rbac argo

Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Reviewed-on: #14

.gitattributes

@@ -0,0 +1,2 @@
+# Force LF line endings for shell scripts
+*.sh text eol=lf

.gitea/workflows/ai-review.yaml

@@ -34,6 +34,7 @@ jobs:
       with:
         submodules: true
         fetch-depth: 0
+        token: ${{ secrets.AI_REVIEW_TOKEN }}
 
     - name: Run inline review
       uses: docker://nikitafilonov/ai-review:v0.64.0

README.md

@@ -1,9 +1,9 @@
 # Kubernetes Cluster - GitOps Configuration
 
-> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for UpCloud Managed Kubernetes
+> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for multi-cloud Kubernetes (UpCloud, AWS EKS, Azure AKS, GCP GKE)
 
 [![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/)
-[![Kubernetes](https://img.shields.io/badge/Kubernetes-UpCloud-orange)](https://upcloud.com/)
+[![Kubernetes](https://img.shields.io/badge/Kubernetes-Multi--Cloud-orange)]()
 
 ---
 
@@ -95,14 +95,26 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │   │   ├── renovate.yaml
 │   │   ├── ...                # All other Application manifests
 │   │   └── secrets.yaml
-│   ├── overlays/              # Per-cluster overrides
+│   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev cluster (uses base as-is)
+│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
-│   │   └── upc-prod/         # UpCloud Prod cluster (patches value paths)
+│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
+│   │   ├── eks-dev/           # AWS EKS Dev
+│   │   ├── eks-prod/         # AWS EKS Prod
+│   │   ├── aks-dev/        # Azure AKS Dev
+│   │   ├── aks-prod/       # Azure AKS Prod
+│   │   ├── gke-dev/          # GCP GKE Dev
+│   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
-│       ├── base/              # Shared values (all clusters)
+│       ├── base/              # Shared cloud-agnostic values
-│       ├── upc-dev/           # UpCloud Dev-specific values
+│       ├── upc-dev/           # UpCloud Dev (storage, LB, pricing)
-│       └── upc-prod/         # UpCloud Prod-specific values
+│       ├── upc-prod/         # UpCloud Prod
+│       ├── eks-dev/           # AWS EKS Dev
+│       ├── eks-prod/         # AWS EKS Prod
+│       ├── aks-dev/        # Azure AKS Dev
+│       ├── aks-prod/       # Azure AKS Prod
+│       ├── gke-dev/          # GCP GKE Dev
+│       └── gke-prod/         # GCP GKE Prod
 │
 ├── apps/                      # Business Applications
 │   ├── mcp10x.yaml
@@ -343,7 +355,6 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
-| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
 
@@ -361,7 +372,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 
 ### App-of-Apps Pattern
-`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{upc-dev,upc-prod}/` render the base Applications with per-cluster patches (e.g., swapping value file paths from `upc-dev` to `upc-prod`).
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 
 ### Multi-Source Pattern
 Applications reference both:
@@ -458,16 +469,14 @@ Documentation lives in `docs/`. To update:
 ## 📝 Notes
 
 ### Current Environment
-- **Provider**: UpCloud Managed Kubernetes
+- **Provider**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
+- **Active clusters**: UpCloud (upc-dev, upc-prod)
 - **Environment**: Production (internal use only)
-- **Clusters**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
 - **Auth**: Disabled for ArgoCD (internal access)
-- **Backup**: None (cluster rebuildable via GitOps)
+- **Backup**: Gitea daily backup to S3-compatible storage
 
 ### Known Limitations
-- No automated backups (yet)
 - Secret rotation not automated
-- Multi-cluster limited to upc-dev and upc-prod environments
 - DNS management is manual
 
 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -504,7 +513,7 @@ Internal use only. Not for public distribution.
 
 ---
 
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Documentation Version**: 1.0.0
 
 **🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!**

_app-of-apps-aks-dev.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/aks-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-aks-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/aks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-eks-dev.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-eks-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-gke-dev.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-gke-prod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

_app-of-apps-upc-prod.yaml

@@ -18,7 +18,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     path: infra/overlays/upc-prod
   destination:

apps/base/dot-ai-stack.yaml

@@ -37,7 +37,7 @@ spec:
       - $values/infra/values/base/dot-ai-stack-values.yaml
       - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
 
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     ref: values
 

bootstrap.sh

@@ -1,8 +1,9 @@
 #!/bin/zsh
+
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
 
 echo "running $0 for cluster: ${CLUSTER}..."
 
@@ -27,8 +28,8 @@ Bootstrap()
 Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
-    kubectl apply -f private/main.key
+    kubectl apply -f "private/${CLUSTER}/main.key"
 }
 
 ############################################################
@@ -36,10 +37,15 @@ Gitea()
 ############################################################
 ArgoCd()
 {
+    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
+    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
+    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
+
     # install argocd
     echo "Installing ArgoCD..."
     helm upgrade --install argocd argo-cd \
             --repo https://argoproj.github.io/argo-helm \
+            --version "7.8.0" \
             --namespace argocd --create-namespace \
             --values infra/values/base/argocd-values.yaml \
             --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -49,4 +55,4 @@ ArgoCd()
     kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
 
-# Bootstrap
+Bootstrap

cluster-resources/argocd-oidc-secret-sync.yaml

@@ -0,0 +1,83 @@
+# CronJob: syncs OIDC client secret from registrar-managed
+# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
+# Runs every 2 min. No-ops if source secret doesn't exist yet
+# (safe for fresh deploys before Keycloak is up).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-oidc-sync
+subjects:
+- kind: ServiceAccount
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+spec:
+  schedule: "*/2 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: argocd-oidc-sync
+          restartPolicy: Never
+          containers:
+          - name: sync
+            image: bitnami/kubectl:latest
+            command: ["/bin/sh", "-c"]
+            args:
+            - |
+              set -e
+
+              # Exit gracefully if source secret doesn't exist yet
+              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
+                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
+                exit 0
+              fi
+
+              # Read current OIDC client secret
+              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
+                -o jsonpath='{.data.client-secret}' | base64 -d)
+
+              # Read current value in argocd-secret (if any)
+              CURRENT=$(kubectl get secret argocd-secret -n argocd \
+                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
+
+              # Only patch if changed
+              if [ "$NEW_SECRET" = "$CURRENT" ]; then
+                echo "oidc.clientSecret already up to date"
+                exit 0
+              fi
+
+              kubectl patch secret argocd-secret -n argocd --type merge \
+                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
+              echo "Patched argocd-secret with oidc.clientSecret"

cluster-resources/argocd-repo-server-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-repo-server-config
+  namespace: argocd
+data:
+  # Disable git submodule checkout - submodules (e.g. shared-prompts)
+  # are not needed for K8s manifest generation
+  ARGOCD_GIT_MODULES_ENABLED: "false"

cluster-resources/gitea-backup-cronjob.yaml

@@ -57,17 +57,17 @@ spec:
                 - sh
                 - -c
                 - |
-                  mc alias set upcloud "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+                  mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
 
                   TIMESTAMP=$(date +%Y%m%d-%H%M%S)
                   KEY="gitea-dump-${TIMESTAMP}.zip"
                   echo "Uploading ${KEY}..."
-                  mc cp /backup/gitea-dump.zip "upcloud/${S3_BUCKET}/${KEY}" && \
+                  mc cp /backup/gitea-dump.zip "s3/${S3_BUCKET}/${KEY}" && \
                   echo "Upload complete."
 
                   # Prune backups older than 7 days
                   echo "Pruning backups older than 7 days..."
-                  mc rm --older-than 7d --force "upcloud/${S3_BUCKET}/" 2>&1 || true
+                  mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
                   echo "Pruning complete."
               envFrom:
                 - secretRef:

cluster-resources/network/deny-external-egress-trivy.yaml

@@ -1,37 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: deny-external-egress
-  namespace: trivy-system
-  labels:
-    app.kubernetes.io/managed-by: argocd
-    app.kubernetes.io/part-of: network-policies
-spec:
-  endpointSelector: {}
-  egress:
-    # Allow DNS resolution
-    - toEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: kube-system
-            k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
-
-    # Allow cluster-internal traffic (RFC1918)
-    - toCIDR:
-        - 10.0.0.0/8
-        - 172.16.0.0/12
-        - 192.168.0.0/16
-
-    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
-    - toFQDNs:
-        - matchName: ghcr.io
-        - matchName: pkg-containers.githubusercontent.com
-      toPorts:
-        - ports:
-            - port: "443"
-              protocol: TCP

cluster-resources/policies/label-checker.yaml

@@ -26,7 +26,6 @@ spec:
           - monitoring
           - secrets
           - kyverno
-          - trivy-system
     match:
       any:
       - resources:

cluster-resources/policies/secret-cloner.yaml

@@ -16,7 +16,6 @@ spec:
       - resources:
           namespaces:
           - kube-system
-          - trivy-system
           - monitoring
           - argocd
           - cert-manager

clusters/aks-dev.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations

clusters/aks-prod.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations

clusters/eks-dev.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/eks-prod.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/gke-dev.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/gke-prod.yaml

@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations

clusters/upc-dev.yaml

@@ -1,10 +1,12 @@
-clusterName: dev-fd-no-svg1
+# Cluster config reference — values must match the corresponding overlay files.
-domain: forteapps.net
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-argocdDomain: argocd.127.0.0.1.nip.io
+clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
-grafanaDomain: grafana.forteapps.net
+domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-keycloakDomain: id.forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
-dotaiDomain: kubemcp.forteapps.net
+grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
-dotaiUiDomain: kubemcpui.forteapps.net
+keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
-letsencryptEmail: danijels@gmail.com
+dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-trustedIPs: "172.16.1.0/24"
+dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-cloudProvider: upcloud
+letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

clusters/upc-prod.yaml

@@ -1,10 +1,12 @@
-clusterName: prod-fd-no-svg1
+# Cluster config reference — values must match the corresponding overlay files.
-domain: fortedigital.com
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-argocdDomain: argocd.127.0.0.1.nip.io
+clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
-grafanaDomain: grafana.fortedigital.com
+domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-keycloakDomain: id.fortedigital.com
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
-dotaiDomain: kubemcp.fortedigital.com
+grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
-dotaiUiDomain: kubemcpui.fortedigital.com
+keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
-letsencryptEmail: danijel.simeunovic@fortedigital.com
+dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-trustedIPs: "172.16.1.0/24"
+dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-cloudProvider: upcloud
+letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations

devbox.json

@@ -0,0 +1,32 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
+  "packages": [
+    "kubectl@1.33.2",
+    "kubernetes-helm@3.18.4",
+    "k9s@0.50.7",
+    "kubeseal@0.30.0",
+    "argocd@2.14.11",
+    "kubecm@0.33.1",
+    "kubectl-tree@0.4.3",
+    "kind@0.29.0",
+    "kustomize@5.7.0",
+    "kyverno@1.14.3",
+    "syft@1.29.0",
+    "grype@0.92.2",
+    "traefik@3.6.7",
+    "claude-code@latest",
+    "go@latest",
+    "dotnet-sdk@latest",
+    "opentofu@1.11.6"
+  ],
+  "shell": {
+    "init_hook": [
+      "echo 'Welcome to devbox!' > /dev/null"
+    ],
+    "scripts": {
+      "test": [
+        "echo \"Error: no test specified\" && exit 1"
+      ]
+    }
+  }
+}

docs/DEVELOPER-GUIDE.md

@@ -654,21 +654,11 @@ kubectl create secret generic myapp-credentials \
 
 #### Step 2: Seal the Secret
 
-Get the public certificate (one-time setup):
-
-```bash
-# Fetch public cert from cluster
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-```
-
 Seal your secret:
 
 ```bash
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
   < private/myapp-credentials.yaml \
   > secrets/myapp-credentials-sealed.yaml
 ```
@@ -711,7 +701,7 @@ kubectl create secret generic myapp-credentials \
 
 # 2. Seal it
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
   < private/myapp-credentials.yaml \
   > secrets/myapp-credentials-sealed.yaml
 

docs/GITOPS-ARCHITECTURE.md

@@ -12,11 +12,11 @@
 
 ## Overview
 
-This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on **UpCloud Managed Kubernetes** but is designed to be cloud-agnostic.
+This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster setup is **cloud-agnostic**, with ready-to-use configurations for **UpCloud**, **AWS EKS**, **Azure AKS**, and **GCP GKE**.
 
 ### Key Characteristics
 - **Environment**: Production (internal use only)
-- **Cluster Type**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
+- **Cluster Type**: Multi-cloud, multi-cluster via Kustomize overlays (UpCloud, AWS, Azure, GCP)
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
@@ -63,7 +63,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                         ▼
                                            ┌────────────────────────────────┐
                                            │   Kubernetes Clusters          │
-                                           │   (UpCloud: upc-dev, upc-prod) │
+                                           │   (UpCloud, AWS, Azure, GCP)    │
                                            │                                │
                                            │  ┌──────────────────────────┐  │
                                            │  │    ArgoCD                │  │
@@ -131,26 +131,22 @@ launchpad/
 │   │   ├── renovate.yaml
 │   │   ├── ...                       # All other Application manifests
 │   │   └── secrets.yaml
-│   ├── overlays/                     # Per-cluster overrides
+│   ├── overlays/                     # Per-cluster Kustomize overrides
 │   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   │   └── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
+│   │   ├── eks-dev/                  # AWS EKS Dev
+│   │   ├── eks-prod/                # AWS EKS Prod
+│   │   ├── aks-dev/               # Azure AKS Dev
+│   │   ├── aks-prod/              # Azure AKS Prod
+│   │   ├── gke-dev/                 # GCP GKE Dev
+│   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
-│       ├── base/                     # Shared values (all clusters)
+│       ├── base/                     # Cloud-agnostic shared values
-│       │   ├── traefik-values.yaml
+│       ├── upc-{dev,prod}/           # UpCloud: storage class, LB, pricing
-│       │   ├── keycloak-values.yaml
+│       ├── aws-{dev,prod}/           # AWS: gp3, NLB, CUR pricing
-│       │   ├── grafana-values.yaml
+│       ├── aks-{dev,prod}/         # Azure: managed-csi-premium, Standard LB
-│       │   ├── prometheus-values.yaml
+│       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
-│       │   ├── gitea-values.yaml
-│       │   └── ...
-│       ├── upc-dev/                  # upc-dev cluster-specific values
-│       │   ├── traefik-values.yaml
-│       │   ├── keycloak-values.yaml
-│       │   └── grafana-values.yaml
-│       └── upc-prod/                # upc-prod cluster-specific values
-│           ├── traefik-values.yaml
-│           ├── keycloak-values.yaml
-│           └── grafana-values.yaml
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
 │   ├── base/                         # Base app manifests
@@ -287,7 +283,7 @@ app-repository/
 ### The App-of-Apps Pattern
 
 ```
-_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
+_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, eks-prod, gke-dev)
     │
     ├── infrastructure-apps (manages infra/)
     │   ├── cluster-resources-application
@@ -377,6 +373,15 @@ patches:
       value: $values/infra/values/upc-prod/traefik-values.yaml
 ```
 
+Cloud-specific values (storage classes, load balancer annotations, cost model) are isolated in per-cluster value files. Base values are fully cloud-agnostic:
+
+| Cloud | Storage Class | Load Balancer | OpenCost Provider |
+|-------|--------------|---------------|-------------------|
+| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud LB (ProxyProtocol v2) | Custom pricing |
+| **AWS EKS** | `gp3` (EBS CSI) | NLB (ProxyProtocol v2) | AWS CUR |
+| **Azure AKS** | `managed-csi-premium` | Standard LB (`externalTrafficPolicy: Local`) | Azure Billing API |
+| **GCP GKE** | `premium-rwo` (PD CSI) | L4 passthrough NLB | GCP Cloud Billing |
+
 **Benefits**:
 - Single source of truth for Application definitions
 - Cluster-specific values isolated per overlay
@@ -658,6 +663,6 @@ Notifications include:
 
 ---
 
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Questions?**: Contact #platform-support on Slack

docs/OPERATIONS-RUNBOOK.md

@@ -37,7 +37,7 @@ Bootstrap a new cluster from scratch:
 
 #### Prerequisites
 
-1. **Kubernetes cluster running** (UpCloud or any K8s cluster)
+1. **Kubernetes cluster running** (UpCloud, AWS EKS, Azure AKS, GCP GKE, or any K8s cluster)
 2. **kubectl configured** with admin access
 3. **Repositories cloned** locally
 
@@ -54,11 +54,13 @@ kubectl get nodes
 git clone https://git.forteapps.net/Forte/launchpad
 cd launchpad
 
-# 2. Set cluster name (optional)
+# 2. Run bootstrap script with cluster target
-export CLUSTER_NAME="prod-cluster-01"
+# Available clusters: upc-dev, upc-prod, eks-dev, eks-prod,
+#                     aks-dev, aks-prod, gke-dev, gke-prod
+./bootstrap.sh upc-dev
 
-# 3. Run bootstrap script
+# Cluster config is loaded from clusters/<cluster>.yaml
-./bootstrap.sh
+# (cloudProvider, trustedIPs, domain, etc.)
 ```
 
 **What Happens:**
@@ -1262,13 +1264,21 @@ spec:
 
 ### Backup Strategy
 
-**Current State**: No automated backups
+**Current State**: Gitea daily backups to S3-compatible storage
 
-**What Needs Backup**:
+**What Is Backed Up**:
-- ❌ Cluster state (not backed up - recreate via GitOps)
+- ✅ Gitea repositories + database: Daily CronJob (`cluster-resources/gitea-backup-cronjob.yaml`) uploads to S3-compatible storage with 7-day retention
-- ❌ Persistent volumes (currently not critical)
+- ✅ Git repositories: Full cluster config recoverable from Git
-- ✅ Git repositories (Gitea provides backup)
+- ⚠️ Secrets: Sealed secrets in Git; unseal keys need safekeeping
-- ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
+
+**What Is NOT Backed Up**:
+- ❌ Cluster state (recreate via GitOps)
+- ❌ Other persistent volumes (Prometheus, Loki, Tempo data)
+
+**Per-cloud backup scripts** (manual restore helpers):
+- UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-eks.sh` (MinIO CLI, S3-compatible)
+- Azure: `scripts/gitea-backup-aks.sh` (Azure CLI + Blob Storage)
+- GCP: `scripts/gitea-backup-gke.sh` (gsutil + GCS)
 
 ### Cluster Rebuild
 
@@ -1370,6 +1380,9 @@ kubectl get pods -n argocd
 
 ```bash
 # UpCloud: Upgrade via control panel or CLI
+# AWS EKS: eksctl upgrade cluster / AWS Console
+# Azure AKS: az aks upgrade / Azure Portal
+# GCP GKE: gcloud container clusters upgrade / Cloud Console
 
 # After upgrade, verify cluster
 kubectl version
@@ -1507,18 +1520,35 @@ git push
 
 ### Multi-Cluster Setup
 
-The repository supports multiple clusters via Kustomize overlays:
+The repository supports multiple clusters across multiple clouds via Kustomize overlays:
 
+**Active clusters:**
 - **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
 - **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
 
-Each cluster has its own:
+**Cloud-ready templates (fill in `clusters/*.yaml` before use):**
-- Root app-of-apps file: `_app-of-apps-upc-dev.yaml` / `_app-of-apps-upc-prod.yaml`
+- **eks-dev** / **eks-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
-- Cluster-specific Helm values: `infra/values/upc-dev/` / `infra/values/upc-prod/`
+- **aks-dev** / **aks-prod**: Azure AKS with Standard LB, managed-csi-premium storage
-- Sealed secrets: `secrets/upc-dev/` (others as needed)
+- **gke-dev** / **gke-prod**: GCP GKE with L4 LB, premium-rwo storage
-- Apps overlay: `apps/overlays/upc-dev/` / `apps/overlays/upc-prod/`
 
-To add a new cluster, create a new overlay directory (e.g., `infra/overlays/upc-staging/`) with patches that swap the value file paths.
+Each cluster has its own:
+- Root app-of-apps: `_app-of-apps-{cluster}.yaml`
+- Cluster config: `clusters/{cluster}.yaml` (domain, trustedIPs, cloudProvider)
+- Kustomize overlay: `infra/overlays/{cluster}/kustomization.yaml`
+- Helm value overrides: `infra/values/{cluster}/` (traefik, gitea, opencost)
+- Sealed secrets: `secrets/{cluster}/` (as needed)
+- Apps overlay: `apps/overlays/{cluster}/`
+
+Cloud-specific values handled per-cluster:
+
+| Concern | UpCloud | AWS EKS | Azure AKS | GCP GKE |
+|---------|---------|---------|-----------|---------|
+| **Storage class** | `upcloud-block-storage-maxiops` | `gp3` | `managed-csi-premium` | `premium-rwo` |
+| **Load balancer** | UpCloud LB + ProxyProtocol v2 | NLB + ProxyProtocol v2 | Standard LB + `externalTrafficPolicy: Local` | L4 passthrough NLB |
+| **Cost monitoring** | Custom pricing | AWS CUR | Azure Billing API | GCP Cloud Billing |
+| **Backup storage** | UpCloud S3-compat | AWS S3 (native) | Azure Blob Storage | GCS |
+
+To add a new cluster, create a new overlay directory (e.g., `infra/overlays/eks-staging/`) with patches that swap the value file paths, and a matching `clusters/eks-staging.yaml`.
 
 ### Blue-Green Deployments
 
@@ -1661,6 +1691,6 @@ echo "Remember to delete: $SECRET_FILE"
 
 ---
 
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Emergency Contact**: #platform-support on Slack

docs/README.md

@@ -180,7 +180,7 @@ Reference for:
                             │
                             ▼
 ┌──────────────────────────────────────────────────────────────┐
-│          Kubernetes Clusters (UpCloud: upc-dev, upc-prod)     │
+│          Kubernetes Clusters (UpCloud, AWS, Azure, GCP)       │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies
 
 - **GitOps**: ArgoCD
-- **Kubernetes**: UpCloud Managed Kubernetes (multi-cluster: upc-dev, upc-prod)
+- **Kubernetes**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno
@@ -299,11 +299,16 @@ docs/
 ## 🔄 Documentation Versions
 
 **Current Version**: 1.0.0
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 
 ### Changelog
 
+- **v1.1.0 (2026-04-22)**: Multi-cloud support
+  - Cloud-agnostic base values (storage, LB, pricing moved to per-cluster overlays)
+  - Added AWS EKS, Azure AKS, GCP GKE configurations
+  - Per-cloud backup scripts
+  - Updated all documentation
 - **v1.0.0 (2026-03-16)**: Initial comprehensive documentation release
   - GitOps Architecture guide
   - Developer Onboarding guide

docs/REFERENCE.md

@@ -9,6 +9,7 @@
 - [Kyverno Policies](#kyverno-policies)
 - [Configuration Reference](#configuration-reference)
 - [API Endpoints](#api-endpoints)
+- [Cloud Overlay Pattern](#cloud-overlay-pattern)
 - [Glossary](#glossary)
 
 ---
@@ -19,9 +20,10 @@
 
 | Component | Value |
 |-----------|-------|
-| **Provider** | UpCloud Managed Kubernetes |
+| **Provider** | Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) |
-| **Environment** | Production (internal use) |
+| **Environment** | Dev + Production per cloud |
-| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
+| **Active clusters** | UpCloud (upc-dev, upc-prod) |
+| **Cloud-ready templates** | EKS, AKS, GKE (dev + prod each) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -42,7 +44,7 @@ Internet
 [DNS: *.forteapps.net]
    │
    ▼
-[UpCloud LoadBalancer]
+[Cloud Load Balancer]
    │
    ▼
 [Traefik Ingress Controller]
@@ -86,22 +88,39 @@ launchpad/
 │   ├── loki.yaml
 │   ├── tempo.yaml
 │   ├── fluent-bit.yaml
-│   ├── trivy.yaml
 │   ├── gitea.yaml
 │   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
 │   ├── secrets.yaml
 │   ├── renovate.yaml
+│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
+│   │   ├── gitea.yaml
+│   │   ├── opencost.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   └── ...
+│   ├── overlays/
+│   │   └── upc-prod/
+│   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
-│       ├── argocd-values.yaml
+│       ├── base/                   # Cloud-agnostic Helm values
-│       ├── prometheus-values.yaml
+│       │   ├── gitea-values.yaml
+│       │   ├── opencost-values.yaml
+│       │   ├── prometheus-values.yaml
+│       │   └── ...
+│       ├── upc-dev/               # UpCloud dev overlay values
+│       │   ├── traefik-values.yaml
+│       │   ├── keycloak-values.yaml
+│       │   ├── grafana-values.yaml
+│       │   ├── gitea-values.yaml
+│       │   └── opencost-values.yaml
+│       └── upc-prod/              # UpCloud prod overlay values
+│           ├── traefik-values.yaml
+│           ├── keycloak-values.yaml
 │           ├── grafana-values.yaml
-│       ├── loki-values.yaml
-│       ├── tempo-values.yaml
 │           ├── gitea-values.yaml
-│       ├── gitea-actions-values.yaml
+│           └── opencost-values.yaml
-│       ├── fluent-bit-values.yaml
-│       └── renovate-values.yaml
 │
 ├── apps/                          # Business applications
 │   ├── mcp10x.yaml
@@ -128,12 +147,39 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── argocd-mcp-credentials.yaml
+│   ├── base/                     # All SealedSecrets (shared across clouds)
-│   ├── dot-ai-secrets.yaml
+│   │   ├── kustomization.yaml
-│   ├── gitea-credentials-sealed.yaml
+│   │   ├── argocd-forte-helm-secret-sealed.yaml
-│   ├── gitea-runner-token-sealed.yaml
+│   │   ├── argocd-mcp-credentials.yaml
-│   ├── mcp10x-credentials-sealed.yaml
+│   │   ├── argocdmcp-auth-oidc-sealed.yaml
-│   └── musicman-credentials.yaml
+│   │   ├── dot-ai-secrets.yaml
+│   │   ├── forte10x-app-credentials-sealed.yaml
+│   │   ├── gitea-backup-s3-sealed.yaml
+│   │   ├── gitea-credentials-sealed.yaml
+│   │   ├── gitea-runner-token-sealed.yaml
+│   │   ├── gitea-smtp-secret-sealed.yaml
+│   │   ├── keycloak-credentials-sealed.yaml
+│   │   ├── musicman-auth-oidc-sealed.yaml
+│   │   ├── musicman-credentials.yaml
+│   │   └── renovate-env-sealed.yaml
+│   └── overlays/                 # Per-cloud overlays (reference base)
+│       ├── aks-dev/kustomization.yaml
+│       ├── aks-prod/kustomization.yaml
+│       ├── eks-dev/kustomization.yaml
+│       ├── eks-prod/kustomization.yaml
+│       ├── gke-dev/kustomization.yaml
+│       ├── gke-prod/kustomization.yaml
+│       ├── upc-dev/kustomization.yaml
+│       └── upc-prod/kustomization.yaml
+│
+├── scripts/                       # Operational helper scripts
+│   ├── gitea-backup.sh            # S3 backup helper (list/download)
+│   ├── gitea-restore.sh
+│   └── backup/                    # Per-cloud backup reference scripts
+│       ├── s3-minio.sh            # S3-compatible (UpCloud, MinIO, Wasabi)
+│       ├── aws-s3.sh              # Native AWS S3
+│       ├── azure-blob.sh          # Azure Blob Storage
+│       └── gcp-gcs.sh             # GCP Cloud Storage
 │
 ├── private/                       # Local-only (Git-ignored)
 │   ├── *.yaml
@@ -608,8 +654,70 @@ retry:
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
+
+**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
+```yaml
+configs:
+  params:
+    "reposerver.enable.git.submodule": "false"
+```
+This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+
+**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
+```bash
+# Enable admin login
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+# Log in as admin, do what's needed, then disable again
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
+```
+ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
+
+**OIDC Authentication** (Keycloak):
+```yaml
+configs:
+  cm:
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbacConfig:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+      g, ArgoCD Viewers, role:readonly
+    # Deny users not in any declared KC group
+    policy.default: ""
+    scopes: '[groups]'
+```
+
+**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
+
+- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
+- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
+- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
+- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
+- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
+- Safe for fresh deploys: no-ops if source secret doesn't exist yet
+
+**Ingress** (Traefik + TLS):
+```yaml
+server:
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
+  extraArgs:
+  - --insecure
+configs:
+  params:
+    "server.insecure": true
+```
+TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 
 ---
 
@@ -686,6 +794,10 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`
 
+**Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
+
+To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
+
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -726,6 +838,15 @@ kubeStateMetrics:
 - Loki
 - Tempo
 
+**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
+
+**OIDC Authentication** (Keycloak):
+- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
+- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
+- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
+- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
+- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
+
 ### Loki
 
 **Chart**: `grafana/loki-stack`
@@ -1602,14 +1723,22 @@ Recommended resource allocation:
 
 ### Storage Classes
 
-Default storage class used: **UpCloud default** (varies by provider)
+Storage classes are cloud-specific and configured in per-cluster value overrides (`infra/values/{cluster}/gitea-values.yaml`):
+
+| Cloud | Storage Class | Driver |
+|-------|--------------|--------|
+| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud CSI |
+| **AWS EKS** | `gp3` | EBS CSI |
+| **Azure AKS** | `managed-csi-premium` | Azure Disk CSI |
+| **GCP GKE** | `premium-rwo` | PD CSI |
 
 ```yaml
+# Example: base values omit storageClass (set in per-cluster overlay)
 persistence:
   enabled: true
-  storageClass: ""     # Uses default
   accessMode: ReadWriteOnce
   size: 5Gi
+  # storageClass set by infra/values/{cluster}/gitea-values.yaml
 ```
 
 ---
@@ -1673,6 +1802,88 @@ POST /loki/api/v1/push
 
 ---
 
+## Cloud Overlay Pattern
+
+### Overview
+
+Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. Adding a new cloud provider only requires a new overlay directory — no base changes.
+
+### Supported Clouds
+
+| Cloud | Dev overlay | Prod overlay | StorageClass | LB type |
+|-------|-----------|-------------|-------------|---------|
+| **UpCloud** | `upc-dev` | `upc-prod` | `upcloud-block-storage-maxiops` | UpCloud LB (proxy protocol v2) |
+| **Azure AKS** | `aks-dev` | `aks-prod` | `managed-csi-premium` | Azure LB |
+| **AWS EKS** | `eks-dev` | `eks-prod` | `gp3` | AWS NLB (proxy protocol) |
+| **GCP GKE** | `gke-dev` | `gke-prod` | `premium-rwo` | GCP NEG |
+
+Bootstrap any cluster with: `./bootstrap.sh <cluster>` (e.g., `./bootstrap.sh aks-dev`)
+
+### How It Works
+
+Each ArgoCD Application uses **multi-source Helm values** with two value files:
+
+```yaml
+# infra/base/gitea.yaml (example)
+helm:
+  valueFiles:
+  - $values/infra/values/base/gitea-values.yaml      # [0] cloud-agnostic
+  - $values/infra/values/upc-dev/gitea-values.yaml    # [1] cloud-specific (default: upc-dev)
+```
+
+The `upc-prod` Kustomize overlay patches index `[1]` to swap the cloud-specific file:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+```
+
+### Components Using Cloud Overlays
+
+| Component | Cloud-specific config | Overlay value file |
+|-----------|----------------------|-------------------|
+| **Traefik** | LB annotations, proxy protocol IPs | `traefik-values.yaml` |
+| **Keycloak** | Hostname, TLS settings | `keycloak-values.yaml` |
+| **Grafana** | Hostname, datasource URLs | `grafana-values.yaml` |
+| **Gitea** | StorageClass (persistence + PostgreSQL) | `gitea-values.yaml` |
+| **OpenCost** | Custom pricing model (CPU/RAM/storage rates) | `opencost-values.yaml` |
+
+### Backup CronJob
+
+The `gitea-backup` CronJob uses a generic `s3` alias for `minio/mc`. The actual endpoint and credentials come from the `gitea-backup-s3` Sealed Secret, which is per-cloud. Reference scripts for different cloud providers are in `scripts/backup/`:
+
+| Script | Provider | Tool |
+|--------|----------|------|
+| `s3-minio.sh` | S3-compatible (UpCloud, MinIO, Wasabi) | `minio/mc` |
+| `aws-s3.sh` | AWS S3 | `aws` CLI |
+| `azure-blob.sh` | Azure Blob Storage | `az` CLI |
+| `gcp-gcs.sh` | GCP Cloud Storage | `gsutil` |
+
+### Adding a New Cloud Provider
+
+To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
+
+1. **Cluster config**: `clusters/oci-dev.yaml` — clusterName, domain, trustedIPs, cloudProvider
+2. **Overlay value files** in `infra/values/oci-dev/`:
+   - `traefik-values.yaml` — LB annotations, proxy protocol config
+   - `keycloak-values.yaml` — hostname
+   - `grafana-values.yaml` — hostname
+   - `gitea-values.yaml` — `storageClass` for persistence + PostgreSQL
+   - `opencost-values.yaml` — pricing model or cloud billing integration
+3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
+4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
+5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+7. **Bootstrap**: `./bootstrap.sh oci-dev`
+
+---
+
 ## Glossary
 
 ### Terms
@@ -1805,6 +2016,6 @@ team: platform
 
 ---
 
-**Last Updated**: 2026-04-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Version**: 1.0.0

infra/base/gitea.yaml

@@ -22,6 +22,7 @@ spec:
       releaseName: gitea
       valueFiles:
       - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/upc-dev/gitea-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/base/keycloak.yaml

@@ -15,7 +15,7 @@ spec:
   project: default
 
   sources:
-  - repoURL: https://charts.bitnami.com/bitnami
+  - repoURL: registry-1.docker.io/bitnamicharts
     chart: keycloak
     targetRevision: "25.2.0"
     helm:
@@ -47,3 +47,7 @@ spec:
     kind: CronJob
     jsonPointers:
     - /spec/jobTemplate/spec/template/spec/containers/0/args
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/base/kustomization.yaml

@@ -10,7 +10,6 @@ resources:
 - prometheus.yaml
 - loki.yaml
 - fluent-bit.yaml
-- trivy.yaml
 - enterprise-apps.yaml
 - cluster-resources-application.yaml
 - kyverno-policies.yaml

infra/base/opencost.yaml

@@ -22,8 +22,9 @@ spec:
       releaseName: opencost
       valueFiles:
       - $values/infra/values/base/opencost-values.yaml
+      - $values/infra/values/upc-dev/opencost-values.yaml
 
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     ref: values
 

infra/base/secrets.yaml

@@ -18,7 +18,7 @@ spec:
   project: default
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets/upc-dev
+    path: secrets/overlays/upc-dev
   destination:
     server: https://kubernetes.default.svc
     namespace: secrets

infra/base/traefik-application.yaml

@@ -31,7 +31,7 @@ spec:
       - $values/infra/values/base/traefik-values.yaml
       - $values/infra/values/upc-dev/traefik-values.yaml
 
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
     ref: values
 

infra/base/trivy.yaml

@@ -1,67 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: trivy-system
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: trivy-operator
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: trivy-operator
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: https://aquasecurity.github.io/helm-charts
-    chart: trivy-operator
-    targetRevision: 0.31.0
-    helm:
-      releaseName: trivy-operator
-      valuesObject:
-        operator:
-          targetNamespaces: ""
-          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
-          scanJobsInSameNamespace: true
-          metricsVulnIdEnabled: true
-          metricsImageInfo: true
-        trivy:
-          ignoreUnfixed: false
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: trivy-system
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
-
-  ignoreDifferences:
-  - group: apiextensions.k8s.io
-    kind: CustomResourceDefinition
-    jsonPointers:
-    - /metadata/labels
-    - /metadata/annotations
-    - /metadata/finalizers

infra/dashboards/kustomization.yaml

@@ -8,9 +8,6 @@ generatorOptions:
     grafana_dashboard: "1"
 
 configMapGenerator:
-- name: grafana-dashboard-trivy
-  files:
-  - trivy.json
 - name: grafana-dashboard-traefik-loki
   files:
   - traefik-loki.json

infra/overlays/aks-dev/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/opencost-values.yaml
+
+# Secrets: change path to aks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-dev
+
+# Enterprise-apps: point to aks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-dev

infra/overlays/aks-prod/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/opencost-values.yaml
+
+# Secrets: change path to aks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-prod
+
+# Enterprise-apps: point to aks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-prod

infra/overlays/eks-dev/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/opencost-values.yaml
+
+# Secrets: change path to eks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-dev
+
+# Enterprise-apps: point to eks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-dev

infra/overlays/eks-prod/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/opencost-values.yaml
+
+# Secrets: change path to eks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-prod
+
+# Enterprise-apps: point to eks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-prod

infra/overlays/gke-dev/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/traefik-values.yaml
+
+# Keycloak: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/grafana-values.yaml
+
+# Gitea: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/opencost-values.yaml
+
+# Secrets: change path to gke-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-dev
+
+# Enterprise-apps: point to gke-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-dev

infra/overlays/gke-prod/kustomization.yaml

@@ -0,0 +1,68 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/traefik-values.yaml
+
+# Keycloak: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/grafana-values.yaml
+
+# Gitea: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/opencost-values.yaml
+
+# Secrets: change path to gke-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-prod
+
+# Enterprise-apps: point to gke-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-prod

infra/overlays/upc-prod/kustomization.yaml

@@ -31,6 +31,24 @@ patches:
       path: /spec/sources/0/helm/valueFiles/1
       value: $values/infra/values/upc-prod/grafana-values.yaml
 
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/opencost-values.yaml
+
 # Secrets: change path to upc-prod
 - target:
     kind: Application
@@ -38,7 +56,7 @@ patches:
   patch: |
     - op: replace
       path: /spec/source/path
-      value: secrets/upc-prod
+      value: secrets/overlays/upc-prod
 
 # Enterprise-apps: point to upc-prod overlay
 - target:

infra/values/aks-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# AKS-specific: Azure managed disk storage class
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium

infra/values/aks-dev/grafana-values.yaml

@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/aks-dev/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net

infra/values/aks-dev/opencost-values.yaml

@@ -0,0 +1,8 @@
+# AKS-specific: Azure pricing via Cloud Billing API
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    azure:
+      secretName: opencost-azure-billing

infra/values/aks-dev/traefik-values.yaml

@@ -0,0 +1,11 @@
+# AKS-specific: Azure Load Balancer for Traefik
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/aks-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# AKS-specific: Azure managed disk storage class (prod)
+persistence:
+  storageClass: managed-csi-premium
+postgresql:
+  primary:
+    persistence:
+      storageClass: managed-csi-premium

infra/values/aks-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/aks-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/aks-prod/opencost-values.yaml

@@ -0,0 +1,8 @@
+# AKS-specific: Azure pricing via Cloud Billing API (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    azure:
+      secretName: opencost-azure-billing

infra/values/aks-prod/traefik-values.yaml

@@ -0,0 +1,12 @@
+# AKS-specific: Azure Load Balancer for Traefik (prod)
+service:
+  annotations:
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/base/argocd-values.yaml

@@ -2,25 +2,40 @@ configs:
   secret:
     createSecret: true
     argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
+    # oidc.clientSecret managed by argocd-oidc-sync CronJob
+    # (reads from argocd-oidc-credentials, patches argocd-secret)
   ssh:
     knownHosts: |
       [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
-    admin.enabled: "true"
+    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "false"
+    url: https://argocd.forteapps.net
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbac:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+      g, ArgoCD Viewers, role:readonly
+    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
+    policy.default: ""
+    scopes: '[groups]'
   params:
     "server.insecure": true
-repoServer:
+    "reposerver.enable.git.submodule": "false"
-  env:
-  # Disable git submodule checkout - submodules (e.g. shared-prompts)
-  # are not needed for K8s manifest generation
-  - name: ARGOCD_GIT_MODULES_ENABLED
-    value: "false"
 server:
   ingress:
-    enabled: false
+    enabled: true
-    ingressClassName: nginx
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
   extraArgs:
   - --insecure
 

infra/values/base/gitea-values.yaml

@@ -77,7 +77,7 @@ gitea:
       FROM: "noreply@fortedigital.com"
 
     admin:
-      DEFAULT_EMAIL_NOTIFICATIONS: enabled
+      DEFAULT_EMAIL_NOTIFICATIONS: onmention
 
   # -- SMTP credentials injected from secret (USER and PASSWD)
   additionalConfigFromEnvs:
@@ -98,7 +98,7 @@ gitea:
     existingSecret: gitea-oidc-credentials
     key: gitea
     autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "openid email profile organization"
+    scopes: "email profile organization"
     groupClaimName: "groups"
     adminGroup: ""
     restrictedGroup: ""
@@ -130,7 +130,6 @@ persistence:
   size: 10Gi
   accessModes:
   - ReadWriteOnce
-  storageClass: upcloud-block-storage-maxiops
 
 # -- Recreate strategy to avoid Multi-Attach errors with RWO volumes
 strategy:
@@ -156,7 +155,6 @@ postgresql:
     persistence:
       enabled: true
       size: 8Gi
-      storageClass: upcloud-block-storage-maxiops
     resources:
       requests:
         cpu: 100m

infra/values/base/grafana-values.yaml

@@ -1,5 +1,13 @@
 ingress:
   enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+  - secretName: grafana-tls
+    hosts:
+    - grafana.forteapps.net
+
 resources:
   requests:
     cpu: 50m
@@ -11,6 +19,29 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 
+envFromSecrets:
+- name: grafana-oidc-credentials
+
+grafana.ini:
+  server:
+    root_url: https://grafana.forteapps.net
+  auth.generic_oauth:
+    enabled: true
+    name: Forte SSO
+    allow_sign_up: true
+    client_id: ${client-id}
+    client_secret: ${client-secret}
+    scopes: openid email profile
+    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
+    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
+    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
+    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
+    role_attribute_strict: true
+    allow_assign_grafana_admin: true
+    auto_login: true
+  auth:
+    disable_login_form: true
+
 datasources:
   datasources.yaml:
     apiVersion: 1

infra/values/base/keycloak-values.yaml

@@ -75,7 +75,6 @@ keycloakConfigCli:
             "publicClient": false,
             "redirectUris": ["https://git.forteapps.net/*"],
             "webOrigins": ["https://git.forteapps.net"],
-            "defaultClientScopes": ["openid", "email", "profile"],
             "attributes": {
               "k8s.secret.sync": "true",
               "k8s.secret.namespace": "gitea",
@@ -98,6 +97,84 @@ keycloakConfigCli:
                 }
               }
             ]
+          },
+          {
+            "clientId": "grafana",
+            "name": "Grafana",
+            "enabled": true,
+            "protocol": "openid-connect",
+            "clientAuthenticatorType": "client-secret",
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": false,
+            "redirectUris": ["https://grafana.forteapps.net/*"],
+            "webOrigins": ["https://grafana.forteapps.net"],
+            "attributes": {
+              "k8s.secret.sync": "true",
+              "k8s.secret.namespace": "monitoring",
+              "k8s.secret.name": "grafana-oidc-credentials",
+              "k8s.secret.client-id-key": "client-id",
+              "k8s.secret.client-secret-key": "client-secret"
+            },
+            "protocolMappers": [
+              {
+                "name": "client-roles",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-usermodel-client-role-mapper",
+                "config": {
+                  "claim.name": "resource_access.grafana.roles",
+                  "jsonType.label": "String",
+                  "multivalued": "true",
+                  "usermodel.clientRoleMapping.clientId": "grafana",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
+                }
+              }
+            ]
+          },
+          {
+            "clientId": "argocd",
+            "name": "ArgoCD",
+            "enabled": true,
+            "protocol": "openid-connect",
+            "clientAuthenticatorType": "client-secret",
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": false,
+            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
+            "webOrigins": ["https://argocd.forteapps.net"],
+            "attributes": {
+              "k8s.secret.sync": "true",
+              "k8s.secret.namespace": "argocd",
+              "k8s.secret.name": "argocd-oidc-credentials",
+              "k8s.secret.client-id-key": "client-id",
+              "k8s.secret.client-secret-key": "client-secret"
+            },
+            "protocolMappers": [
+              {
+                "name": "groups",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-group-membership-mapper",
+                "config": {
+                  "claim.name": "groups",
+                  "full.path": "false",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
+                }
+              }
+            ]
+          }
+        ],
+        "groups": [
+          {
+            "name": "ArgoCD Admins",
+            "path": "/ArgoCD Admins"
+          },
+          {
+            "name": "ArgoCD Viewers",
+            "path": "/ArgoCD Viewers"
           }
         ]
       }
@@ -116,12 +193,12 @@ extraDeploy:
   metadata:
     name: keycloak-client-registrar
   rules:
-  - apiGroups: [""]
+  - apiGroups: [ "" ]
-    resources: ["secrets"]
+    resources: [ "secrets" ]
-    verbs: ["get", "list", "create", "update", "patch"]
+    verbs: [ "get", "list", "create", "update", "patch" ]
-  - apiGroups: [""]
+  - apiGroups: [ "" ]
-    resources: ["namespaces"]
+    resources: [ "namespaces" ]
-    verbs: ["get", "list"]
+    verbs: [ "get", "list" ]
 
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
@@ -158,7 +235,7 @@ extraDeploy:
             containers:
             - name: registrar
               image: alpine:3.20
-              command: ["/bin/sh", "-c"]
+              command: [ "/bin/sh", "-c" ]
               args:
               - |
                 set -e

infra/values/base/opencost-values.yaml

@@ -10,18 +10,8 @@ opencost:
         serviceName: prometheus-server
         namespaceName: monitoring
         port: 80
-    customPricing:
+    # Cloud-specific pricing is in per-cluster value overrides
-      enabled: true
+    # (e.g. infra/values/upc-dev/opencost-values.yaml)
-      provider: custom
-      costModel:
-        description: "UpCloud 4-node cluster pricing"
-        CPU: "5.86"
-        RAM: "1.46"
-        GPU: "0"
-        storage: "0.34"
-        zoneNetworkEgress: "0"
-        regionNetworkEgress: "0"
-        internetNetworkEgress: "0"
   ui:
     enabled: false
 service:

infra/values/base/prometheus-values.yaml

@@ -36,28 +36,6 @@ extraScrapeConfigs: |
       - source_labels: [__meta_kubernetes_namespace]
         target_label: namespace
 
-  - job_name: trivy-operator
-    scrape_interval: 30s
-    metrics_path: /metrics
-    kubernetes_sd_configs:
-      - role: pod
-        namespaces:
-          names:
-            - trivy-system
-    relabel_configs:
-      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
-        regex: trivy-operator
-        action: keep
-      - source_labels: [__meta_kubernetes_pod_container_port_number]
-        regex: "8080"
-        action: keep
-      - source_labels: [__meta_kubernetes_pod_name]
-        target_label: pod
-      - source_labels: [__meta_kubernetes_namespace]
-        target_label: namespace
-      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
-        target_label: instance
-
   - job_name: traefik
     scrape_interval: 15s
     metrics_path: /metrics

infra/values/eks-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# EKS-specific: gp3 storage class
+persistence:
+  storageClass: gp3
+postgresql:
+  primary:
+    persistence:
+      storageClass: gp3

infra/values/eks-dev/grafana-values.yaml

@@ -0,0 +1,4 @@
+# EKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/eks-dev/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# EKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net

infra/values/eks-dev/opencost-values.yaml

@@ -0,0 +1,11 @@
+# EKS-specific: AWS pricing via Cost and Usage Report
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    aws:
+      spot_data_region: ""
+      spot_data_bucket: ""
+      spot_data_prefix: ""
+      account_id: ""

infra/values/eks-dev/traefik-values.yaml

@@ -0,0 +1,17 @@
+# EKS-specific: AWS NLB for Traefik
+service:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/eks-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# EKS-specific: gp3 storage class (prod)
+persistence:
+  storageClass: gp3
+postgresql:
+  primary:
+    persistence:
+      storageClass: gp3

infra/values/eks-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# EKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/eks-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# EKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/eks-prod/opencost-values.yaml

@@ -0,0 +1,11 @@
+# EKS-specific: AWS pricing via Cost and Usage Report (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    aws:
+      spot_data_region: ""
+      spot_data_bucket: ""
+      spot_data_prefix: ""
+      account_id: ""

infra/values/eks-prod/traefik-values.yaml

@@ -0,0 +1,18 @@
+# EKS-specific: AWS NLB for Traefik (prod)
+service:
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/8"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/gke-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# GKE-specific: SSD persistent disk storage class
+persistence:
+  storageClass: premium-rwo
+postgresql:
+  primary:
+    persistence:
+      storageClass: premium-rwo

infra/values/gke-dev/grafana-values.yaml

@@ -0,0 +1,4 @@
+# GKE-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/gke-dev/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# GKE-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net

infra/values/gke-dev/opencost-values.yaml

@@ -0,0 +1,10 @@
+# GKE-specific: GCP pricing via BigQuery billing export
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    google:
+      key: ""
+      project_id: ""
+      billing_account: ""

infra/values/gke-dev/traefik-values.yaml

@@ -0,0 +1,12 @@
+# GKE-specific: Google Cloud Load Balancer for Traefik
+service:
+  annotations:
+    cloud.google.com/neg: '{"ingress":true}'
+    networking.gke.io/load-balancer-type: External
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/gke-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# GKE-specific: SSD persistent disk storage class (prod)
+persistence:
+  storageClass: premium-rwo
+postgresql:
+  primary:
+    persistence:
+      storageClass: premium-rwo

infra/values/gke-prod/grafana-values.yaml

@@ -0,0 +1,4 @@
+# GKE-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com

infra/values/gke-prod/keycloak-values.yaml

@@ -0,0 +1,3 @@
+# GKE-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com

infra/values/gke-prod/opencost-values.yaml

@@ -0,0 +1,10 @@
+# GKE-specific: GCP pricing via BigQuery billing export (prod)
+opencost:
+  exporter:
+    cloudProviderApiKey: ""
+    customPricing:
+      enabled: false
+    google:
+      key: ""
+      project_id: ""
+      billing_account: ""

infra/values/gke-prod/traefik-values.yaml

@@ -0,0 +1,12 @@
+# GKE-specific: Google Cloud Load Balancer for Traefik (prod)
+service:
+  annotations:
+    cloud.google.com/neg: '{"ingress":true}'
+    networking.gke.io/load-balancer-type: External
+ports:
+  web:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"
+  websecure:
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/8"

infra/values/upc-dev/argocd-values.yaml

@@ -1,5 +1,5 @@
 global:
-  domain: argocd.127.0.0.1.nip.io
+  domain: argocd.forteapps.net
 notifications:
   context:
     clusterName: "dev-fd-eu-no-svg1"

infra/values/upc-dev/gitea-values.yaml

@@ -0,0 +1,7 @@
+# UpCloud storage class for Gitea and its embedded PostgreSQL
+persistence:
+  storageClass: upcloud-block-storage-maxiops
+postgresql:
+  primary:
+    persistence:
+      storageClass: upcloud-block-storage-maxiops

infra/values/upc-dev/opencost-values.yaml

@@ -0,0 +1,15 @@
+# UpCloud custom pricing (no native OpenCost integration)
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"

infra/values/upc-prod/gitea-values.yaml

@@ -0,0 +1,7 @@
+# UpCloud storage class for Gitea and its embedded PostgreSQL
+persistence:
+  storageClass: upcloud-block-storage-maxiops
+postgresql:
+  primary:
+    persistence:
+      storageClass: upcloud-block-storage-maxiops

infra/values/upc-prod/opencost-values.yaml

@@ -0,0 +1,15 @@
+# UpCloud custom pricing (no native OpenCost integration)
+opencost:
+  exporter:
+    customPricing:
+      enabled: true
+      provider: custom
+      costModel:
+        description: "UpCloud 4-node cluster pricing"
+        CPU: "5.86"
+        RAM: "1.46"
+        GPU: "0"
+        storage: "0.34"
+        zoneNetworkEgress: "0"
+        regionNetworkEgress: "0"
+        internetNetworkEgress: "0"

scripts/backup/aws-s3.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# AWS S3 backup upload (native AWS CLI)
+# Uses: aws cli v2
+# Env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, S3_BUCKET
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+echo "Uploading ${KEY}..."
+aws s3 cp "$BACKUP_FILE" "s3://${S3_BUCKET}/${KEY}"
+echo "Upload complete."
+
+# Prune backups older than 7 days
+echo "Pruning backups older than 7 days..."
+CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%S 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%S)
+aws s3api list-objects-v2 --bucket "${S3_BUCKET}" --query "Contents[?LastModified<'${CUTOFF}'].Key" --output text \
+  | tr '\t' '\n' \
+  | while read -r key; do
+      [ -n "$key" ] && aws s3 rm "s3://${S3_BUCKET}/${key}" && echo "Deleted: ${key}"
+    done
+echo "Pruning complete."

scripts/backup/azure-blob.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Azure Blob Storage backup upload
+# Uses: az cli
+# Env: AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_KEY, AZURE_CONTAINER
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+echo "Uploading ${KEY}..."
+az storage blob upload \
+  --account-name "${AZURE_STORAGE_ACCOUNT}" \
+  --account-key "${AZURE_STORAGE_KEY}" \
+  --container-name "${AZURE_CONTAINER}" \
+  --name "${KEY}" \
+  --file "$BACKUP_FILE" \
+  --overwrite
+echo "Upload complete."
+
+# Prune backups older than 7 days
+echo "Pruning backups older than 7 days..."
+CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%SZ)
+az storage blob list \
+  --account-name "${AZURE_STORAGE_ACCOUNT}" \
+  --account-key "${AZURE_STORAGE_KEY}" \
+  --container-name "${AZURE_CONTAINER}" \
+  --query "[?properties.lastModified<'${CUTOFF}'].name" -o tsv \
+  | while read -r name; do
+      [ -n "$name" ] && az storage blob delete \
+        --account-name "${AZURE_STORAGE_ACCOUNT}" \
+        --account-key "${AZURE_STORAGE_KEY}" \
+        --container-name "${AZURE_CONTAINER}" \
+        --name "$name" && echo "Deleted: ${name}"
+    done
+echo "Pruning complete."

scripts/backup/gcp-gcs.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# GCP Cloud Storage backup upload
+# Uses: gsutil (gcloud SDK)
+# Env: GCS_BUCKET (e.g. gs://my-bucket)
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+echo "Uploading ${KEY}..."
+gsutil cp "$BACKUP_FILE" "${GCS_BUCKET}/${KEY}"
+echo "Upload complete."
+
+# Prune backups older than 7 days — GCS lifecycle rules are preferred,
+# but this works as a manual fallback
+echo "Pruning backups older than 7 days..."
+CUTOFF=$(date -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-7d +%Y-%m-%dT%H:%M:%SZ)
+gsutil ls -l "${GCS_BUCKET}/" \
+  | grep 'gitea-dump-' \
+  | while read -r size date name; do
+      if [[ "$date" < "$CUTOFF" ]]; then
+        gsutil rm "$name" && echo "Deleted: ${name}"
+      fi
+    done
+echo "Pruning complete."

scripts/backup/s3-minio.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# S3-compatible backup upload (UpCloud Objects, MinIO, Wasabi, etc.)
+# Uses: minio/mc
+# Env: S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET
+
+BACKUP_FILE="${1:?Usage: $0 <backup-file>}"
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+KEY="gitea-dump-${TIMESTAMP}.zip"
+
+mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+
+echo "Uploading ${KEY}..."
+mc cp "$BACKUP_FILE" "s3/${S3_BUCKET}/${KEY}"
+echo "Upload complete."
+
+# Prune backups older than 7 days
+echo "Pruning backups older than 7 days..."
+mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
+echo "Pruning complete."

scripts/gitea-backup-aks.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Gitea backup helper for Azure Blob Storage
+# Uses the gitea-backup-aks secret in the gitea namespace
+# Required secret keys:
+#   AZURE_STORAGE_ACCOUNT   — storage account name
+#   AZURE_STORAGE_KEY       — storage account key
+#   AZURE_CONTAINER         — blob container name
+#
+# Usage:
+#   ./scripts/gitea-backup-aks.sh list                    # list all backups
+#   ./scripts/gitea-backup-aks.sh download <filename>     # download a backup
+#   ./scripts/gitea-backup-aks.sh download latest          # download the most recent backup
+
+NAMESPACE="gitea"
+SECRET="gitea-backup-aks"
+IMAGE="mcr.microsoft.com/azure-cli:latest"
+POD_NAME="gitea-backup-helper"
+
+cleanup() {
+  kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
+}
+
+az_run() {
+  cleanup
+  kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
+    --image="$IMAGE" \
+    --overrides="{
+      \"spec\":{\"containers\":[{
+        \"name\":\"$POD_NAME\",
+        \"image\":\"$IMAGE\",
+        \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
+        \"command\":[\"sh\",\"-c\",\"$1\"],
+        \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
+      }]}
+    }" > /dev/null 2>&1
+
+  kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
+  kubectl -n "$NAMESPACE" logs "$POD_NAME"
+  cleanup
+}
+
+case "${1:-help}" in
+  list)
+    echo "Listing backups..."
+    az_run 'az storage blob list --account-name ${AZURE_STORAGE_ACCOUNT} --account-key ${AZURE_STORAGE_KEY} --container-name ${AZURE_CONTAINER} --output table --query "[].{Name:name, Size:properties.contentLength, Modified:properties.lastModified}"'
+    ;;
+
+  download)
+    FILE="${2:?Usage: $0 download <filename|latest>}"
+
+    if [ "$FILE" = "latest" ]; then
+      echo "Finding latest backup..."
+      FILE=$(az_run 'az storage blob list --account-name ${AZURE_STORAGE_ACCOUNT} --account-key ${AZURE_STORAGE_KEY} --container-name ${AZURE_CONTAINER} --query "sort_by([], &properties.lastModified)[-1].name" -o tsv' | tr -d '[:space:]')
+      if [ -z "$FILE" ]; then
+        echo "No backups found."
+        exit 1
+      fi
+      echo "Latest: $FILE"
+    fi
+
+    echo "Downloading $FILE..."
+    cleanup
+    kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
+      --image="$IMAGE" \
+      --overrides="{
+        \"spec\":{\"containers\":[{
+          \"name\":\"$POD_NAME\",
+          \"image\":\"$IMAGE\",
+          \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
+          \"command\":[\"sh\",\"-c\",\"sleep 300\"],
+          \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
+        }]}
+      }" > /dev/null 2>&1
+
+    kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
+
+    echo "Saving to ./$FILE ..."
+    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- \
+      az storage blob download \
+        --account-name "\${AZURE_STORAGE_ACCOUNT}" \
+        --account-key "\${AZURE_STORAGE_KEY}" \
+        --container-name "\${AZURE_CONTAINER}" \
+        --name "$FILE" \
+        --file /dev/stdout 2>/dev/null > "./$FILE"
+    cleanup
+
+    echo "Downloaded: ./$FILE"
+    ;;
+
+  *)
+    echo "Gitea backup helper (Azure Blob Storage)"
+    echo ""
+    echo "Usage:"
+    echo "  $0 list                    List all backups in Azure Blob"
+    echo "  $0 download <filename>     Download a specific backup"
+    echo "  $0 download latest         Download the most recent backup"
+    ;;
+esac

scripts/gitea-backup-eks.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Gitea backup helper for AWS S3
+# Uses the gitea-backup-s3 secret in the gitea namespace
+# (same secret schema: S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET)
+#
+# For AWS, S3_ENDPOINT is typically https://s3.<region>.amazonaws.com
+#
+# Usage:
+#   ./scripts/gitea-backup-eks.sh list                    # list all backups
+#   ./scripts/gitea-backup-eks.sh download <filename>     # download a backup to current dir
+#   ./scripts/gitea-backup-eks.sh download latest          # download the most recent backup
+
+NAMESPACE="gitea"
+SECRET="gitea-backup-s3"
+IMAGE="minio/mc:latest"
+POD_NAME="gitea-backup-helper"
+ALIAS_CMD='mc alias set s3 ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
+
+cleanup() {
+  kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
+}
+
+mc_run() {
+  cleanup
+  kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
+    --image="$IMAGE" \
+    --overrides="{
+      \"spec\":{\"containers\":[{
+        \"name\":\"$POD_NAME\",
+        \"image\":\"$IMAGE\",
+        \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
+        \"command\":[\"sh\",\"-c\",\"${ALIAS_CMD}; $1\"],
+        \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
+      }]}
+    }" > /dev/null 2>&1
+
+  kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
+  kubectl -n "$NAMESPACE" logs "$POD_NAME"
+  cleanup
+}
+
+case "${1:-help}" in
+  list)
+    echo "Listing backups..."
+    mc_run 'mc ls s3/${S3_BUCKET}/'
+    ;;
+
+  download)
+    FILE="${2:?Usage: $0 download <filename|latest>}"
+
+    if [ "$FILE" = "latest" ]; then
+      echo "Finding latest backup..."
+      FILE=$(mc_run 'mc ls s3/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
+      if [ -z "$FILE" ]; then
+        echo "No backups found."
+        exit 1
+      fi
+      echo "Latest: $FILE"
+    fi
+
+    echo "Downloading $FILE..."
+    cleanup
+    kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
+      --image="$IMAGE" \
+      --overrides="{
+        \"spec\":{\"containers\":[{
+          \"name\":\"$POD_NAME\",
+          \"image\":\"$IMAGE\",
+          \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
+          \"command\":[\"sh\",\"-c\",\"sleep 300\"],
+          \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
+        }]}
+      }" > /dev/null 2>&1
+
+    kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
+
+    echo "Saving to ./$FILE ..."
+    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat s3/\${S3_BUCKET}/$FILE" > "./$FILE"
+    cleanup
+
+    echo "Downloaded: ./$FILE"
+    ;;
+
+  *)
+    echo "Gitea backup helper (AWS S3)"
+    echo ""
+    echo "Usage:"
+    echo "  $0 list                    List all backups in S3"
+    echo "  $0 download <filename>     Download a specific backup"
+    echo "  $0 download latest         Download the most recent backup"
+    ;;
+esac

scripts/gitea-backup-gke.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Gitea backup helper for Google Cloud Storage
+# Uses the gitea-backup-gcs secret in the gitea namespace
+# Required secret keys:
+#   GCS_BUCKET              — bucket name (without gs:// prefix)
+#   GOOGLE_APPLICATION_CREDENTIALS_JSON — service account key JSON
+#     (alternatively, use Workload Identity and omit the key)
+#
+# Usage:
+#   ./scripts/gitea-backup-gke.sh list                    # list all backups
+#   ./scripts/gitea-backup-gke.sh download <filename>     # download a backup
+#   ./scripts/gitea-backup-gke.sh download latest          # download the most recent backup
+
+NAMESPACE="gitea"
+SECRET="gitea-backup-gcs"
+IMAGE="gcr.io/google.com/cloudsdktool/google-cloud-cli:slim"
+POD_NAME="gitea-backup-helper"
+AUTH_CMD='if [ -n "${GOOGLE_APPLICATION_CREDENTIALS_JSON:-}" ]; then echo "${GOOGLE_APPLICATION_CREDENTIALS_JSON}" > /tmp/gcs-key.json && gcloud auth activate-service-account --key-file=/tmp/gcs-key.json > /dev/null 2>&1; fi'
+
+cleanup() {
+  kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
+}
+
+gcs_run() {
+  cleanup
+  kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
+    --image="$IMAGE" \
+    --overrides="{
+      \"spec\":{\"containers\":[{
+        \"name\":\"$POD_NAME\",
+        \"image\":\"$IMAGE\",
+        \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
+        \"command\":[\"sh\",\"-c\",\"${AUTH_CMD}; $1\"],
+        \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
+      }]}
+    }" > /dev/null 2>&1
+
+  kubectl -n "$NAMESPACE" wait --for=jsonpath='{.status.phase}'=Succeeded "pod/$POD_NAME" --timeout=120s > /dev/null 2>&1
+  kubectl -n "$NAMESPACE" logs "$POD_NAME"
+  cleanup
+}
+
+case "${1:-help}" in
+  list)
+    echo "Listing backups..."
+    gcs_run 'gsutil ls -l gs://${GCS_BUCKET}/'
+    ;;
+
+  download)
+    FILE="${2:?Usage: $0 download <filename|latest>}"
+
+    if [ "$FILE" = "latest" ]; then
+      echo "Finding latest backup..."
+      FILE=$(gcs_run 'gsutil ls gs://${GCS_BUCKET}/' | grep -v '^$' | grep -v 'TOTAL' | sort | tail -1 | xargs -I{} basename {} | tr -d '[:space:]')
+      if [ -z "$FILE" ]; then
+        echo "No backups found."
+        exit 1
+      fi
+      echo "Latest: $FILE"
+    fi
+
+    echo "Downloading $FILE..."
+    cleanup
+    kubectl -n "$NAMESPACE" run "$POD_NAME" --restart=Never \
+      --image="$IMAGE" \
+      --overrides="{
+        \"spec\":{\"containers\":[{
+          \"name\":\"$POD_NAME\",
+          \"image\":\"$IMAGE\",
+          \"env\":[{\"name\":\"HOME\",\"value\":\"/tmp\"}],
+          \"command\":[\"sh\",\"-c\",\"sleep 300\"],
+          \"envFrom\":[{\"secretRef\":{\"name\":\"$SECRET\"}}]
+        }]}
+      }" > /dev/null 2>&1
+
+    kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
+
+    echo "Saving to ./$FILE ..."
+    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${AUTH_CMD} && gsutil cat gs://\${GCS_BUCKET}/$FILE" > "./$FILE"
+    cleanup
+
+    echo "Downloaded: ./$FILE"
+    ;;
+
+  *)
+    echo "Gitea backup helper (Google Cloud Storage)"
+    echo ""
+    echo "Usage:"
+    echo "  $0 list                    List all backups in GCS"
+    echo "  $0 download <filename>     Download a specific backup"
+    echo "  $0 download latest         Download the most recent backup"
+    ;;
+esac

scripts/gitea-backup.sh

@@ -13,7 +13,7 @@ NAMESPACE="gitea"
 SECRET="gitea-backup-s3"
 IMAGE="minio/mc:latest"
 POD_NAME="gitea-backup-helper"
-ALIAS_CMD='mc alias set upcloud ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
+ALIAS_CMD='mc alias set s3 ${S3_ENDPOINT} ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} > /dev/null'
 
 cleanup() {
   kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found --grace-period=0 > /dev/null 2>&1 || true
@@ -41,7 +41,7 @@ mc_run() {
 case "${1:-help}" in
   list)
     echo "Listing backups..."
-    mc_run 'mc ls upcloud/${S3_BUCKET}/'
+    mc_run 'mc ls s3/${S3_BUCKET}/'
     ;;
 
   download)
@@ -49,7 +49,7 @@ case "${1:-help}" in
 
     if [ "$FILE" = "latest" ]; then
       echo "Finding latest backup..."
-      FILE=$(mc_run 'mc ls upcloud/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
+      FILE=$(mc_run 'mc ls s3/${S3_BUCKET}/' | sort | tail -1 | awk '{print $NF}' | tr -d '[:space:]')
       if [ -z "$FILE" ]; then
         echo "No backups found."
         exit 1
@@ -74,7 +74,7 @@ case "${1:-help}" in
     kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s > /dev/null 2>&1
 
     echo "Saving to ./$FILE ..."
-    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat upcloud/\${S3_BUCKET}/$FILE" > "./$FILE"
+    kubectl -n "$NAMESPACE" exec "$POD_NAME" -- sh -c "${ALIAS_CMD} && mc cat s3/\${S3_BUCKET}/$FILE" > "./$FILE"
     cleanup
 
     echo "Downloaded: ./$FILE"