dns01

cluster-resources/letsencrypt-issuer.yaml

@@ -12,6 +12,18 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging-key
     solvers:
+    # DNS-01 solver for wildcard certificates (*.example.com)
+    - dns01:
+        cloudflare:
+          email: danijels@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - '*.example.com'
+        - 'example.com'
+    # HTTP-01 fallback for non-wildcard certificates
     - http01:
         ingress:
           class: traefik
@@ -30,6 +42,116 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-prod-key
     solvers:
+    # DNS-01 solver for wildcard certificates (*.example.com)
+    - dns01:
+        cloudflare:
+          email: danijels@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - '*.example.com'
+        - 'example.com'
+    # HTTP-01 fallback for non-wildcard certificates
     - http01:
         ingress:
           class: traefik
+
+# =============================================================================
+# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
+#   --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
+#
+# dns01:
+#   cloudflare:
+#     email: your-cloudflare-email@example.com
+#     apiTokenSecretRef:
+#       name: cloudflare-api-token-secret
+#       key: api-token
+
+# -----------------------------------------------------------------------------
+# Option 2: AWS Route53
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic route53-credentials \
+#   --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
+#
+# dns01:
+#   route53:
+#     region: us-east-1
+#     hostedZoneID: ZXXXXXXXXXXXXX  # Optional: auto-detected if not specified
+#     accessKeyID: YOUR_ACCESS_KEY_ID
+#     secretAccessKeySecretRef:
+#       name: route53-credentials
+#       key: secret-access-key
+
+# -----------------------------------------------------------------------------
+# Option 3: Azure DNS
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic azuredns-config \
+#   --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
+#
+# dns01:
+#   azureDNS:
+#     subscriptionID: YOUR_SUBSCRIPTION_ID
+#     resourceGroupName: YOUR_RESOURCE_GROUP
+#     hostedZoneName: example.com
+#     environment: AzurePublicCloud
+#     managedIdentity:
+#       clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID  # For AKS with pod identity
+#     # OR use service principal:
+#     # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
+#     # clientSecretSecretRef:
+#     #   name: azuredns-config
+#     #   key: client-secret
+
+# -----------------------------------------------------------------------------
+# Option 4: Google Cloud DNS
+# -----------------------------------------------------------------------------
+# Create secret with service account JSON key:
+# kubectl create secret generic clouddns-service-account \
+#   --from-file=service-account.json=path/to/key.json -n cert-manager
+#
+# dns01:
+#   cloudDNS:
+#     project: YOUR_GCP_PROJECT_ID
+#     hostedZoneName: example-com  # Managed zone name in Cloud DNS
+#     serviceAccountSecretRef:
+#       name: clouddns-service-account
+#       key: service-account.json
+
+# -----------------------------------------------------------------------------
+# Option 5: GoDaddy
+# -----------------------------------------------------------------------------
+# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
+#
+# dns01:
+#   webhook:
+#     groupName: acme.yourcompany.com
+#     solverName: godaddy
+#     config:
+#       apiKeySecretRef:
+#         name: godaddy-api-credentials
+#         key: api-key
+#       apiSecretSecretRef:
+#         name: godaddy-api-credentials
+#         key: api-secret
+
+# -----------------------------------------------------------------------------
+# Option 6: Manual/Dynamic DNS (for homelab)
+# -----------------------------------------------------------------------------
+# Requires RFC2136 provider or external webhook
+#
+# dns01:
+#   rfc2136:
+#     nameserver: your-dns-server.example.com
+#     tsigKeyName: cert-manager-key
+#     tsigAlgorithm: HMACSHA256
+#     tsigSecretSecretRef:
+#       name: tsig-secret
+#       key: secret

cluster-resources/policies/label-checker.yaml

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: require-labels
-  annotations:
-    policies.kyverno.io/title: Require Labels
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod, Label
-    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
-  validationFailureAction: Audit
-  background: true
-  rules:
-  - name: check-for-labels
-    skipBackgroundRequests: true
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - istio-system
-          - argocd
-          - cert-manager
-          - monitoring
-          - secrets
-          - kyverno
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    validate:
-      message: The label `app.kubernetes.io/name` is required.
-      allowExistingViolations: true
-      pattern:
-        metadata:
-          labels:
-            app.kubernetes.io/name: "?*"

cluster-resources/wildcard-certificate-example.yaml

@@ -0,0 +1,92 @@
+---
+# Example: Wildcard Certificate for *.example.com
+# This creates a certificate that covers ALL subdomains of example.com
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-example-com
+  namespace: default  # Change to your application's namespace
+spec:
+  # The secret where the TLS certificate will be stored
+  secretName: wildcard-example-com-tls
+  
+  # Use the production issuer (use letsencrypt-staging for testing)
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+    
+  # DNS names this certificate will cover
+  # Both wildcard AND apex domain are recommended
+  dnsNames:
+    - '*.example.com'    # Covers: app.example.com, api.example.com, etc.
+    - 'example.com'      # Also include apex domain explicitly
+  
+  # Optional: Configure certificate duration and renewal
+  duration: 2160h0m0s    # 90 days (Let's Encrypt default)
+  renewBefore: 720h0m0s  # Renew 30 days before expiry
+  
+  # Optional: Private key settings
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+
+---
+# Example: Using the wildcard certificate with a Traefik IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: app-ingress
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    # Match any subdomain - the wildcard cert covers all of them
+    - match: Host(`app.example.com`) || Host(`api.example.com`) || Host(`www.example.com`)
+      kind: Rule
+      services:
+        - name: my-service
+          port: 80
+  tls:
+    # Reference the secret created by the Certificate
+    secretName: wildcard-example-com-tls
+
+---
+# Example: Using wildcard certificate with standard Kubernetes Ingress
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wildcard-ingress
+  namespace: default
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+    - hosts:
+        - '*.example.com'
+        - 'example.com'
+      secretName: wildcard-example-com-tls
+  rules:
+    - host: app.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: app-service
+                port:
+                  number: 80
+    - host: api.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: api-service
+                port:
+                  number: 80

infra/overlays/upc-dev/kustomization.yaml

@@ -4,8 +4,6 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
-- passwordpusher-postgresql
-- passwordpusher
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- passwordpusher-postgresql.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: passwordpusher
----
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: passwordpusher-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- postgresql.yaml
-- passwordpusher-db-secret-sealed.yaml
-- passwordpusher-smtp-secret-sealed.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-db-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
-    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
-    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-db-creds
-      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-smtp-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
-    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-smtp-creds
-      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml

@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  serviceName: passwordpusher-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: passwordpusher
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: passwordpusher
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: passwordpusher
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi

infra/overlays/upc-dev/passwordpusher/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- passwordpusher.yaml

infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml

@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: passwordpusher
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://pglombardo.github.io/passwordpusher-charts
-    chart: password-pusher
-    targetRevision: "1.4.4"
-    helm:
-      releaseName: passwordpusher
-      valueFiles:
-      - $values/infra/values/base/passwordpusher-values.yaml
-      - $values/infra/values/upc-dev/passwordpusher-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/values/base/passwordpusher-values.yaml

@@ -1,7 +0,0 @@
-image:
-  repository: docker.io/pglombardo/pwpush
-  tag: "release-1.51.0"
-
-# Disable the bundled postgresql subchart — we run our own StatefulSet
-postgresql:
-  enabled: false

infra/values/upc-dev/passwordpusher-values.yaml

@@ -1,50 +0,0 @@
-env:
-  PWP__HOST_DOMAIN: pwpush.forteapps.net
-  PWP__HOST_PROTOCOL: https
-  PWP__ENABLE_LOGINS: "true"
-  PWP__ALLOW_ANONYMOUS: "false"
-  PWP__SIGNUPS_ENABLED: "false"
-  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
-  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
-  PWP__MAIL_SMTP_PORT: "587"
-  PWP__MAIL_SMTP_AUTHENTICATION: login
-  PWP__MAIL_SMTP_STARTTLS: "true"
-  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
-  PWP__MAIL_SENDER: noreply@fortedigital.com
-
-envFrom:
-- secretRef:
-    name: passwordpusher-db-creds
-- secretRef:
-    name: passwordpusher-smtp-creds
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "PasswordPusher"
-    gethomepage.dev/description: "Share passwords securely with expiring links"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "passwordpusher"
-    gethomepage.dev/href: "https://pwpush.forteapps.net"
-  hosts:
-  - host: pwpush.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: passwordpusher-tls
-    hosts:
-    - pwpush.forteapps.net
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 256Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-replicaCount: 1