvwt7OdSM0SJpQ8kR7tsuRgBPFY2Eduk6fhrDmMVgHze3AoRaqyh87CeqR3Z7/XofbdgZBqEp2vwiY425ArB6yMLpVvO6eB+yoTgCJ/UpfOxBDHE1M6U3goJhk/YeOy9UpTfRD1VyA2OuzJliDNtC784wxnGAsOk3qKk1bjjBqUzwITK41mOWqNLKCn4Ol9lXZtbbqLIiU4lXv4Pl93mVSuPLOIXINLGMRFl0rlvDICEjrrfE+JmwKx6i45sqsk3/hz1Fb+/bKFo7pl9JnAXvr5WfDW/rflwBrokfJVeYsSm6R2yxGWlosrKZIwIRctOut1EbbylurI5pIPp6vHguyIvZDDxwj3Qk3ewU/WVAcI9989aLR++UrZ5FGXt3apMk8BY9bq7DIQOUtgfPO98+cVPdoZSIh5bhQpCHAVPMGcGTdIPkuQbxSai0FsP8ipdHx0fluI6p/4v1Rv/BqZH0X8dnwPQoqUhSD+C575w511Fc8PEzgaG63S9hHx5Azw==
    ui-auth-token: AgBgKRwErv5MtWIdqSN5BSQ/deHFE4469gzqL6gwp/3JidtBEiAAyuOIbc9dRCWuJNcdtixKOZT1rKuI8O/e6oJ6ABGAx+ckDfH468VKsR4AJhdZGcxub5j79NKccbNA5MKTnqxlU05zukUOkgw3wdsOyuQr3RnfL31GFbEVyDMej+Xr7Rs0fWrfqpasCi45/PEi8fkofMg45kGc+LMfDgovNtkKla2MAXwYlUk24SA+lgCFoG2DHB50GdTK2byCks4Px4J3jQqqHdLUfC+/gyqimPoVUsVGb5SY0xeNepKfTz7lHEkmDOB9R1wfv7pUaLMapc+eVrVN7reLHKOA47IEedDpnlLm/fyEfPe7ktkejc59tPyIyxBubrN+Vb/+6bDgi7xsXy/N5uD/2sPqWVgI2D7veWOJEjM+GYOYeb2iRbf7KlrokCXD/gRMiQBKqYyUdjWx40MjrhxzPArOa+cL0kb1CUgwuyjmqq5hNIUO2wo6/kkeNtUeT7r067LE5rtMoZG2EAfw/xrL1CI2F+3c72JzRd//aClt1MsSfPPPoFz0TlWSSc7qNDhYHuQf//G/Zd29Nk/Ac52HVwdkl2AXJE/GIFdwi+ypqK5mjmSUTn/JVE0ZaA3OpHOF/01meISuqBo+HuAWCV8sw6en0F8AF+DF8rw8t5hDdexScXep5QuJmm4CYgqThyjz2V5xME9oMmGA+Yiu/MJ4AlkLowijpXkKEWpEOBRpRRhu2q2szhZqmx1oKJw+qJ40CQ==
  template:
    metadata:
      creationTimestamp: null
      name: dot-ai-secrets
      namespace: dot-ai
--- a/infra/base/gitea/gitea-backup-s3-sealed.yaml
+++ b/infra/base/gitea/gitea-backup-s3-sealed.yaml
--- a/infra/base/gitea/gitea-credentials-sealed.yaml
+++ b/infra/base/gitea/gitea-credentials-sealed.yaml
--- a/infra/base/gitea/gitea-runner-token-sealed.yaml
+++ b/infra/base/gitea/gitea-runner-token-sealed.yaml
--- a/infra/base/gitea/gitea-smtp-secret-sealed.yaml
+++ b/infra/base/gitea/gitea-smtp-secret-sealed.yaml
--- a/secrets/musicman-auth-oidc-sealed.yaml
+++ b/secrets/musicman-auth-oidc-sealed.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: auth-oidc
  namespace: music-man
 spec:
  encryptedData:
    client-secret: AgAKQ24qP43Dopfb6LfH0o7RIQjK3IMjII8knmdpfL5ldXJRGaYYYQDjZJcIE5HiLoEFXKkLHm39k83l6sJ1fn1RCbbskSGmosYNenJgxOqTZdlyC911km1PVMu890N2JEqUVRQb4YTn8+1dYUglWPL+zaAki3wJ84G5uM6ZY0R7mMEp/5J8RFEeByzdTiHLtB9U2fPnBJiGdKfFN/ysnoZOLN0nAHvvnTEa4pkO2BXNrrhVl7Nje/y9IDmQntCNIHomF9Fy4bo1SpChj1vRXWbLETlMdFkRINHMVWAvemoIDv+CaHVRaaoy/XtTngqA5lyZZwiwiix+HBIDPE5HAnGE/Zqgc2L+ByR3ak33H6O6iGJoVdR79uu9PiW0iaWJwruXgSfm7Fq0KuOHNg0QzfTqsZf0jgT5RhT4apSGHZOl2g4QUkMUee6BPuFM435ZZFdOfDZw1YRdqdFvI6OJgx7+G+kwwnEa125LuBgbJzqLRVxH0LbD9HoBoEqZUB4H0V+0PUY7uVSKcpZUi0RwiLjcoHJzaJlgJdaEc9GrDhh8OvDXOxsBJcRrJDmAH5WbGLXbq7+HUknfbJFkcl6rg9bPWDah0DDf98weqUdafpn0TTt7qoOGW1z27yVApGn9bm9B7ykCa/i9QtX/6G9RTaoslTU45pYzA1Clw9ccRNxv7O+2afU5KZORZPYNXCho4K7tpR7Hw788Rj68x1GYxrZh82+s0fs/SYpvzvN6EiFxKY8R+f1azefD
    cookie-secret: AgAPJomNWVV2m8izVg8CQ78mnXP9qQaXh1WaIELv4JzwyUIcMOddDDq8PWzmAiWfV24iYj/oy9QB0jruI8+78H5nU6QsF5KB3DlZiDjzwaUeNOs1q4wPsQ/aU9JygYpWD2dYUn4pBYqQQxJyf/gJ1u6jbGMbjsO5J3kkK4RaFiTNt+A3151nmYVgWToknTPPcTaFgpH0xumhQHicO9MyaNsSKOJ1c2AeUiWHqc/0a39tuchCgq4Gm1FOKjXXfevcZw/IamnRiEegoAr5qgSPl7e1xfZeG49FJacsfpWEuQhmKGsaePTHok141VnkKHhlmFdewe3Sn+kSWJbtAx6jky0sqClUKqopVjxfj5IKwcucE0NjxxX2HXmQb/e9nY3BLQ1CRjQQVCNa+JJy6DvAbcERHs7t9T7ATXm4S5lawp9fp8UB1ySy++q4Qvmc+4/16tgugqVEths/n+gSYLWAM8Ibd42RhNXlWqjzvpAUXmHX3Dt/26wNy+5ZnRlcwOIotPBdDqQKlp3fGKc2loC2JHcyN1PH31EwY5+h4pdU/sGSU+EsPd43hALUHq3XzvibHVDQTzyerJgC77NX6kvu2W+V5iWN9LYAAVjMh5yzLYjfgoC/zzIiOIe9yRf6zJzW0nhSkdcoC8EH0lcwEEDp0d/CuO0A6AwWOBaer+tnQtjHeZse9RdKEfyisJDDa7xUNj4T9e8Z+shdkU94vladQpVP1lyRd4auXF7B+T0+1Pkmvac8wDHDk67iomi+1BpS+/2jdJUGJO+91+qIdCFLPi1Y
  template:
    metadata:
      creationTimestamp: null
      name: auth-oidc
      namespace: music-man
--- a/infra/base/renovate/renovate-env-sealed.yaml
+++ b/infra/base/renovate/renovate-env-sealed.yaml
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Danijel Simeunovic	a89f2f30ce	details	2026-04-22 22:26:57 +02:00
Danijel Simeunovic	9a7e03b794	Merge branch 'feature/cloud-agnostic' into feature/multi-cloud	2026-04-22 22:06:31 +02:00
Danijel Simeunovic	f1dd61cece	sync	2026-04-22 21:56:43 +02:00
Danijel Simeunovic	acc9bb1a85	sync	2026-04-22 21:53:44 +02:00
Danijel Simeunovic	c8c2dedea5	rename	2026-04-22 21:48:02 +02:00
Danijel Simeunovic	a471f11740	repo url	2026-04-22 14:45:23 +02:00
Danijel Simeunovic	92ddc22322	azure>aks	2026-04-22 14:42:02 +02:00
Danijel Simeunovic	7d2fb8bc0c	azure>aks	2026-04-22 14:41:42 +02:00
Danijel Simeunovic	79f9c62012	azure>aks	2026-04-22 14:35:59 +02:00
Danijel Simeunovic	dea54e469e	repo url	2026-04-22 14:34:20 +02:00
Danijel Simeunovic	333acdea26	multi-cloud overlays All checks were successful AI Code Review / ai-review (pull_request) Successful in 6s Details	2026-04-22 14:30:13 +02:00
gitea_admin	03d526208b	Merge branch 'main' into feature/cloud-agnostic All checks were successful AI Code Review / ai-review (pull_request) Successful in 7s Details	2026-04-22 12:08:08 +00:00
gitea_admin	458f7b23ad	Merge branch 'main' into feature/multi-cloud All checks were successful AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 11:55:05 +00:00
gitea_admin	41c8b85bf8	Merge branch 'main' into feature/multi-cloud All checks were successful AI Code Review / ai-review (pull_request) Successful in 26s Details	2026-04-22 11:52:22 +00:00
Danijel Simeunovic	c3f723333b	Merge branch 'feature/cloud-agnostic' of ssh://git.forteapps.net:2222/Forte/launchpad into feature/cloud-agnostic All checks were successful AI Code Review / ai-review (pull_request) Successful in 1m3s Details	2026-04-22 13:43:09 +02:00
Danijel Simeunovic	4144b1c1ac	token	2026-04-22 13:39:43 +02:00
Danijel Simeunovic	16eadbe181	Merge remote-tracking branch 'origin/main' into feature/cloud-agnostic	2026-04-22 13:38:55 +02:00
Danijel Simeunovic	4e6a84785a	token All checks were successful AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 13:37:32 +02:00
Danijel Simeunovic	e0bdaab422	multi-cloud + mcp Some checks failed AI Code Review / ai-review (pull_request) Failing after 2s Details	2026-04-22 13:34:48 +02:00
Danijel Simeunovic	230ea7ebeb	Merge branch 'main' into feature/cloud-agnostic Some checks failed AI Code Review / ai-review (pull_request) Failing after 3s Details	2026-04-22 11:33:03 +00:00
Danijel Simeunovic	cab0866e14	multi-cloud no mcp	2026-04-22 13:31:09 +02:00
		`@@ -1,2 +0,0 @@`
			`# Force LF line endings for shell scripts`
			`*.sh text eol=lf`