rbac

Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Reviewed-on: #14

.gitattributes

@@ -0,0 +1,2 @@
+# Force LF line endings for shell scripts
+*.sh text eol=lf

README.md

@@ -355,7 +355,6 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
-| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
 

bootstrap.sh

@@ -1,4 +1,5 @@
 #!/bin/zsh
+
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
@@ -27,8 +28,8 @@ Bootstrap()
 Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
-    kubectl apply -f private/main.key
+    kubectl apply -f "private/${CLUSTER}/main.key"
 }
 
 ############################################################
@@ -36,10 +37,15 @@ Gitea()
 ############################################################
 ArgoCd()
 {
+    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
+    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
+    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
+
     # install argocd
     echo "Installing ArgoCD..."
     helm upgrade --install argocd argo-cd \
             --repo https://argoproj.github.io/argo-helm \
+            --version "7.8.0" \
             --namespace argocd --create-namespace \
             --values infra/values/base/argocd-values.yaml \
             --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -49,4 +55,4 @@ ArgoCd()
     kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
 
-# Bootstrap
+Bootstrap

cluster-resources/argocd-oidc-secret-sync.yaml

@@ -0,0 +1,83 @@
+# CronJob: syncs OIDC client secret from registrar-managed
+# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
+# Runs every 2 min. No-ops if source secret doesn't exist yet
+# (safe for fresh deploys before Keycloak is up).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-oidc-sync
+subjects:
+- kind: ServiceAccount
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+spec:
+  schedule: "*/2 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: argocd-oidc-sync
+          restartPolicy: Never
+          containers:
+          - name: sync
+            image: bitnami/kubectl:latest
+            command: ["/bin/sh", "-c"]
+            args:
+            - |
+              set -e
+
+              # Exit gracefully if source secret doesn't exist yet
+              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
+                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
+                exit 0
+              fi
+
+              # Read current OIDC client secret
+              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
+                -o jsonpath='{.data.client-secret}' | base64 -d)
+
+              # Read current value in argocd-secret (if any)
+              CURRENT=$(kubectl get secret argocd-secret -n argocd \
+                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
+
+              # Only patch if changed
+              if [ "$NEW_SECRET" = "$CURRENT" ]; then
+                echo "oidc.clientSecret already up to date"
+                exit 0
+              fi
+
+              kubectl patch secret argocd-secret -n argocd --type merge \
+                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
+              echo "Patched argocd-secret with oidc.clientSecret"

cluster-resources/argocd-repo-server-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-repo-server-config
+  namespace: argocd
+data:
+  # Disable git submodule checkout - submodules (e.g. shared-prompts)
+  # are not needed for K8s manifest generation
+  ARGOCD_GIT_MODULES_ENABLED: "false"

cluster-resources/policies/label-checker.yaml

@@ -26,7 +26,6 @@ spec:
           - monitoring
           - secrets
           - kyverno
-          - trivy-system
     match:
       any:
       - resources:

cluster-resources/policies/secret-cloner.yaml

@@ -16,7 +16,6 @@ spec:
       - resources:
           namespaces:
           - kube-system
-          - trivy-system
           - monitoring
           - argocd
           - cert-manager

devbox.json

@@ -0,0 +1,32 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
+  "packages": [
+    "kubectl@1.33.2",
+    "kubernetes-helm@3.18.4",
+    "k9s@0.50.7",
+    "kubeseal@0.30.0",
+    "argocd@2.14.11",
+    "kubecm@0.33.1",
+    "kubectl-tree@0.4.3",
+    "kind@0.29.0",
+    "kustomize@5.7.0",
+    "kyverno@1.14.3",
+    "syft@1.29.0",
+    "grype@0.92.2",
+    "traefik@3.6.7",
+    "claude-code@latest",
+    "go@latest",
+    "dotnet-sdk@latest",
+    "opentofu@1.11.6"
+  ],
+  "shell": {
+    "init_hook": [
+      "echo 'Welcome to devbox!' > /dev/null"
+    ],
+    "scripts": {
+      "test": [
+        "echo \"Error: no test specified\" && exit 1"
+      ]
+    }
+  }
+}

docs/DEVELOPER-GUIDE.md

@@ -654,21 +654,11 @@ kubectl create secret generic myapp-credentials \
 
 #### Step 2: Seal the Secret
 
-Get the public certificate (one-time setup):
-
-```bash
-# Fetch public cert from cluster
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-```
-
 Seal your secret:
 
 ```bash
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
   < private/myapp-credentials.yaml \
   > secrets/myapp-credentials-sealed.yaml
 ```
@@ -711,7 +701,7 @@ kubectl create secret generic myapp-credentials \
 
 # 2. Seal it
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
   < private/myapp-credentials.yaml \
   > secrets/myapp-credentials-sealed.yaml
 

docs/REFERENCE.md

@@ -88,7 +88,6 @@ launchpad/
 │   ├── loki.yaml
 │   ├── tempo.yaml
 │   ├── fluent-bit.yaml
-│   ├── trivy.yaml
 │   ├── gitea.yaml
 │   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
@@ -655,8 +654,88 @@ retry:
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
+
+**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
+```yaml
+configs:
+  params:
+    "reposerver.enable.git.submodule": "false"
+```
+This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+
+**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
+```bash
+# Enable admin login
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+# Log in as admin, do what's needed, then disable again
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
+```
+ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
+
+**OIDC Authentication** (Keycloak):
+```yaml
+configs:
+  cm:
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbacConfig:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+      g, ArgoCD Viewers, role:readonly
+    # Deny users not in any declared KC group
+    policy.default: ""
+    scopes: '[groups]'
+```
+
+**Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
+
+| KC Group | ArgoCD Role | Access |
+|----------|-------------|--------|
+| `ArgoCD Admins` | `role:admin` | Full control over all apps |
+| `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
+| `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
+| `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
+| `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
+
+**Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
+```yaml
+# infra/values/upc-dev/argocd-values.yaml
+configs:
+  rbac:
+    policy.upc-dev.csv: |
+      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
+      g, Staging Deployers, role:staging-deployer
+```
+
+- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
+- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
+- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
+- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
+- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
+- Safe for fresh deploys: no-ops if source secret doesn't exist yet
+
+**Ingress** (Traefik + TLS):
+```yaml
+server:
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
+  extraArgs:
+  - --insecure
+configs:
+  params:
+    "server.insecure": true
+```
+TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 
 ---
 
@@ -777,6 +856,15 @@ kubeStateMetrics:
 - Loki
 - Tempo
 
+**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
+
+**OIDC Authentication** (Keycloak):
+- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
+- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
+- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
+- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
+- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
+
 ### Loki
 
 **Chart**: `grafana/loki-stack`

infra/base/keycloak.yaml

@@ -15,7 +15,7 @@ spec:
   project: default
 
   sources:
-  - repoURL: https://charts.bitnami.com/bitnami
+  - repoURL: registry-1.docker.io/bitnamicharts
     chart: keycloak
     targetRevision: "25.2.0"
     helm:
@@ -47,3 +47,7 @@ spec:
     kind: CronJob
     jsonPointers:
     - /spec/jobTemplate/spec/template/spec/containers/0/args
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/base/kustomization.yaml

@@ -10,7 +10,6 @@ resources:
 - prometheus.yaml
 - loki.yaml
 - fluent-bit.yaml
-- trivy.yaml
 - enterprise-apps.yaml
 - cluster-resources-application.yaml
 - kyverno-policies.yaml
@@ -21,5 +20,4 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
-- network-policies-application.yaml
 - karpor.yaml

infra/base/loki.yaml

@@ -40,3 +40,9 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/base/network-policies-application.yaml

@@ -1,33 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: network-policies
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: network-policies
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: cluster-resources/network
-
-  destination:
-    server: https://kubernetes.default.svc
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-
-    syncOptions:
-    - Validate=true
-    - ServerSideApply=true

infra/base/tempo.yaml

@@ -40,3 +40,9 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates

infra/base/trivy.yaml

@@ -1,67 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: trivy-system
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: trivy-operator
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: trivy-operator
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: https://aquasecurity.github.io/helm-charts
-    chart: trivy-operator
-    targetRevision: 0.31.0
-    helm:
-      releaseName: trivy-operator
-      valuesObject:
-        operator:
-          targetNamespaces: ""
-          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
-          scanJobsInSameNamespace: true
-          metricsVulnIdEnabled: true
-          metricsImageInfo: true
-        trivy:
-          ignoreUnfixed: false
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: trivy-system
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
-
-  ignoreDifferences:
-  - group: apiextensions.k8s.io
-    kind: CustomResourceDefinition
-    jsonPointers:
-    - /metadata/labels
-    - /metadata/annotations
-    - /metadata/finalizers

infra/dashboards/kustomization.yaml

@@ -8,9 +8,6 @@ generatorOptions:
     grafana_dashboard: "1"
 
 configMapGenerator:
-- name: grafana-dashboard-trivy
-  files:
-  - trivy.json
 - name: grafana-dashboard-traefik-loki
   files:
   - traefik-loki.json

infra/values/base/argocd-values.yaml

@@ -2,25 +2,85 @@ configs:
   secret:
     createSecret: true
     argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
+    # oidc.clientSecret managed by argocd-oidc-sync CronJob
+    # (reads from argocd-oidc-credentials, patches argocd-secret)
   ssh:
     knownHosts: |
       [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
-    admin.enabled: "true"
+    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "false"
+    url: https://argocd.forteapps.net
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbac:
+    # Base RBAC — org-wide roles shared across all clusters.
+    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
+    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
+    policy.csv: |
+      # Platform administrators — full control
+      g, ArgoCD Admins, role:admin
+
+      # Read-only viewers — see all, change nothing
+      g, ArgoCD Viewers, role:readonly
+
+      # --- Per-team roles (scoped to default project app names) ---
+      # Observability team — manage monitoring stack
+      p, role:observability, applications, get, default/prometheus, allow
+      p, role:observability, applications, get, default/loki, allow
+      p, role:observability, applications, get, default/fluent-bit, allow
+      p, role:observability, applications, get, default/tempo, allow
+      p, role:observability, applications, get, default/grafana, allow
+      p, role:observability, applications, get, default/grafana-dashboards, allow
+      p, role:observability, applications, get, default/opencost, allow
+      p, role:observability, applications, sync, default/prometheus, allow
+      p, role:observability, applications, sync, default/loki, allow
+      p, role:observability, applications, sync, default/fluent-bit, allow
+      p, role:observability, applications, sync, default/tempo, allow
+      p, role:observability, applications, sync, default/grafana, allow
+      p, role:observability, applications, sync, default/grafana-dashboards, allow
+      p, role:observability, applications, sync, default/opencost, allow
+      p, role:observability, logs, get, default/*, allow
+      g, Observability Team, role:observability
+
+      # Dev tools team — manage gitea, renovate, karpor
+      p, role:devtools, applications, get, default/gitea, allow
+      p, role:devtools, applications, get, default/gitea-actions, allow
+      p, role:devtools, applications, get, default/renovate, allow
+      p, role:devtools, applications, get, default/karpor, allow
+      p, role:devtools, applications, sync, default/gitea, allow
+      p, role:devtools, applications, sync, default/gitea-actions, allow
+      p, role:devtools, applications, sync, default/renovate, allow
+      p, role:devtools, applications, sync, default/karpor, allow
+      p, role:devtools, logs, get, default/*, allow
+      g, Dev Tools Team, role:devtools
+
+      # App developers — manage enterprise apps only
+      p, role:app-dev, applications, get, default/enterprise-apps, allow
+      p, role:app-dev, applications, sync, default/enterprise-apps, allow
+      p, role:app-dev, applications, action, default/enterprise-apps, allow
+      p, role:app-dev, logs, get, default/enterprise-apps, allow
+      g, App Developers, role:app-dev
+
+    # Deny users not in any declared KC group
+    policy.default: ""
+    scopes: '[groups]'
   params:
     "server.insecure": true
-repoServer:
+    "reposerver.enable.git.submodule": "false"
-  env:
-  # Disable git submodule checkout - submodules (e.g. shared-prompts)
-  # are not needed for K8s manifest generation
-  - name: ARGOCD_GIT_MODULES_ENABLED
-    value: "false"
 server:
   ingress:
-    enabled: false
+    enabled: true
-    ingressClassName: nginx
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
   extraArgs:
   - --insecure
 

infra/values/base/gitea-values.yaml

@@ -77,7 +77,7 @@ gitea:
       FROM: "noreply@fortedigital.com"
 
     admin:
-      DEFAULT_EMAIL_NOTIFICATIONS: enabled
+      DEFAULT_EMAIL_NOTIFICATIONS: onmention
 
   # -- SMTP credentials injected from secret (USER and PASSWD)
   additionalConfigFromEnvs:
@@ -98,7 +98,7 @@ gitea:
     existingSecret: gitea-oidc-credentials
     key: gitea
     autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "openid email profile organization"
+    scopes: "email profile organization"
     groupClaimName: "groups"
     adminGroup: ""
     restrictedGroup: ""

infra/values/base/grafana-values.yaml

@@ -1,5 +1,13 @@
 ingress:
   enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+  - secretName: grafana-tls
+    hosts:
+    - grafana.forteapps.net
+
 resources:
   requests:
     cpu: 50m
@@ -11,6 +19,29 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 
+envFromSecrets:
+- name: grafana-oidc-credentials
+
+grafana.ini:
+  server:
+    root_url: https://grafana.forteapps.net
+  auth.generic_oauth:
+    enabled: true
+    name: Forte SSO
+    allow_sign_up: true
+    client_id: ${client-id}
+    client_secret: ${client-secret}
+    scopes: openid email profile
+    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
+    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
+    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
+    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
+    role_attribute_strict: true
+    allow_assign_grafana_admin: true
+    auto_login: true
+  auth:
+    disable_login_form: true
+
 datasources:
   datasources.yaml:
     apiVersion: 1

infra/values/base/keycloak-values.yaml

@@ -75,7 +75,6 @@ keycloakConfigCli:
             "publicClient": false,
             "redirectUris": ["https://git.forteapps.net/*"],
             "webOrigins": ["https://git.forteapps.net"],
-            "defaultClientScopes": ["openid", "email", "profile"],
             "attributes": {
               "k8s.secret.sync": "true",
               "k8s.secret.namespace": "gitea",
@@ -98,6 +97,96 @@ keycloakConfigCli:
                 }
               }
             ]
+          },
+          {
+            "clientId": "grafana",
+            "name": "Grafana",
+            "enabled": true,
+            "protocol": "openid-connect",
+            "clientAuthenticatorType": "client-secret",
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": false,
+            "redirectUris": ["https://grafana.forteapps.net/*"],
+            "webOrigins": ["https://grafana.forteapps.net"],
+            "attributes": {
+              "k8s.secret.sync": "true",
+              "k8s.secret.namespace": "monitoring",
+              "k8s.secret.name": "grafana-oidc-credentials",
+              "k8s.secret.client-id-key": "client-id",
+              "k8s.secret.client-secret-key": "client-secret"
+            },
+            "protocolMappers": [
+              {
+                "name": "client-roles",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-usermodel-client-role-mapper",
+                "config": {
+                  "claim.name": "resource_access.grafana.roles",
+                  "jsonType.label": "String",
+                  "multivalued": "true",
+                  "usermodel.clientRoleMapping.clientId": "grafana",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
+                }
+              }
+            ]
+          },
+          {
+            "clientId": "argocd",
+            "name": "ArgoCD",
+            "enabled": true,
+            "protocol": "openid-connect",
+            "clientAuthenticatorType": "client-secret",
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": false,
+            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
+            "webOrigins": ["https://argocd.forteapps.net"],
+            "attributes": {
+              "k8s.secret.sync": "true",
+              "k8s.secret.namespace": "argocd",
+              "k8s.secret.name": "argocd-oidc-credentials",
+              "k8s.secret.client-id-key": "client-id",
+              "k8s.secret.client-secret-key": "client-secret"
+            },
+            "protocolMappers": [
+              {
+                "name": "groups",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-group-membership-mapper",
+                "config": {
+                  "claim.name": "groups",
+                  "full.path": "false",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
+                }
+              }
+            ]
+          }
+        ],
+        "groups": [
+          {
+            "name": "ArgoCD Admins",
+            "path": "/ArgoCD Admins"
+          },
+          {
+            "name": "ArgoCD Viewers",
+            "path": "/ArgoCD Viewers"
+          },
+          {
+            "name": "Observability Team",
+            "path": "/Observability Team"
+          },
+          {
+            "name": "Dev Tools Team",
+            "path": "/Dev Tools Team"
+          },
+          {
+            "name": "App Developers",
+            "path": "/App Developers"
           }
         ]
       }
@@ -116,12 +205,12 @@ extraDeploy:
   metadata:
     name: keycloak-client-registrar
   rules:
-  - apiGroups: [""]
+  - apiGroups: [ "" ]
-    resources: ["secrets"]
+    resources: [ "secrets" ]
-    verbs: ["get", "list", "create", "update", "patch"]
+    verbs: [ "get", "list", "create", "update", "patch" ]
-  - apiGroups: [""]
+  - apiGroups: [ "" ]
-    resources: ["namespaces"]
+    resources: [ "namespaces" ]
-    verbs: ["get", "list"]
+    verbs: [ "get", "list" ]
 
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
@@ -158,7 +247,7 @@ extraDeploy:
             containers:
             - name: registrar
               image: alpine:3.20
-              command: ["/bin/sh", "-c"]
+              command: [ "/bin/sh", "-c" ]
               args:
               - |
                 set -e

infra/values/base/prometheus-values.yaml

@@ -36,28 +36,6 @@ extraScrapeConfigs: |
       - source_labels: [__meta_kubernetes_namespace]
         target_label: namespace
 
-  - job_name: trivy-operator
-    scrape_interval: 30s
-    metrics_path: /metrics
-    kubernetes_sd_configs:
-      - role: pod
-        namespaces:
-          names:
-            - trivy-system
-    relabel_configs:
-      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
-        regex: trivy-operator
-        action: keep
-      - source_labels: [__meta_kubernetes_pod_container_port_number]
-        regex: "8080"
-        action: keep
-      - source_labels: [__meta_kubernetes_pod_name]
-        target_label: pod
-      - source_labels: [__meta_kubernetes_namespace]
-        target_label: namespace
-      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
-        target_label: instance
-
   - job_name: traefik
     scrape_interval: 15s
     metrics_path: /metrics

infra/values/upc-dev/argocd-values.yaml

@@ -1,5 +1,5 @@
 global:
-  domain: argocd.127.0.0.1.nip.io
+  domain: argocd.forteapps.net
 notifications:
   context:
     clusterName: "dev-fd-eu-no-svg1"

secrets/base/kustomization.yaml

@@ -11,6 +11,6 @@ resources:
 - gitea-runner-token-sealed.yaml
 - gitea-smtp-secret-sealed.yaml
 - keycloak-credentials-sealed.yaml
-- musicman-auth-oidc-sealed.yaml
 - musicman-credentials.yaml
 - renovate-env-sealed.yaml
+- ts-mcp-secrets-sealed.yaml

secrets/base/musicman-auth-oidc-sealed.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: auth-oidc
-  namespace: music-man
-spec:
-  encryptedData:
-    client-secret: AgAKQ24qP43Dopfb6LfH0o7RIQjK3IMjII8knmdpfL5ldXJRGaYYYQDjZJcIE5HiLoEFXKkLHm39k83l6sJ1fn1RCbbskSGmosYNenJgxOqTZdlyC911km1PVMu890N2JEqUVRQb4YTn8+1dYUglWPL+zaAki3wJ84G5uM6ZY0R7mMEp/5J8RFEeByzdTiHLtB9U2fPnBJiGdKfFN/ysnoZOLN0nAHvvnTEa4pkO2BXNrrhVl7Nje/y9IDmQntCNIHomF9Fy4bo1SpChj1vRXWbLETlMdFkRINHMVWAvemoIDv+CaHVRaaoy/XtTngqA5lyZZwiwiix+HBIDPE5HAnGE/Zqgc2L+ByR3ak33H6O6iGJoVdR79uu9PiW0iaWJwruXgSfm7Fq0KuOHNg0QzfTqsZf0jgT5RhT4apSGHZOl2g4QUkMUee6BPuFM435ZZFdOfDZw1YRdqdFvI6OJgx7+G+kwwnEa125LuBgbJzqLRVxH0LbD9HoBoEqZUB4H0V+0PUY7uVSKcpZUi0RwiLjcoHJzaJlgJdaEc9GrDhh8OvDXOxsBJcRrJDmAH5WbGLXbq7+HUknfbJFkcl6rg9bPWDah0DDf98weqUdafpn0TTt7qoOGW1z27yVApGn9bm9B7ykCa/i9QtX/6G9RTaoslTU45pYzA1Clw9ccRNxv7O+2afU5KZORZPYNXCho4K7tpR7Hw788Rj68x1GYxrZh82+s0fs/SYpvzvN6EiFxKY8R+f1azefD
-    cookie-secret: AgAPJomNWVV2m8izVg8CQ78mnXP9qQaXh1WaIELv4JzwyUIcMOddDDq8PWzmAiWfV24iYj/oy9QB0jruI8+78H5nU6QsF5KB3DlZiDjzwaUeNOs1q4wPsQ/aU9JygYpWD2dYUn4pBYqQQxJyf/gJ1u6jbGMbjsO5J3kkK4RaFiTNt+A3151nmYVgWToknTPPcTaFgpH0xumhQHicO9MyaNsSKOJ1c2AeUiWHqc/0a39tuchCgq4Gm1FOKjXXfevcZw/IamnRiEegoAr5qgSPl7e1xfZeG49FJacsfpWEuQhmKGsaePTHok141VnkKHhlmFdewe3Sn+kSWJbtAx6jky0sqClUKqopVjxfj5IKwcucE0NjxxX2HXmQb/e9nY3BLQ1CRjQQVCNa+JJy6DvAbcERHs7t9T7ATXm4S5lawp9fp8UB1ySy++q4Qvmc+4/16tgugqVEths/n+gSYLWAM8Ibd42RhNXlWqjzvpAUXmHX3Dt/26wNy+5ZnRlcwOIotPBdDqQKlp3fGKc2loC2JHcyN1PH31EwY5+h4pdU/sGSU+EsPd43hALUHq3XzvibHVDQTzyerJgC77NX6kvu2W+V5iWN9LYAAVjMh5yzLYjfgoC/zzIiOIe9yRf6zJzW0nhSkdcoC8EH0lcwEEDp0d/CuO0A6AwWOBaer+tnQtjHeZse9RdKEfyisJDDa7xUNj4T9e8Z+shdkU94vladQpVP1lyRd4auXF7B+T0+1Pkmvac8wDHDk67iomi+1BpS+/2jdJUGJO+91+qIdCFLPi1Y
-  template:
-    metadata:
-      creationTimestamp: null
-      name: auth-oidc
-      namespace: music-man

secrets/base/ts-mcp-secrets-sealed.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  encryptedData:
+    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
+  template:
+    metadata:
+      name: ts-mcp-secrets
+      namespace: ts-mcp