client cloner

README.md

@@ -83,26 +83,20 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── bootstrap.sh                # Cluster initialization script
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
-├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
-│   │   ├── kustomization.yaml
-│   │   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
-│   │   ├── grafana.yaml
-│   │   ├── gitea.yaml
-│   │   ├── gitea-actions.yaml
-│   │   ├── tempo.yaml
-│   │   ├── renovate.yaml
-│   │   ├── ...                # All other Application manifests
-│   │   └── secrets.yaml
-│   ├── overlays/              # Per-cluster overrides
-│   │   ├── upc-dev/           # UpCloud Dev cluster (uses base as-is)
-│   │   └── upc-prod/         # UpCloud Prod cluster (patches value paths)
-│   ├── dashboards/            # Grafana dashboard ConfigMaps
+├── infra/                     # Infrastructure ArgoCD Applications
+│   ├── enterprise-apps.yaml   # Manages all apps in apps/ folder
+│   ├── traefik-application.yaml
+│   ├── cert-manager-application.yaml
+│   ├── kyverno.yaml
+│   ├── prometheus.yaml
+│   ├── grafana.yaml
+│   ├── loki.yaml
+│   ├── tempo.yaml
+│   ├── fluent-bit.yaml
+│   ├── trivy.yaml
+│   ├── sealedsecrets.yaml
+│   ├── renovate.yaml
 │   └── values/                # Helm value overrides
-│       ├── base/              # Shared values (all clusters)
-│       ├── upc-dev/           # UpCloud Dev-specific values
-│       └── upc-prod/         # UpCloud Prod-specific values
 │
 ├── apps/                      # Business Applications
 │   ├── mcp10x.yaml
@@ -361,7 +355,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 
 ### App-of-Apps Pattern
-`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{upc-dev,upc-prod}/` render the base Applications with per-cluster patches (e.g., swapping value file paths from `upc-dev` to `upc-prod`).
+`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Each YAML in `infra/` becomes a child Application managed by ArgoCD.
 
 ### Multi-Source Pattern
 Applications reference both:
@@ -460,14 +454,14 @@ Documentation lives in `docs/`. To update:
 ### Current Environment
 - **Provider**: UpCloud Managed Kubernetes
 - **Environment**: Production (internal use only)
-- **Clusters**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
+- **Cluster**: Single cluster
 - **Auth**: Disabled for ArgoCD (internal access)
 - **Backup**: None (cluster rebuildable via GitOps)
 
 ### Known Limitations
 - No automated backups (yet)
 - Secret rotation not automated
-- Multi-cluster limited to upc-dev and upc-prod environments
+- Single cluster (no multi-cluster setup)
 - DNS management is manual
 
 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)

_app-of-apps-upc-prod.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: infrastructure-apps
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: infrastructure-apps
-    app.kubernetes.io/part-of: platform
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-prod
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

_app-of-apps.yaml

@@ -20,7 +20,7 @@ spec:
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: infra/overlays/upc-dev
+    path: infra
   destination:
     server: https://kubernetes.default.svc
     namespace: default

apps/base/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- dot-ai-stack.yaml
-- mcp10x.yaml
-- musicman.yaml
-- mcpcoder.yaml
-- argo-mcp.yaml

apps/dot-ai-stack.yaml

@@ -27,19 +27,29 @@ metadata:
 spec:
   project: default
 
-  sources:
-  - repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
+  source:
+    repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
     chart: dot-ai-stack
     targetRevision: "0.56.0"
+
     helm:
       releaseName: dot-ai-stack
-      valueFiles:
-      - $values/infra/values/base/dot-ai-stack-values.yaml
-      - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
-
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    targetRevision: HEAD
-    ref: values
+      values: |
+        dot-ai:
+          ingress:
+            enabled: true
+            className: traefik
+            host: kubemcp.forteapps.net
+          webUI:
+            baseUrl: http://kubemcpui.forteapps.net
+        dot-ai-ui:
+          uiAuth:
+            secretRef:
+              name: dot-ai-secrets
+          ingress:
+            enabled: true
+            className: traefik
+            host: kubemcpui.forteapps.net
 
   destination:
     server: https://kubernetes.default.svc

apps/overlays/upc-dev/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-# No patches needed — base already has "upc-dev" paths
-# upc-dev is the default/base cluster

apps/overlays/upc-prod/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# dot-ai-stack: swap upc-dev → upc-prod
-- target:
-    kind: Application
-    name: dot-ai-stack
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/dot-ai-stack-values.yaml

bootstrap.sh

@@ -2,14 +2,7 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (eu|us)}"
-
-echo "running $0 for cluster: ${CLUSTER}..."
-
-# Source cluster config
-eval $(yq -r 'to_entries[] | "export \(.key)=\"\(.value)\""' "clusters/${CLUSTER}.yaml")
-
-echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
+echo "running $0..."
 
 ############################################################
 # Bootstrap                                                     #
@@ -27,8 +20,8 @@ Bootstrap()
 Github()
 {
     echo "Installing secret..."
-    kubectl apply -f private/github-${CLUSTER}.yaml
-    kubectl apply -f private/main-${CLUSTER}.key
+    kubectl apply -f private/github.yaml
+    kubectl apply -f private/main.key
 }
 
 ############################################################
@@ -38,15 +31,15 @@ ArgoCd()
 {
     # install argocd
     echo "Installing ArgoCD..."
+    CLUSTER_NAME="${CLUSTER_NAME:-dev-fd-no-svg1}"
     helm upgrade --install argocd argo-cd \
             --repo https://argoproj.github.io/argo-helm \
             --namespace argocd --create-namespace \
-            --values infra/values/base/argocd-values.yaml \
-            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
-            --set notifications.context.clusterName="${clusterName}" \
+            --values infra/values/argocd-values.yaml \
+            --set notifications.context.clusterName="$CLUSTER_NAME" \
             --timeout 60s --atomic
 
-    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
+    kubectl apply -f _app-of-apps.yaml -n argocd
 }
 
-# Bootstrap
+Bootstrap

clusters/upc-dev.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-fd-no-svg1
-domain: forteapps.net
-argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.forteapps.net
-keycloakDomain: id.forteapps.net
-dotaiDomain: kubemcp.forteapps.net
-dotaiUiDomain: kubemcpui.forteapps.net
-letsencryptEmail: danijels@gmail.com
-trustedIPs: "172.16.1.0/24"
-cloudProvider: upcloud

clusters/upc-prod.yaml

@@ -1,10 +0,0 @@
-clusterName: dev-fd-us-east1
-domain: us.forteapps.net
-argocdDomain: argocd.us.forteapps.net
-grafanaDomain: grafana.us.forteapps.net
-keycloakDomain: id.us.forteapps.net
-dotaiDomain: kubemcp.us.forteapps.net
-dotaiUiDomain: kubemcpui.us.forteapps.net
-letsencryptEmail: danijels@gmail.com
-trustedIPs: "10.0.0.0/16"
-cloudProvider: tbd

docs/DEVELOPER-GUIDE.md

@@ -1364,7 +1364,7 @@ Existing clients (like Gitea) are defined directly in `forte-realm.json` inside
 
 #### Step 1: Add Client to Realm Config
 
-In `infra/values/base/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
+In `infra/values/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
 
 ```json
 {
@@ -1404,7 +1404,7 @@ existingSecret: myapp-oidc-credentials
 
 ```bash
 cd ~/dev/k8s/launchpad
-git add infra/values/base/keycloak-values.yaml
+git add infra/values/keycloak-values.yaml
 git commit -m "Add myapp Keycloak client with auto-sync"
 git push
 ```

docs/GITOPS-ARCHITECTURE.md

@@ -16,7 +16,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 
 ### Key Characteristics
 - **Environment**: Production (internal use only)
-- **Cluster Type**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
+- **Cluster Type**: Single cluster, single environment
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
@@ -62,8 +62,8 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                         │
                                                         ▼
                                            ┌────────────────────────────────┐
-                                           │   Kubernetes Clusters          │
-                                           │   (UpCloud: upc-dev, upc-prod) │
+                                           │   Kubernetes Cluster           │
+                                           │   (UpCloud Managed)            │
                                            │                                │
                                            │  ┌──────────────────────────┐  │
                                            │  │    ArgoCD                │  │
@@ -116,68 +116,74 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ```
 launchpad/
 ├── bootstrap.sh                      # Cluster initialization script
-├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
-├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
+├── _app-of-apps.yaml                 # Root ArgoCD Application (App-of-Apps pattern)
 │
-├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (upc-dev defaults)
-│   │   ├── kustomization.yaml
-│   │   ├── traefik-application.yaml
-│   │   ├── keycloak.yaml
-│   │   ├── grafana.yaml
-│   │   ├── gitea.yaml
-│   │   ├── gitea-actions.yaml
-│   │   ├── tempo.yaml
-│   │   ├── renovate.yaml
-│   │   ├── ...                       # All other Application manifests
-│   │   └── secrets.yaml
-│   ├── overlays/                     # Per-cluster overrides
-│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   │   └── upc-prod/                # UpCloud Prod (patches value paths)
-│   ├── dashboards/                   # Grafana dashboard ConfigMaps
+├── infra/                            # Infrastructure ArgoCD Applications
+│   ├── enterprise-apps.yaml          # Parent app managing all apps in apps/
+│   ├── cluster-resources-application.yaml
+│   ├── traefik-application.yaml
+│   ├── cert-manager-application.yaml
+│   ├── kyverno.yaml
+│   ├── kyverno-policies.yaml
+│   ├── prometheus.yaml
+│   ├── grafana.yaml
+│   ├── loki.yaml
+│   ├── tempo.yaml
+│   ├── fluent-bit.yaml
+│   ├── trivy.yaml
+│   ├── sealedsecrets.yaml
+│   ├── secrets.yaml
 │   └── values/                       # Helm value overrides for infra
-│       ├── base/                     # Shared values (all clusters)
-│       │   ├── traefik-values.yaml
-│       │   ├── keycloak-values.yaml
-│       │   ├── grafana-values.yaml
-│       │   ├── prometheus-values.yaml
-│       │   ├── gitea-values.yaml
-│       │   └── ...
-│       ├── upc-dev/                  # upc-dev cluster-specific values
-│       │   ├── traefik-values.yaml
-│       │   ├── keycloak-values.yaml
-│       │   └── grafana-values.yaml
-│       └── upc-prod/                # upc-prod cluster-specific values
-│           ├── traefik-values.yaml
-│           ├── keycloak-values.yaml
-│           └── grafana-values.yaml
+│       ├── argocd-values.yaml
+│       ├── prometheus-values.yaml
+│       ├── grafana-values.yaml
+│       ├── loki-values.yaml
+│       ├── tempo-values.yaml
+│       └── fluent-bit-values.yaml
 │
-├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # Base app manifests
-│   │   ├── kustomization.yaml
-│   │   ├── dot-ai-stack.yaml
-│   │   └── ...
-│   └── overlays/
-│       ├── upc-dev/                  # Uses base as-is
-│       └── upc-prod/                # Patches value paths
+├── apps/                             # Business Application ArgoCD manifests
+│   ├── mcp10x.yaml                   # MCP 10X application
+│   ├── musicman.yaml                 # Music Man application
+│   ├── dot-ai-stack.yaml             # Dot AI Stack
+│   └── argo-mcp.yaml                 # ArgoCD MCP server
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
-│   ├── ...
+│   ├── cert-manager-namespace.yaml
+│   ├── secrets-namespace.yaml
+│   ├── letsencrypt-issuer.yaml       # Let's Encrypt ClusterIssuer
+│   ├── kyverno-config.yaml
+│   ├── argocd-notifications-secret-sealed.yaml
+│   ├── forte10x-repo-credentials-sealed.yaml
+│   ├── mcp10x-repo-credentials-sealed.yaml
 │   └── policies/                     # Kyverno policies
+│       ├── deployment-verifier.yaml
+│       ├── label-checker.yaml
+│       ├── bare-pod-cleaner.yaml
+│       ├── replicaset-cleaner.yaml
+│       ├── default-ns-blocker.yaml
+│       ├── secret-cloner.yaml
+│       └── auth-sidecar-injector.yaml
 │
-├── secrets/                          # Application secrets (sealed, per-cluster)
-│   └── upc-dev/                      # Secrets for upc-dev cluster
+├── secrets/                          # Application secrets (sealed)
+│   ├── argocd-mcp-credentials.yaml
+│   ├── dot-ai-secrets.yaml
+│   ├── mcp10x-credentials-sealed.yaml
+│   └── musicman-credentials.yaml
 │
 ├── private/                          # Local-only files (NOT in Git)
+│   ├── *.yaml                        # Unsealed secrets
+│   └── *.sh                          # Helper scripts
 │
 └── docs/                             # Documentation
+    ├── GITOPS-ARCHITECTURE.md        # This file
+    ├── DEVELOPER-GUIDE.md
+    ├── OPERATIONS-RUNBOOK.md
+    └── REFERENCE.md
 ```
 
 **Key Points**:
-- `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
-- Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
-- Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
-- `apps/` follows the same base/overlays pattern for business applications
+- `_app-of-apps.yaml` is the root Application that ArgoCD monitors
+- `infra/enterprise-apps.yaml` auto-discovers all apps in `apps/` folder
 - Changes pushed to this repo trigger automatic syncs in ArgoCD
 - `private/` folder contains local-only files (Git-ignored)
 
@@ -289,7 +295,7 @@ app-repository/
 ### The App-of-Apps Pattern
 
 ```
-_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
+_app-of-apps.yaml (Root)
     │
     ├── infrastructure-apps (manages infra/)
     │   ├── cluster-resources-application
@@ -309,10 +315,10 @@ _app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
 ```
 
 **How It Works**:
-1. Bootstrap script installs ArgoCD and applies `_app-of-apps-upc-dev.yaml` (or `upc-prod`)
-2. ArgoCD creates the root Application which monitors the appropriate `infra/overlays/` folder
-3. Kustomize renders base Applications with cluster-specific patches
-4. `enterprise-apps` Application monitors the cluster's `apps/overlays/` folder
+1. Bootstrap script installs ArgoCD and applies `_app-of-apps.yaml`
+2. ArgoCD creates the root Application which monitors `infra/` folder
+3. Each YAML in `infra/` becomes a child Application
+4. `enterprise-apps.yaml` monitors `apps/` folder and auto-discovers applications
 5. ArgoCD continuously syncs (every 60s) and auto-heals drift
 
 ### Sync Waves & Ordering
@@ -357,34 +363,6 @@ spec:
 - Easy to update all apps by changing the chart
 - Environment-specific values isolated in separate repo
 
-### Multi-Cluster Pattern
-
-Kustomize overlays enable deploying the same Applications across clusters with different configurations:
-
-```yaml
-# infra/base/ contains default (upc-dev) Applications
-# Helm values are layered: base + cluster-specific
-valueFiles:
-- $values/infra/values/base/traefik-values.yaml    # Shared config
-- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
-
-# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
-patches:
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/traefik-values.yaml
-```
-
-**Benefits**:
-- Single source of truth for Application definitions
-- Cluster-specific values isolated per overlay
-- Easy to add new clusters by creating a new overlay
-- Base values shared across all clusters reduce duplication
-
 ---
 
 ## CI/CD Pipeline

docs/OPERATIONS-RUNBOOK.md

@@ -207,7 +207,7 @@ kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 # Settings → Repositories → Should show "Successful" status
 
 # Test by creating an application
-kubectl apply -f _app-of-apps-upc-dev.yaml   # or _app-of-apps-upc-prod.yaml
+kubectl apply -f _app-of-apps.yaml
 
 # Check application sync status
 kubectl get applications -n argocd
@@ -1352,13 +1352,13 @@ kubectl get deployment argocd-server -n argocd \
   -o jsonpath='{.spec.template.spec.containers[0].image}'
 
 # Update version in values
-vim infra/values/base/argocd-values.yaml
+vim infra/values/argocd-values.yaml
 
 # Or upgrade via Helm directly
 helm upgrade argocd argo-cd \
   --repo https://argoproj.github.io/argo-helm \
   --namespace argocd \
-  --values infra/values/base/argocd-values.yaml \
+  --values infra/values/argocd-values.yaml \
   --version 6.0.0  # New version
 
 # Verify
@@ -1454,8 +1454,8 @@ kubectl top pods --all-namespaces --sort-by=cpu
 Example: Adding Redis
 
 ```bash
-# 1. Create application manifest in base/
-cat > infra/base/redis-application.yaml <<EOF
+# 1. Create application manifest
+cat > infra/redis-application.yaml <<EOF
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -1465,17 +1465,15 @@ metadata:
     argocd.argoproj.io/sync-wave: "1"
 spec:
   project: default
-  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
+  source:
+    repoURL: https://charts.bitnami.com/bitnami
     chart: redis
     targetRevision: 18.0.0
     helm:
-      releaseName: redis
-      valueFiles:
-      - \$values/infra/values/base/redis-values.yaml
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
+      values: |
+        auth:
+          enabled: true
+          password: changeme
   destination:
     server: https://kubernetes.default.svc
     namespace: redis
@@ -1487,37 +1485,30 @@ spec:
     - CreateNamespace=true
 EOF
 
-# 2. Add to base kustomization
-# Edit infra/base/kustomization.yaml and add: - redis-application.yaml
-
-# 3. Create base values file
-cat > infra/values/base/redis-values.yaml <<EOF
-auth:
-  enabled: true
-EOF
-
-# 4. Commit and push
-git add infra/base/redis-application.yaml infra/values/base/redis-values.yaml infra/base/kustomization.yaml
+# 2. Commit and push
+git add infra/redis-application.yaml
 git commit -m "Add Redis infrastructure component"
 git push
 
-# 5. ArgoCD will auto-sync within 60 seconds
+# 3. ArgoCD will auto-sync within 60 seconds
 ```
 
-### Multi-Cluster Setup
+### Multi-Cluster Setup (Future)
 
-The repository supports multiple clusters via Kustomize overlays:
+For multi-cluster deployments:
 
-- **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
-- **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
+```yaml
+# Different destinations per environment
+# dev-cluster
+destination:
+  server: https://dev.k8s.example.com
+  namespace: myapp
 
-Each cluster has its own:
-- Root app-of-apps file: `_app-of-apps-upc-dev.yaml` / `_app-of-apps-upc-prod.yaml`
-- Cluster-specific Helm values: `infra/values/upc-dev/` / `infra/values/upc-prod/`
-- Sealed secrets: `secrets/upc-dev/` (others as needed)
-- Apps overlay: `apps/overlays/upc-dev/` / `apps/overlays/upc-prod/`
-
-To add a new cluster, create a new overlay directory (e.g., `infra/overlays/upc-staging/`) with patches that swap the value file paths.
+# prod-cluster
+destination:
+  server: https://prod.k8s.example.com
+  namespace: myapp
+```
 
 ### Blue-Green Deployments
 

docs/README.md

@@ -180,7 +180,7 @@ Reference for:
                             │
                             ▼
 ┌──────────────────────────────────────────────────────────────┐
-│          Kubernetes Clusters (UpCloud: upc-dev, upc-prod)     │
+│               Kubernetes Cluster (UpCloud)                    │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies
 
 - **GitOps**: ArgoCD
-- **Kubernetes**: UpCloud Managed Kubernetes (multi-cluster: upc-dev, upc-prod)
+- **Kubernetes**: UpCloud Managed Kubernetes
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno

docs/REFERENCE.md

@@ -21,7 +21,7 @@
 |-----------|-------|
 | **Provider** | UpCloud Managed Kubernetes |
 | **Environment** | Production (internal use) |
-| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
+| **Cluster Count** | Single cluster |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -71,8 +71,7 @@ Internet
 ```
 launchpad/
 ├── bootstrap.sh                   # Cluster initialization script
-├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
-├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
+├── _app-of-apps.yaml              # Root ArgoCD Application
 │
 ├── infra/                         # Infrastructure applications
 │   ├── cluster-resources-application.yaml
@@ -157,15 +156,15 @@ ArgoCd() {
   helm upgrade --install argocd argo-cd \
     --repo https://argoproj.github.io/argo-helm \
     --namespace argocd --create-namespace \
-    --values infra/values/base/argocd-values.yaml \
+    --values infra/values/argocd-values.yaml \
     --set notifications.context.clusterName="$CLUSTER_NAME" \
     --timeout 60s --atomic
 
-  kubectl apply -f _app-of-apps-upc-dev.yaml -n argocd   # or _app-of-apps-upc-prod.yaml
+  kubectl apply -f _app-of-apps.yaml -n argocd
 }
 ```
 
-**`_app-of-apps-upc-dev.yaml`** / **`_app-of-apps-upc-prod.yaml`**
+**`_app-of-apps.yaml`**
 ```yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -616,7 +615,7 @@ retry:
 
 **Configuration**:
 ```yaml
-# infra/base/traefik-application.yaml
+# infra/traefik-application.yaml
 replicas: 2
 
 service:
@@ -791,7 +790,7 @@ persistence:
 
 **Configuration**:
 ```yaml
-# infra/base/gitea.yaml + infra/values/base/gitea-values.yaml
+# infra/gitea.yaml + infra/values/gitea-values.yaml
 ingress:
   host: git.forteapps.net
   tls: cert-manager (letsencrypt-prod)
@@ -834,7 +833,7 @@ postgresql:
 
 **Configuration**:
 ```yaml
-# infra/base/gitea-actions.yaml + infra/values/base/gitea-actions-values.yaml
+# infra/gitea-actions.yaml + infra/values/gitea-actions-values.yaml
 replicaCount: 3
 
 runner:
@@ -995,7 +994,7 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 
 **Configuration**:
 ```yaml
-# infra/base/renovate.yaml + infra/values/base/renovate-values.yaml
+# infra/renovate.yaml + infra/values/renovate-values.yaml
 cronjob:
   schedule: "@daily"
   concurrencyPolicy: Forbid

infra/base/kustomization.yaml

@@ -1,23 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- traefik-application.yaml
-- keycloak.yaml
-- grafana.yaml
-- cert-manager-application.yaml
-- kyverno.yaml
-- sealedsecrets.yaml
-- prometheus.yaml
-- loki.yaml
-- fluent-bit.yaml
-- trivy.yaml
-- enterprise-apps.yaml
-- cluster-resources-application.yaml
-- kyverno-policies.yaml
-- secrets.yaml
-- gitea.yaml
-- gitea-actions.yaml
-- renovate.yaml
-- tempo.yaml
-- grafana-dashboards.yaml
-- network-policies-application.yaml

infra/base/traefik-application.yaml

@@ -1,51 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: traefik-system
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: traefik
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://traefik.github.io/charts
-    chart: traefik
-    targetRevision: "28.0.0"
-    helm:
-      releaseName: traefik
-      valueFiles:
-      - $values/infra/values/base/traefik-values.yaml
-      - $values/infra/values/upc-dev/traefik-values.yaml
-
-  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: traefik-system
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/enterprise-apps.yaml

@@ -18,7 +18,7 @@ spec:
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    path: apps/overlays/upc-dev
+    path: apps
   destination:
     server: https://kubernetes.default.svc
     namespace: apps

infra/fluent-bit.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: fluent-bit
       valueFiles:
-      - $values/infra/values/base/fluent-bit-values.yaml
+      - $values/infra/values/fluent-bit-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/gitea-actions.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: gitea-actions
       valueFiles:
-      - $values/infra/values/base/gitea-actions-values.yaml
+      - $values/infra/values/gitea-actions-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/gitea.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: gitea
       valueFiles:
-      - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/gitea-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/grafana.yaml

@@ -21,8 +21,7 @@ spec:
     helm:
       releaseName: grafana
       valueFiles:
-      - $values/infra/values/base/grafana-values.yaml
-      - $values/infra/values/upc-dev/grafana-values.yaml
+      - $values/infra/values/grafana-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/keycloak.yaml

@@ -21,8 +21,7 @@ spec:
     helm:
       releaseName: keycloak
       valueFiles:
-      - $values/infra/values/base/keycloak-values.yaml
-      - $values/infra/values/upc-dev/keycloak-values.yaml
+      - $values/infra/values/keycloak-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/loki.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: loki
       valueFiles:
-      - $values/infra/values/base/loki-values.yaml
+      - $values/infra/values/loki-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/overlays/upc-dev/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-# No patches needed — base already has "upc-dev" paths
-# upc-dev is the default/base cluster

infra/overlays/upc-prod/kustomization.yaml

@@ -1,50 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-
-patches:
-# Traefik: swap upc-dev → upc-prod in valueFiles
-- target:
-    kind: Application
-    name: traefik
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/traefik-values.yaml
-
-# Keycloak: swap upc-dev → upc-prod
-- target:
-    kind: Application
-    name: keycloak
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/keycloak-values.yaml
-
-# Grafana: swap upc-dev → upc-prod
-- target:
-    kind: Application
-    name: grafana
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/upc-prod/grafana-values.yaml
-
-# Secrets: change path to upc-prod
-- target:
-    kind: Application
-    name: secrets
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: secrets/upc-prod
-
-# Enterprise-apps: point to upc-prod overlay
-- target:
-    kind: Application
-    name: enterprise-apps
-  patch: |
-    - op: replace
-      path: /spec/source/path
-      value: apps/overlays/upc-prod

infra/prometheus.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: prometheus
       valueFiles:
-      - $values/infra/values/base/prometheus-values.yaml
+      - $values/infra/values/prometheus-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/renovate.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: renovate
       valueFiles:
-      - $values/infra/values/base/renovate-values.yaml
+      - $values/infra/values/renovate-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/secrets.yaml

@@ -18,7 +18,7 @@ spec:
   project: default
   source:
     repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets/upc-dev
+    path: secrets
   destination:
     server: https://kubernetes.default.svc
     namespace: secrets

infra/tempo.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: tempo
       valueFiles:
-      - $values/infra/values/base/tempo-values.yaml
+      - $values/infra/values/tempo-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD

infra/traefik-application.yaml

@@ -0,0 +1,159 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: https://traefik.github.io/charts
+    chart: traefik
+    targetRevision: "28.0.0"
+
+    helm:
+      values: |
+        metrics:
+          addInternals: true
+        tracing:
+          otlp:
+            enabled: true
+        logs:
+          general:
+            level: DEBUG
+          access:
+            format: json
+            enabled: true
+
+        additionalArguments:
+          - "--tracing.otlp.http.endpoint=http://tempo.monitoring.svc.cluster.local:4318/v1/traces"
+
+        providers:
+          kubernetesIngress:
+            publishedService: # Fixes ArgoCD health checks for LoadBalancer services
+              enabled: true
+        deployment:
+          replicas: 2
+
+        ingressRoute:
+          dashboard:
+            enabled: true
+            # Optional: specify entrypoint
+            entrypoint: traefik
+
+        api:
+          dashboard: true
+          debug: false
+
+        service:
+          type: LoadBalancer
+          annotations:
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+            traefik.ingress.kubernetes.io/router.priority: "42"
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            service.beta.kubernetes.io/upcloud-load-balancer-config: |
+              {
+                  "frontends": [
+                      {
+                          "name": "web",
+                          "mode": "tcp"
+                      },
+                      {
+                          "name": "websecure",
+                          "mode": "tcp"
+                      },
+                      {
+                          "name": "giteassh",
+                          "mode": "tcp"
+                      }
+                  ],
+                  "backends": [
+                      {
+                          "name": "web",
+                          "properties": {
+                              "outbound_proxy_protocol": "v2"
+                          }
+                      },
+                      {
+                          "name": "websecure",
+                          "properties": {
+                              "outbound_proxy_protocol": "v2"
+                          }
+                      },
+                      {
+                          "name": "giteassh"
+                      }
+                  ]
+              }
+
+        ingressClass:
+          enabled: true
+          isDefaultClass: true
+
+        # Configure entry points
+        ports:
+          metrics:
+            expose: 
+              default: true
+            observability:
+              accessLogs: true
+              metrics: true
+              tracing: true
+              traceVerbosity: detailed
+          web:
+            proxyProtocol:
+              trustedIPs: "172.16.1.0/24"
+            forwardedHeaders:
+              trustedIPs: "172.16.1.0/24"
+            http:
+              redirections:
+                entrypoint:
+                  to: websecure
+                  scheme: https
+
+          websecure:
+            proxyProtocol:
+              trustedIPs: "172.16.1.0/24"
+            forwardedHeaders:
+              trustedIPs: "172.16.1.0/24"
+            observability:
+              accessLogs: true
+              metrics: true
+              tracing: true
+
+          giteassh:
+            port: 2222
+            expose:
+              default: true
+            exposedPort: 2222
+            protocol: TCP
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: traefik-system
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/values/argocd-values.yaml

@@ -1,3 +1,5 @@
+global:
+  domain: argocd.127.0.0.1.nip.io
 configs:
   secret:
     createSecret: true
@@ -20,6 +22,10 @@ notifications:
   secret:
     create: false
 
+  # Shared context variables available in all templates
+  context:
+    clusterName: "dev-fd-no-svg1"
+
   # Define notification templates
   templates:
     template.app-syncing: |

infra/values/base/dot-ai-stack-values.yaml

@@ -1,11 +0,0 @@
-dot-ai:
-  ingress:
-    enabled: true
-    className: traefik
-dot-ai-ui:
-  uiAuth:
-    secretRef:
-      name: dot-ai-secrets
-  ingress:
-    enabled: true
-    className: traefik

infra/values/base/traefik-values.yaml

@@ -1,50 +0,0 @@
-providers:
-  kubernetesIngress:
-    publishedService: # Fixes ArgoCD health checks for LoadBalancer services
-      enabled: true
-deployment:
-  replicas: 2
-
-ingressRoute:
-  dashboard:
-    enabled: true
-    # Optional: specify entrypoint
-    entrypoint: traefik
-
-api:
-  dashboard: true
-  debug: false
-
-service:
-  type: LoadBalancer
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.priority: "42"
-    traefik.ingress.kubernetes.io/router.tls: "true"
-
-ingressClass:
-  enabled: true
-  isDefaultClass: true
-
-# Configure entry points
-ports:
-  metrics:
-    expose:
-      default: true
-    observability:
-      accessLogs: true
-      metrics: true
-      tracing: true
-      traceVerbosity: detailed
-  web:
-    http:
-      redirections:
-        entrypoint:
-          to: websecure
-          scheme: https
-
-  websecure:
-    observability:
-      accessLogs: true
-      metrics: true
-      tracing: true

infra/values/grafana-values.yaml

@@ -1,5 +1,7 @@
 ingress:
   enabled: true
+  hosts:
+  - grafana.127.0.0.1.nip.io
 resources:
   requests:
     cpu: 50m

infra/values/keycloak-values.yaml

@@ -1,4 +1,5 @@
 # Bitnami Keycloak Helm Chart Values
+# Host: id.forteapps.net
 # Chart version: 25.2.0
 
 image:
@@ -14,6 +15,7 @@ auth:
 
 ingress:
   enabled: true
+  hostname: id.forteapps.net
   tls: true
   ingressClassName: traefik
   annotations:

infra/values/upc-dev/argocd-values.yaml

@@ -1,5 +0,0 @@
-global:
-  domain: argocd.127.0.0.1.nip.io
-notifications:
-  context:
-    clusterName: "dev-fd-eu-no-svg1"

infra/values/upc-dev/dot-ai-stack-values.yaml

@@ -1,8 +0,0 @@
-dot-ai:
-  ingress:
-    host: kubemcp.forteapps.net
-  webUI:
-    baseUrl: http://kubemcpui.forteapps.net
-dot-ai-ui:
-  ingress:
-    host: kubemcpui.forteapps.net

infra/values/upc-dev/grafana-values.yaml

@@ -1,3 +0,0 @@
-ingress:
-  hosts:
-  - grafana.forteapps.net

infra/values/upc-dev/keycloak-values.yaml

@@ -1,2 +0,0 @@
-ingress:
-  hostname: id.forteapps.net

infra/values/upc-dev/traefik-values.yaml

@@ -1,40 +0,0 @@
-service:
-  annotations:
-    service.beta.kubernetes.io/upcloud-load-balancer-config: |
-      {
-          "frontends": [
-              {
-                  "name": "web",
-                  "mode": "tcp"
-              },
-              {
-                  "name": "websecure",
-                  "mode": "tcp"
-              }
-          ],
-          "backends": [
-              {
-                  "name": "web",
-                  "properties": {
-                      "outbound_proxy_protocol": "v2"
-                  }
-              },
-              {
-                  "name": "websecure",
-                  "properties": {
-                      "outbound_proxy_protocol": "v2"
-                  }
-              }
-          ]
-      }
-ports:
-  web:
-    proxyProtocol:
-      trustedIPs: "172.16.1.0/24"
-    forwardedHeaders:
-      trustedIPs: "172.16.1.0/24"
-  websecure:
-    proxyProtocol:
-      trustedIPs: "172.16.1.0/24"
-    forwardedHeaders:
-      trustedIPs: "172.16.1.0/24"

infra/values/upc-prod/argocd-values.yaml

@@ -1,5 +0,0 @@
-global:
-  domain: argocd.us.forteapps.net
-notifications:
-  context:
-    clusterName: "dev-fd-us-east1"

infra/values/upc-prod/dot-ai-stack-values.yaml

@@ -1,8 +0,0 @@
-dot-ai:
-  ingress:
-    host: kubemcp.us.forteapps.net
-  webUI:
-    baseUrl: http://kubemcpui.us.forteapps.net
-dot-ai-ui:
-  ingress:
-    host: kubemcpui.us.forteapps.net

infra/values/upc-prod/grafana-values.yaml

@@ -1,3 +0,0 @@
-ingress:
-  hosts:
-  - grafana.us.forteapps.net

infra/values/upc-prod/keycloak-values.yaml

@@ -1,2 +0,0 @@
-ingress:
-  hostname: id.us.forteapps.net

infra/values/upc-prod/traefik-values.yaml

@@ -1,13 +0,0 @@
-service:
-  annotations: {}
-ports:
-  web:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/16"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/16"
-  websecure:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/16"
-    forwardedHeaders:
-      trustedIPs: "10.0.0.0/16"

secrets/upc-dev/dot-ai-secrets.yaml

@@ -1,18 +0,0 @@
-# SealedSecret created after namespace (sync-wave: 0)
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: dot-ai-secrets
-  namespace: dot-ai
-spec:
-  encryptedData:
-    anthropic-api-key: AgASIRVNs7kIvZ/XwFJ4j9TJ05TW4YlFNzi2lx+6URlvzjTkMignK+y4/HD3wTK37BkIonnOXf/DGJcMgqgxOrHBVu9tLkSamve5qgf+SOZ8jxaqpLX2e5hdmHrgMp7rVWKiOoxM+bvu8Gdve3eMwXX8Eazj7W7vi430LsvW4BmPrQp+A9SOP+hwMlV5r+P5pUogC3hddt5KoSwpgnpOb8fRGlLDpc548eDNBJrhsAZiiFqc8+CycHX6idxWzlWOTPR05LBs7YrTIP/LUXWdyq6UG8yB5D0c9JNndnGo6kSfJxdaxCNO7GhMAOmo4CitzYn/zhICwuHPLKwUYQBcEHVpFxgub0U9fY7s4i0SAH9aF1kk8yqHWaCicHzi6B3AxMZYr+knS5vVNB+uGZmSKgZ7QNE1bF6E4Gg5bXRwk7OVQhuJSBzxVNDoXoJ6stL8ejU+MP5FtI792FxZbNDImu3kqor/t9wB49ZeB9Ngks2yvtlSrQ3G2lxJaOgNBPmKYhAX95JFI3xUSHOMa18ftn+aXmEQTXOHtM/IT8A95gUvIKz8Hrt03CwgZ8E+3lcsjAVsfNjqn/erqV+xi93OYOL6o9ivmTIem3MzsqjKuQ57HKaghnd+Ygdt/WfotRBSgZtCweOkZBV0XKxI1RmCQXk6dce8x4T7FDEeaSQwkc4yZ77LfQJnyVgU1rds9Hqv0RbymHK8JCQEMMb6PcK+Ow068fdj4NP27HkuYMB5JdPp682KIRwGznN2d3+QPXRd/ZHshnixudY7CLirlZl9xD0HssfSBI+uCrFEAln8D93UYbn7trF5gkKWYQsQ07CVZ5Z1qXieqwJWjHRY+oY=
-    auth-token: AgB65rUY3yJuTTLbGyrCtJPZp8UyEOr+kznSMGvUaZ9PoHq+kIEhazRdVKHa/WGvMWuc4x+XYRuIGj+2KiooyilUPrLcE3bz9fUOAFbRw3+iUh3WAgwK+f3eBUG6/0OoFw+GJ583IRidDW1t2BchMxSM1m+3vmQoF24qj7k9j/lWPsnX2IX3DhM0SomD1xmG+LsQMo2e4vQXB0BxhVDIQ621JTrvUPYzYx0NlPqZO/MtR1JWYS7WBTvegvgeBKLxfy9KLnqsuzu7rc2t9BYt7TRqvBg/prrKPdSV6Ei4GOZq+AcG15iOKXhsj8SxejPpM0QDemFTRQkdfz+k8ms4/SM0eylr5fEaa99TMTvjYGCfjJJyRcVm5Ef/XdmXiM3OI1u+9QNPiqXh1zmtp0yQMZ7nRE70kKQ2MHVhEmSUkBjovybIzLk4OL1v0FGDDqa1BN9KmNEBlo8H7DqXzfamVoNPyuuO625B3HgSeR3Udq8hngy9W/wiolmMNSc9C6vBA0HzE7Mkq79fHh/ruTi5zOJLfyEP7KQQqlNKfEtDFQfabaV9ERthQjuUs8ZIrdfCTOyQkrmmGY/sH5yodLRSYSEpHFrhPepwHS7lGzbVucW3Fn34D4OxJXyXQQObZKybLV7g6Oglf2Pdn11CEu/4+19RlykuOlm1dlj852a5NWWmmX319laLGlEd1BpG4cZyc9UZud68dGumwzrUupUMTLlJx8bR5rLgqaMpQMluwvq8MQbBXm4ySOcQ2jQhjw==
-    openai-api-key: AgBc4cSrd0riSxKPrp7AqrNYMDAZJTe3aCjTOwEb5pS/KARkgoEGz+0ZhLXa2bcCsPlQzqRzZ1c1cUCnBACkp1xoMfhSOoIJUWJQHRgZx5kEDhNIE/M8PQe8es7jYsW7/ui6iK8uj3Ljk21r8l/ctnP/KiKyML4553el28Ya7XsPQynRvpVexFC4BoJw50nkauLnvl3in0cKmEVAkMWorUP3Etapaj4DWkCQQ22RPN0xGNo9yiIUEAVE+uTRFNKGEHMIvJzgB291FJQtG/WoN/Sy/DeoZkUYndA7CbfFgiz9sq3GqJwyqTM+Ikzw6VCQ3TVWYO/6+yaEzT1NZ/rw00YhDyFoH+yGTkX5lrSUo8lGf3T9OODTdSS1203xtj4dhGbY70sPGMxDfucnO6piVcuRfh9bWg1VX+MTjqpBQE1J0DKJanhoh6lKbPOJhRbi0TIoCz1a3btbbKLDq2YJl7FXA3QNdBsR4qVJ3xmgWlH/eTUskCE2YxDzHmkxgZN2mL22SfeUJYtDRswRG0UGc6pvg2xrR0iEDB0UbH4FQK46fWv8aiOejteLlAAyA9HNA8yi73rTEjq55wpO19/MYj+6oUGEHpFaJje77INTHAKpdbfkp8iKotNXFYLM2hsjyau+x/AFjg87kEdIUVVHHLVMDhOq6NO+foM0nFOIv4lr2Yjl15+ImMSTEfcBr+nWaomnb9G8i5ptqz9bMHbxAcHpzWUBH9SZhzrCWZNDzOm2X2K6mpXhg4WX7VJMoIJk/f+bxTTKnWBawdnpCdbdG5GYQh7usqjPuELFYRTsx+6Tqoddp4KIEyMMxO81XObiN5vEBg74ygunxrjKNg5FoOkUA79YvcGBVVU1FNRl3d8IslXFqhEOT35nxGBB0T7ZORii34tZ2E551NkIo1WbCwilD3Dlgw==
-    ui-auth-token: AgDStP4jHhMehx/SAv5x2aQrJwChnWq8WhV/LVTSuuCSSy9kFQGa3Izyl21sMhLKUgrlS030GH50lbku+IY90S+MSBfaCq0Xb8qwohfH+qJulMRgljoU8r58/3ZsaBzbGJjiNMgBCwGlvuK85t3R3662ftwikahWqLfwAahi12L0llUDNyG9UB0Os3oR2CVAt83+YB07YspCWRzwuOz9D1SgOL/g/JF2hoL43pDD65BqYKdEuLFInJZx1Ul68V/FPmJK1gmJb/Kv8pgtk0sGTzxbbTdIQ1Ugf6+8//CWEq6GsMeEZG9VwExL/KYqobnbqd02FRgSSvWybhWLjiALLQvAFtce6FR6bur0rsariyogGjYCuXYdRnhf7QnB6NopwplhFP37Qf6E4q2pJTJ6Fzv0xq+XlfzNkn9Jvebrdkk/5CThW+wPAfx8r1VIySqBsYnPO/ZQDkfQ5ocX6fmzZ1iCg+0NI24k2YwCeMZtEAGpKEtejS0BLvqrilUG6Oz9sHCGHro4Bv5B/jzUjGbye0DSDj1f6c2RcpqMiUxfPvydJIcJGhrTx8sZS3qhEWME7kwjJCZpHEzfdv0weSJbgVGBSh9e1wjZxxeJGXuZKdFzdhpNEWP4uScGW0UnRDwxZzHMsLjS/W30mQmwmgJVTKdPl6VQrvdq7m4AC6+/d7iXlHazieC1KpBme4hWzO+/h7qRw1P5Va/ZWZtnGs8476J8hIojRtOJ/CdWwVLUa0gHo4CYnempIMwCIS3GtA==
-  template:
-    metadata:
-      creationTimestamp: null
-      name: dot-ai-secrets
-      namespace: dot-ai