Merge branch 'main' of https://git.forteapps.net/Forte/launchpad

db home
icon
2026-04-28 20:11:41 +02:00 · 2026-04-28 20:11:37 +02:00 · 2026-04-28 16:50:10 +02:00 · 2026-04-28 16:48:29 +02:00 · 2026-04-28 16:02:12 +02:00 · 2026-04-28 15:51:53 +02:00
37 changed files with 39 additions and 992 deletions
--- a/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
+++ b/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dbunk-demo
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "12"
-  labels:
-    app.kubernetes.io/name: dbunk-demo
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/dbunk-demo/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: dbunk-demo
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
--- a/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
+++ b/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- dbunk-demo.yaml
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- dbunk-demo

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1063,52 +1063,6 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes

-### Vaultwarden
-
-**Chart**: `guerzon/vaultwarden`
-**Version**: 0.36.4 (app v1.36.0-alpine)
-**Namespace**: `vaultwarden`
-
-**Purpose**: Self-hosted Bitwarden-compatible password manager.
-
-**Configuration**:
-```yaml
-# infra/overlays/upc-dev/vaultwarden/ + infra/values/
-domain: "https://bitwarden.forteapps.net"
-
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: bitwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-
-database:
-  type: postgresql
-  host: vaultwarden-postgresql  # StatefulSet in overlay
-  existingSecret: prod-db-creds
-
-storage:
-  data: 5Gi (ReadWriteOnce)
-  attachments: 5Gi (ReadWriteOnce)
-```
-
-**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
-
-**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
-
-**Endpoints**:
- Web UI: `https://bitwarden.forteapps.net`
-
-**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
-
-**Secrets**:
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
- `vaultwarden-tls` — auto-managed by cert-manager
-
 ### AI Code Review (ai-review)

 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1187,30 +1141,6 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption

-### Keycloak Browser Flow (IdP Auto-Redirect)
-
-**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
-
-The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
-
-**Flow executions**:
-
-| Priority | Authenticator | Requirement | Purpose |
-|----------|--------------|-------------|---------|
-| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
-| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
-
-**Key fields in realm JSON**:
- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
- `"authenticationFlows"` — defines the custom flow with its executions
- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
-
-**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
-
-**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
-
---
-
 ### Keycloak Client Registrar

 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -43,6 +43,10 @@ spec:
    - ServerSideApply=true

  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -22,4 +22,3 @@ resources:
 - karpor
 - databunker
 - homepage
- vault
--- a/infra/base/kyverno-policies/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies/kyverno-policies.yaml
@@ -27,6 +27,7 @@ spec:
    automated:
      prune: true
      selfHeal: true
+      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
--- a/infra/base/vault/kustomization.yaml
+++ b/infra/base/vault/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vault.yaml
--- a/infra/base/vault/vault.yaml
+++ b/infra/base/vault/vault.yaml
@@ -1,49 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vault
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://helm.releases.hashicorp.com
-    chart: vault
-    targetRevision: "0.32.0"
-    helm:
-      releaseName: vault
-      valueFiles:
-      - $values/infra/values/base/vault-values.yaml
-      - $values/infra/values/upc-dev/vault-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vault
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,10 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- vaultwarden-postgresql
- vaultwarden
- passwordpusher-postgresql
- passwordpusher

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- passwordpusher-postgresql.yaml
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: passwordpusher
---
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: passwordpusher-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- postgresql.yaml
- passwordpusher-db-secret-sealed.yaml
- passwordpusher-smtp-secret-sealed.yaml
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
@@ -1,17 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-db-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
-    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
-    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-db-creds
-      namespace: passwordpusher
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
@@ -1,16 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-smtp-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
-    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-smtp-creds
-      namespace: passwordpusher
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  serviceName: passwordpusher-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: passwordpusher
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: passwordpusher
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: passwordpusher
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
--- a/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- passwordpusher.yaml
--- a/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
+++ b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: passwordpusher
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://pglombardo.github.io/passwordpusher-charts
-    chart: password-pusher
-    targetRevision: "1.4.4"
-    helm:
-      releaseName: passwordpusher
-      valueFiles:
-      - $values/infra/values/base/passwordpusher-values.yaml
-      - $values/infra/values/upc-dev/passwordpusher-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vaultwarden-postgresql.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- postgresql.yaml
- vaultwarden-db-secret-sealed.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  serviceName: vaultwarden-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: vaultwarden
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: vaultwarden
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: vaultwarden
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
@@ -1,20 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: prod-db-creds
-  namespace: vaultwarden
-spec:
-  encryptedData:
-    DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
-    SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
-    SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
-    adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
-    pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
-    pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
-  template:
-    metadata:
-      creationTimestamp: null
-      name: prod-db-creds
-      namespace: vaultwarden
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vaultwarden
---
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: vaultwarden-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vaultwarden
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-vaultwarden
-  namespace: vaultwarden
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "vaultwarden",
-      "name": "Vaultwarden",
-      "redirectUris": ["https://vaultwarden.forteapps.net/*"],
-      "webOrigins": ["https://vaultwarden.forteapps.net"],
-      "protocolMappers": [],
-      "secret": {
-        "namespace": "vaultwarden",
-        "name": "vaultwarden-oidc-credentials",
-        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
-      }
-    }
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vaultwarden.yaml
- keycloak-client-config.yaml
--- a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: vaultwarden
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://guerzon.github.io/vaultwarden
-    chart: vaultwarden
-    targetRevision: "0.36.4"
-    helm:
-      releaseName: vaultwarden
-      valueFiles:
-      - $values/infra/values/base/vaultwarden-values.yaml
-      - $values/infra/values/upc-dev/vaultwarden-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vaultwarden
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -41,7 +41,6 @@ gitea:
    oauth2:
      ENABLED: true
      ENABLE_AUTO_REGISTRATION: true
-      ACCOUNT_LINKING: auto
      USERNAME: email

    session:
--- a/infra/values/base/homepage-values.yaml
+++ b/infra/values/base/homepage-values.yaml
@@ -17,25 +17,21 @@ config:
    traefik: true

  settings:
-    title: "Platform"
+    title: "Forte Platform"
    headerStyle: clean
    layout:
      Apps:
        style: row
-        columns: 3
-      Security:
+        columns: 4
+      Identity:
        style: row
-        columns: 3
-      Tools:
+        columns: 4
+      DevOps:
        style: row
-        header: false
-        columns: 2
-        DevOps:
-          style: column
-          rows: 2
-        Monitoring:
-          style: column
-          rows: 1
+        columns: 4
+      Monitoring:
+        style: row
+        columns: 4

  # Top-of-page cluster overview widget
  widgets:
@@ -54,7 +50,12 @@ config:
  # In-cluster entries come from K8s service annotations.
  # External (out-of-cluster) services are listed here statically.
  bookmarks: []
-  services: []
+  services:
+  - Apps:
+    - Forte Feedback:
+        href: https://feedback.forteapps.net
+        description: Fortes internal feedback app
+        icon: forte

 resources:
  requests:
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -21,9 +21,9 @@ ingress:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Keycloak"
    gethomepage.dev/description: "Identity & access management"
-    gethomepage.dev/group: "Security"
+    gethomepage.dev/group: "Identity"
    gethomepage.dev/icon: "keycloak"
-    gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/"
+    gethomepage.dev/href: "https://id.forteapps.net"

 metrics:
  enabled: true
@@ -58,9 +58,6 @@ keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
-  extraEnvVars:
-  - name: IMPORT_MANAGED_PROTOCOL_MAPPER
-    value: "no-delete"
  configuration:
    forte-realm.json: |
      {
@@ -104,18 +101,6 @@ keycloakConfigCli:
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
-              },
-              {
-                "name": "groups",
-                "protocol": "openid-connect",
-                "protocolMapper": "oidc-group-membership-mapper",
-                "config": {
-                  "claim.name": "groups",
-                  "full.path": "false",
-                  "id.token.claim": "true",
-                  "access.token.claim": "true",
-                  "userinfo.token.claim": "true"
-                }
              }
            ]
          },
@@ -188,54 +173,7 @@ keycloakConfigCli:
            ]
          }
        ],
-        "browserFlow": "browser-auto-idp",
-        "authenticationFlows": [
-          {
-            "alias": "browser-auto-idp",
-            "description": "Browser flow with auto-redirect to Forte Entra IdP",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": false,
-            "authenticationExecutions": [
-              {
-                "authenticator": "auth-cookie",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 10
-              },
-              {
-                "authenticator": "identity-provider-redirector",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 20,
-                "authenticatorConfig": "forte-entra-redirector"
-              }
-            ]
-          }
-        ],
-        "authenticatorConfig": [
-          {
-            "alias": "forte-entra-redirector",
-            "config": {
-              "defaultProvider": "forte-entra"
-            }
-          }
-        ],
        "groups": [
-          {
-            "name": "k8s",
-            "path": "/k8s",
-            "clientRoles": {
-              "grafana": ["Editor"]
-            }
-          },
-          {
-            "name": "dev",
-            "path": "/dev",
-            "clientRoles": {
-              "grafana": ["Viewer"]
-            }
-          },
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
@@ -505,10 +443,10 @@ extraDeploy:
                  CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')

                  # Check if credential Secret already exists in target namespace
-                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
+                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
-                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
+                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")

                  # Skip if hash matches and credential Secret exists
                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
@@ -528,47 +466,44 @@ extraDeploy:
                    publicClient: false,
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
+                    defaultClientScopes: .defaultClientScopes,
                    protocolMappers: (.protocolMappers // [])
-                  } | with_entries(select(.value != null))')
+                  }')

                  # Check if client already exists
-                  EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
-                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
-                  EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
+                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                    | jq -r '.[0].id // empty')

                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
-                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                    if [ "$HTTP_CODE" != "201" ]; then
-                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    # Fetch the newly created client's UUID
-                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
-                      | jq -r '.[0].id' || true)
+                      | jq -r '.[0].id')
                  fi

                  # Sync credentials to target namespace
--- a/infra/values/base/passwordpusher-values.yaml
+++ b/infra/values/base/passwordpusher-values.yaml
@@ -1,7 +0,0 @@
-image:
-  repository: docker.io/pglombardo/pwpush
-  tag: "release-1.51.0"
-
-# Disable the bundled postgresql subchart — we run our own StatefulSet
-postgresql:
-  enabled: false
--- a/infra/values/base/vault-values.yaml
+++ b/infra/values/base/vault-values.yaml
@@ -1,36 +0,0 @@
-# HashiCorp Vault Helm Chart Values
-# Chart: hashicorp/vault v0.32.0
-
-server:
-  standalone:
-    enabled: true
-
-  dataStorage:
-    enabled: true
-    size: 5Gi
-
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 250m
-      memory: 256Mi
-
-  ingress:
-    enabled: true
-    ingressClassName: traefik
-    pathType: Prefix
-    activeService: true
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-      gethomepage.dev/enabled: "true"
-      gethomepage.dev/name: "Vault"
-      gethomepage.dev/description: "Secrets management"
-      gethomepage.dev/group: "Security"
-      gethomepage.dev/icon: "vault"
-      gethomepage.dev/href: "https://vault.forteapps.net"
-
-ui:
-  enabled: true
-  serviceType: ClusterIP
--- a/infra/values/base/vaultwarden-values.yaml
+++ b/infra/values/base/vaultwarden-values.yaml
@@ -1,3 +0,0 @@
-image:
-  tag: "1.36.0-alpine"
-domain: "https://vaultwarden.forteapps.net"
--- a/infra/values/upc-dev/databunker-values.yaml
+++ b/infra/values/upc-dev/databunker-values.yaml
@@ -5,6 +5,6 @@ ingress:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Databunker"
    gethomepage.dev/description: "Secure Database for PII and PCI Records"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "double-take"
+    gethomepage.dev/group: "Identity"
+    gethomepage.dev/icon: "adminer"
    gethomepage.dev/href: "https://databunker.forteapps.net"
--- a/infra/values/upc-dev/homepage-values.yaml
+++ b/infra/values/upc-dev/homepage-values.yaml
@@ -13,53 +13,3 @@ ingress:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
-
-config:
-  settings:
-    title: "Forte Platform"
-    headerStyle: clean
-    layout:
-      Apps:
-        style: row
-        columns: 2
-      Security:
-        style: row
-        columns: 3
-      Tools:
-        style: row
-        header: false
-        columns: 2
-        DevOps:
-          style: column
-          rows: 2
-        Monitoring:
-          style: column
-          rows: 1
-
-  # Top-of-page cluster overview widget
-  widgets:
-  - kubernetes:
-      cluster:
-        show: true
-        cpu: true
-        memory: true
-        showLabel: true
-        label: "Cluster"
-      nodes:
-        show: true
-        cpu: true
-        memory: true
-        showLabel: true
-  # In-cluster entries come from K8s service annotations.
-  # External (out-of-cluster) services are listed here statically.
-  bookmarks: []
-  services:
-  - Apps:
-    - Forte Benken:
-        href: https://benken.hackathon.forteapps.net
-        description: Teknisk kompetanse fra offentlige anbud
-        icon: forte
-    - Forte Feedback:
-        href: https://feedback.forteapps.net
-        description: Fortes internal feedback app
-        icon: forte
--- a/infra/values/upc-dev/passwordpusher-values.yaml
+++ b/infra/values/upc-dev/passwordpusher-values.yaml
@@ -1,50 +0,0 @@
-env:
-  PWP__HOST_DOMAIN: pwpush.forteapps.net
-  PWP__HOST_PROTOCOL: https
-  PWP__ENABLE_LOGINS: "true"
-  PWP__ALLOW_ANONYMOUS: "false"
-  PWP__SIGNUPS_ENABLED: "false"
-  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
-  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
-  PWP__MAIL_SMTP_PORT: "587"
-  PWP__MAIL_SMTP_AUTHENTICATION: login
-  PWP__MAIL_SMTP_STARTTLS: "true"
-  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
-  PWP__MAIL_SENDER: noreply@fortedigital.com
-
-envFrom:
- secretRef:
-    name: passwordpusher-db-creds
- secretRef:
-    name: passwordpusher-smtp-creds
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "PasswordPusher"
-    gethomepage.dev/description: "Share passwords securely with expiring links"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "passwordpusher"
-    gethomepage.dev/href: "https://pwpush.forteapps.net"
-  hosts:
-  - host: pwpush.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: passwordpusher-tls
-    hosts:
-    - pwpush.forteapps.net
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 256Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-replicaCount: 1
--- a/infra/values/upc-dev/vault-values.yaml
+++ b/infra/values/upc-dev/vault-values.yaml
@@ -1,9 +0,0 @@
-server:
-  ingress:
-    hosts:
-    - host: vault.forteapps.net
-      paths: []
-    tls:
-    - secretName: vault-tls
-      hosts:
-      - vault.forteapps.net
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -1,82 +0,0 @@
-adminToken:
-  existingSecret: "prod-db-creds"
-  existingSecretKey: "adminToken"
-domain: "https://vaultwarden.forteapps.net"
-signupsAllowed: false
-resourceType: StatefulSet
-database:
-  type: postgresql
-  host: vaultwarden-postgresql
-  port: "5432"
-  dbName: vaultwarden
-  existingSecret: prod-db-creds
-  existingSecretKey: DATABASE_URL
-  existingSecretUserKey: pgusername
-  existingSecretPasswordKey: pgpassword
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: vaultwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "VaultWarden"
-    gethomepage.dev/description: "Password management"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "vaultwarden"
-    gethomepage.dev/href: "https://vaultwarden.forteapps.net"
-
-replicas: 1
-# Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs
-
-service:
-  sessionAffinity: ClientIP
-  sessionAffinityConfig:
-    clientIP:
-      timeoutSeconds: 10800
-
-smtp:
-  host: smtp.office365.com
-  security: starttls
-  port: 587
-  authMechanism: "Login"
-  from: noreply@fortedigital.com
-  fromName: "Forte Bitwarden Administrator"
-  debug: true
-  existingSecret: prod-db-creds
-  username:
-    existingSecretKey: SMTP_USERNAME
-  password:
-    existingSecretKey: SMTP_PASSWORD
-
-storage:
-  data:
-    name: "vaultwarden-data"
-    size: "5Gi"
-    class: ""
-    path: "/data"
-    keepPvc: true
-    accessMode: "ReadWriteOnce"
-
-  attachments:
-    name: "vaultwarden-files"
-    size: "5Gi"
-    class: ""
-    path: /files
-    keepPvc: true
-    accessMode: "ReadWriteOnce"
-
-sso:
-  enabled: true
-  existingSecret: vaultwarden-oidc-credentials
-  authority: "https://id.forteapps.net/realms/forte"
-  scopes: "email profile"
-  onlySSO: true
-  pkce: true
-  signupsMatchEmail: true
-  clientId:
-    existingSecretKey: client-id
-  clientSecret:
-    existingSecretKey: client-secret
Author	SHA1	Message	Date
Danijel Simeunovic	3e590e4a19	Merge branch 'main' of https://git.forteapps.net/Forte/launchpad	2026-04-28 20:11:41 +02:00
Danijel Simeunovic	00128b6beb	db home	2026-04-28 20:11:37 +02:00
Danijel Simeunovic	a4599fdf91	icon	2026-04-28 16:50:10 +02:00
Danijel Simeunovic	c76bb562a4	ff homepage	2026-04-28 16:48:29 +02:00
Danijel Simeunovic	53b43da813	traefik enable	2026-04-28 16:02:12 +02:00
Danijel Simeunovic	0ac7f94c26	hp rbac extra	2026-04-28 15:51:53 +02:00
Danijel Simeunovic	6ab8cad193	hp apps	2026-04-28 15:47:13 +02:00
Danijel Simeunovic	9b91b5a26e	widgets	2026-04-28 15:29:49 +02:00
Danijel Simeunovic	d8d0b2e1dd	argo icon hp	2026-04-28 15:26:14 +02:00
Danijel Simeunovic	5653036f5d	no token	2026-04-28 15:16:04 +02:00
Danijel Simeunovic	caf14c90a8	templating fix	2026-04-28 15:03:10 +02:00
Danijel Simeunovic	3880ba843a	grafana token	2026-04-28 14:59:59 +02:00
Danijel Simeunovic	27843f3786	token scope	2026-04-28 14:33:27 +02:00
Danijel Simeunovic	1783c76a2d	gitea widget	2026-04-28 14:30:59 +02:00
Danijel Simeunovic	e9513da92b	hp config	2026-04-28 14:21:01 +02:00
Danijel Simeunovic	f5486a9210	homepage	2026-04-28 14:10:53 +02:00