rev

docs/REFERENCE.md

@@ -1109,6 +1109,56 @@ storage:
 - `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `vaultwarden-tls` — auto-managed by cert-manager
 
+### Chibisafe
+
+**Chart**: `l4gdev/chibisafe`
+**Version**: 0.1.1 (app latest)
+**Namespace**: `chibisafe`
+
+**Purpose**: Self-hosted file upload and sharing service.
+
+**Configuration**:
+```yaml
+# infra/overlays/upc-dev/chibisafe/ + infra/values/
+ingress:
+  enabled: true
+  className: "traefik"
+  hosts:
+  - host: chibisafe.forteapps.net
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: chibisafe-tls
+    hosts:
+    - chibisafe.forteapps.net
+
+persistence:
+  database:
+    enabled: true   # SQLite, 1Gi
+  uploads:
+    enabled: true   # User files, 10Gi
+```
+
+**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
+
+**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
+
+**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
+
+**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
+
+**Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
+
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
+
+**Endpoints**:
+- Web UI: `https://chibisafe.forteapps.net`
+
+**Secrets**:
+- `chibisafe-tls` — auto-managed by cert-manager
+- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+
 ### AI Code Review (ai-review)
 
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)

infra/overlays/upc-dev/chibisafe/auth-oidc-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-oidc
+  namespace: chibisafe
+type: Opaque
+stringData:
+  cookie-secret: "gtwkoUMSp1wJa2o5Fo5CNByR8+kTocJOOuywuLexRO4="

infra/overlays/upc-dev/chibisafe/chibisafe.yaml

@@ -1,13 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: passwordpusher
+  name: chibisafe
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
   labels:
-    app.kubernetes.io/name: passwordpusher
-    app.kubernetes.io/part-of: security
+    app.kubernetes.io/name: chibisafe
+    app.kubernetes.io/part-of: storage
     app.kubernetes.io/managed-by: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
@@ -15,14 +15,14 @@ spec:
   project: default
 
   sources:
-  - repoURL: https://pglombardo.github.io/passwordpusher-charts
-    chart: password-pusher
-    targetRevision: "1.4.4"
+  - repoURL: https://l4gdev.github.io/helm-charts
+    chart: chibisafe
+    targetRevision: "0.1.1"
     helm:
-      releaseName: passwordpusher
+      releaseName: chibisafe
       valueFiles:
-      - $values/infra/values/base/passwordpusher-values.yaml
-      - $values/infra/values/upc-dev/passwordpusher-values.yaml
+      - $values/infra/values/base/chibisafe-values.yaml
+      - $values/infra/values/upc-dev/chibisafe-values.yaml
 
   - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
@@ -30,7 +30,7 @@ spec:
 
   destination:
     server: https://kubernetes.default.svc
-    namespace: passwordpusher
+    namespace: chibisafe
 
   syncPolicy:
     automated:

infra/overlays/upc-dev/chibisafe/ingressroute.yaml

@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chibisafe-tls
+  namespace: chibisafe
+spec:
+  secretName: chibisafe-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - chibisafe.forteapps.net
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: chibisafe
+  namespace: chibisafe
+  annotations:
+    gethomepage.dev/enabled: "false"
+    gethomepage.dev/name: "Chibisafe"
+    gethomepage.dev/description: "File upload & sharing"
+    gethomepage.dev/group: "Storage"
+    gethomepage.dev/icon: "chibisafe"
+    gethomepage.dev/href: "https://chibisafe.forteapps.net"
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`chibisafe.forteapps.net`)
+    kind: Rule
+    services:
+    - name: chibisafe
+      port: 9001
+  tls:
+    secretName: chibisafe-tls

infra/overlays/upc-dev/chibisafe/keycloak-client-config.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-chibisafe
+  namespace: chibisafe
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "chibisafe",
+      "name": "Chibisafe",
+      "redirectUris": ["https://chibisafe.forteapps.net/*"],
+      "webOrigins": ["https://chibisafe.forteapps.net"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "chibisafe",
+        "name": "chibisafe-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }

infra/overlays/upc-dev/chibisafe/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- chibisafe.yaml
+- keycloak-client-config.yaml
+- ingressroute.yaml
+- auth-oidc-secret.yaml

infra/overlays/upc-dev/kustomization.yaml

@@ -2,10 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- chibisafe
 - vaultwarden-postgresql
 - vaultwarden
-- passwordpusher-postgresql
-- passwordpusher
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- passwordpusher-postgresql.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: passwordpusher
----
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: passwordpusher-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates

infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- postgresql.yaml
-- passwordpusher-db-secret-sealed.yaml
-- passwordpusher-smtp-secret-sealed.yaml

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-db-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
-    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
-    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-db-creds
-      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-smtp-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
-    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-smtp-creds
-      namespace: passwordpusher

infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml

@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  serviceName: passwordpusher-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: passwordpusher
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: passwordpusher
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: passwordpusher
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi

infra/overlays/upc-dev/passwordpusher/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- passwordpusher.yaml

infra/values/base/chibisafe-values.yaml

@@ -0,0 +1,45 @@
+replicaCount: 1
+
+frontend:
+  image:
+    repository: chibisafe/chibisafe
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+backend:
+  image:
+    repository: chibisafe/chibisafe-server
+    tag: "latest"
+    pullPolicy: IfNotPresent
+
+caddy:
+  image:
+    repository: caddy
+    tag: "2-alpine"
+    pullPolicy: IfNotPresent
+
+persistence:
+  database:
+    enabled: true
+    size: 1Gi
+    accessModes:
+    - ReadWriteOnce
+
+  uploads:
+    enabled: true
+    size: 10Gi
+    accessModes:
+    - ReadWriteOnce
+
+  logs:
+    enabled: false
+
+service:
+  type: ClusterIP
+  port: 80
+
+networkPolicy:
+  enabled: false
+
+podDisruptionBudget:
+  enabled: false

infra/values/base/passwordpusher-values.yaml

@@ -1,7 +0,0 @@
-image:
-  repository: docker.io/pglombardo/pwpush
-  tag: "release-1.51.0"
-
-# Disable the bundled postgresql subchart — we run our own StatefulSet
-postgresql:
-  enabled: false

infra/values/upc-dev/chibisafe-values.yaml

@@ -0,0 +1,11 @@
+podAnnotations:
+  policies.forteapps.io/auth: "true"
+  policies.forteapps.io/auth-type: "oidc"
+  policies.forteapps.io/auth-oidc-authority: "https://id.forteapps.net/realms/forte"
+  policies.forteapps.io/auth-oidc-client-id: "chibisafe"
+  policies.forteapps.io/auth-oidc-callback-path: "https://chibisafe.forteapps.net/auth/callback"
+  policies.forteapps.io/auth-oidc-credentials-secret: "chibisafe-oidc-credentials"
+
+# Ingress disabled — using IngressRoute to target sidecar port directly
+ingress:
+  enabled: false

infra/values/upc-dev/passwordpusher-values.yaml

@@ -1,50 +0,0 @@
-env:
-  PWP__HOST_DOMAIN: pwpush.forteapps.net
-  PWP__HOST_PROTOCOL: https
-  PWP__ENABLE_LOGINS: "true"
-  PWP__ALLOW_ANONYMOUS: "false"
-  PWP__SIGNUPS_ENABLED: "false"
-  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
-  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
-  PWP__MAIL_SMTP_PORT: "587"
-  PWP__MAIL_SMTP_AUTHENTICATION: login
-  PWP__MAIL_SMTP_STARTTLS: "true"
-  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
-  PWP__MAIL_SENDER: noreply@fortedigital.com
-
-envFrom:
-- secretRef:
-    name: passwordpusher-db-creds
-- secretRef:
-    name: passwordpusher-smtp-creds
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "PasswordPusher"
-    gethomepage.dev/description: "Share passwords securely with expiring links"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "passwordpusher"
-    gethomepage.dev/href: "https://pwpush.forteapps.net"
-  hosts:
-  - host: pwpush.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: passwordpusher-tls
-    hosts:
-    - pwpush.forteapps.net
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 256Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-replicaCount: 1