vault migration

ign diff
auto flow
2026-04-30 22:38:33 +02:00 · 2026-04-30 19:08:24 +02:00 · 2026-04-30 18:24:34 +02:00 · 2026-04-30 18:16:25 +02:00 · 2026-04-30 18:11:48 +02:00 · 2026-04-30 18:05:09 +02:00
75 changed files with 1314 additions and 980 deletions
--- a/README.md
+++ b/README.md
@@ -57,11 +57,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl

 ### What's Inside

- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Vault, Vault Secrets Operator, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
- **Secrets**: Sealed Secrets for secure Git storage
+- **Secrets**: Vault Secrets Operator (VSO) syncs secrets from HashiCorp Vault to K8s

 ### Key Features

@@ -187,7 +187,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
 2. Create `helm-prod-values/myapp/values.yaml` (configuration)
-3. Create sealed secrets if needed
+3. Write secrets to Vault and create VaultStaticSecret CRD if needed
 4. Commit and push - ArgoCD auto-syncs!

 ### Update an Existing Application
@@ -200,22 +200,18 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A

 ### Manage Secrets

-**See detailed guide**: [Developer Guide - Working with Secrets](docs/DEVELOPER-GUIDE.md#working-with-secrets)
+**See detailed guide**: [Vault Secrets Operator Reference](docs/vault-secrets-operator.md)

 ```bash
-# Create plain secret
-kubectl create secret generic myapp-creds \
-  --from-literal=KEY=value \
-  --dry-run=client -o yaml > private/myapp-creds.yaml
+# 1. Write secret to Vault
+vault kv put kv/myapp/myapp-creds KEY=value

-# Seal it
-kubeseal --format=yaml --cert=pub-cert.pem \
-  < private/myapp-creds.yaml > secrets/myapp-creds-sealed.yaml
+# 2. Create VaultStaticSecret CRD (one-time, commit to git)
+# See docs/vault-secrets-operator.md for CRD template

-# Commit sealed version
-git add secrets/myapp-creds-sealed.yaml
-git commit -m "Add myapp credentials"
-git push
+# 3. Rotate secrets — no git commit needed!
+vault kv put kv/myapp/myapp-creds KEY=new-value
+# VSO picks up changes within 30 seconds
 ```

 ### Enable Authentication
@@ -328,7 +324,7 @@ kubectl patch application myapp -n argocd \
 ## 🔐 Security

 ### Secret Management
- ✅ Sealed Secrets for Git storage
+- ✅ Vault Secrets Operator (VSO) for secret management
 - ✅ Kyverno auto-clones secrets to namespaces
 - ❌ Never commit plain secrets

@@ -355,7 +351,8 @@ kubectl patch application myapp -n argocd \
 | **Traefik** | Ingress controller | `traefik` | 2 |
 | **Cert-Manager** | TLS certificates | `cert-manager` | 1 |
 | **Kyverno** | Policy engine | `kyverno` | 1 |
-| **Sealed Secrets** | Secret encryption | `kube-system` | 1 |
+| **Vault** | Secret storage | `vault` | 1 |
+| **Vault Secrets Operator** | Secret sync (Vault → K8s) | `vault-secrets-operator-system` | 1 |
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
@@ -455,7 +452,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
 3. Create Helm values in `helm-prod-values/`
-4. Create sealed secrets if needed
+4. Write secrets to Vault and create VaultStaticSecret CRD if needed
 5. Commit and push - ArgoCD handles the rest!

 ### Modifying Infrastructure
@@ -499,7 +496,8 @@ Documentation lives in `docs/`. To update:
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
 - [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+- [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
+- [HashiCorp Vault](https://developer.hashicorp.com/vault/docs)

 ### Related Repositories
 - [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
--- a/apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml
+++ b/apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-mcp-credentials
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/argocd-mcp-credentials
+  destination:
+    name: argocd-mcp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/apps/base/argo-mcp/auth-oidc-vault.yaml
+++ b/apps/base/argo-mcp/auth-oidc-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: auth-oidc
+  namespace: argocd-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd-mcp/auth-oidc
+  destination:
+    name: auth-oidc
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
- argocdmcp-auth-oidc-sealed.yaml
- argocd-mcp-credentials.yaml
+- vault-auth.yaml
+- auth-oidc-vault.yaml
+- argocd-mcp-credentials-vault.yaml
+# Removed: argocdmcp-auth-oidc-sealed.yaml, argocd-mcp-credentials.yaml (migrated to VSO)
--- a/apps/base/argo-mcp/vault-auth.yaml
+++ b/apps/base/argo-mcp/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd-mcp
+  namespace: argocd-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd-mcp
+    serviceAccount: vault-auth-argocd-mcp
+    audiences:
+    - vault
--- a/apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: dot-ai-secrets
+  namespace: dot-ai
+spec:
+  type: kv-v2
+  mount: kv
+  path: dot-ai/dot-ai-secrets
+  destination:
+    name: dot-ai-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
- dot-ai-secrets.yaml
+- vault-auth.yaml
+- dot-ai-secrets-vault.yaml
+# Removed: dot-ai-secrets.yaml (migrated to VSO)
--- a/apps/base/dot-ai-stack/vault-auth.yaml
+++ b/apps/base/dot-ai-stack/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-dot-ai
+  namespace: dot-ai
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: dot-ai
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-dot-ai
+    serviceAccount: vault-auth-dot-ai
+    audiences:
+    - vault
--- a/apps/base/mcp10x/app-credentials-vault.yaml
+++ b/apps/base/mcp10x/app-credentials-vault.yaml
@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: app-credentials
+  namespace: mcp10x
+spec:
+  type: kv-v2
+  mount: kv
+  path: mcp10x/app-credentials
+  destination:
+    name: app-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
- forte10x-app-credentials-sealed.yaml
+- vault-auth.yaml
+- app-credentials-vault.yaml
+# Removed: forte10x-app-credentials-sealed.yaml (migrated to VSO)
--- a/apps/base/mcp10x/vault-auth.yaml
+++ b/apps/base/mcp10x/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-mcp10x
+  namespace: mcp10x
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: mcp10x
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-mcp10x
+    serviceAccount: vault-auth-mcp10x
+    audiences:
+    - vault
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
- musicman-credentials.yaml
+- vault-auth.yaml
+- musicman-credentials-vault.yaml
+# Removed: musicman-credentials.yaml (migrated to VSO)
--- a/apps/base/musicman/musicman-credentials-vault.yaml
+++ b/apps/base/musicman/musicman-credentials-vault.yaml
@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: musicman-credentials
+  namespace: music-man
+spec:
+  type: kv-v2
+  mount: kv
+  path: music-man/musicman-credentials
+  destination:
+    name: musicman-credentials
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/apps/base/musicman/vault-auth.yaml
+++ b/apps/base/musicman/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-music-man
+  namespace: music-man
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: music-man
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-music-man
+    serviceAccount: vault-auth-music-man
+    audiences:
+    - vault
--- a/apps/base/ts-mcp/kustomization.yaml
+++ b/apps/base/ts-mcp/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
- ts-mcp-secrets-sealed.yaml
+- vault-auth.yaml
+- ts-mcp-secrets-vault.yaml
+# Removed: ts-mcp-secrets-sealed.yaml (migrated to VSO)
--- a/apps/base/ts-mcp/ts-mcp-secrets-vault.yaml
+++ b/apps/base/ts-mcp/ts-mcp-secrets-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  type: kv-v2
+  mount: kv
+  path: ts-mcp/ts-mcp-secrets
+  destination:
+    name: ts-mcp-secrets
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/apps/base/ts-mcp/vault-auth.yaml
+++ b/apps/base/ts-mcp/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-ts-mcp
+  namespace: ts-mcp
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: ts-mcp
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-ts-mcp
+    serviceAccount: vault-auth-ts-mcp
+    audiences:
+    - vault
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
@@ -1,33 +1,34 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: passwordpusher
---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: passwordpusher-postgresql
+  name: feedback
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "12"
  labels:
-    app.kubernetes.io/name: passwordpusher-postgresql
-    app.kubernetes.io/part-of: security
+    app.kubernetes.io/name: feedback
+    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default

-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
    targetRevision: HEAD
-    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
+    helm:
+      valueFiles:
+      - $values/feedback/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values

  destination:
    server: https://kubernetes.default.svc
-    namespace: passwordpusher
+    namespace: feedback

  syncPolicy:
    automated:
@@ -38,6 +39,12 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

  ignoreDifferences:
  - group: apps
--- a/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- passwordpusher.yaml
+- feedback.yaml
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - ../../base
 - dbunk-demo
+- feedback

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/cluster-resources/argocd-notifications-secret-vault.yaml
+++ b/cluster-resources/argocd-notifications-secret-vault.yaml
@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: argocd-notifications-secret
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/argocd-notifications-secret
+  destination:
+    name: argocd-notifications-secret
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/cluster-resources/forte-helm-repo-vault.yaml
+++ b/cluster-resources/forte-helm-repo-vault.yaml
@@ -0,0 +1,16 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: forte-helm-repo
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/forte-helm-repo
+  destination:
+    name: forte-helm-repo
+    create: true
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/cluster-resources/forte10x-repo-credentials-vault.yaml
+++ b/cluster-resources/forte10x-repo-credentials-vault.yaml
@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: forte10x-repo-creds
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/forte10x-repo-creds
+  destination:
+    name: forte10x-repo-creds
+    create: true
+    type: Opaque
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/cluster-resources/mcp10x-repo-credentials-vault.yaml
+++ b/cluster-resources/mcp10x-repo-credentials-vault.yaml
@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: mcp10x-repo-creds
+  namespace: argocd
+spec:
+  type: kv-v2
+  mount: kv
+  path: argocd/mcp10x-repo-creds
+  destination:
+    name: mcp10x-repo-creds
+    create: true
+    type: Opaque
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -245,6 +245,12 @@ spec:
                secretKeyRef:
                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
+            - name: AUTH_OIDC_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
+            - name: AUTH_OIDC_BROKER_ALIAS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
+            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -324,6 +330,8 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
+            - name: AUTH_MCP_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
            resources:
              limits:
                cpu: 50m
--- a/cluster-resources/vault-auth-argocd.yaml
+++ b/cluster-resources/vault-auth-argocd.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-argocd
+  namespace: argocd
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: argocd
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-argocd
+    serviceAccount: vault-auth-argocd
+    audiences:
+    - vault
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -60,18 +60,16 @@ If you do need cluster access, install:
   curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
   ```

-2. **kubeseal** - For sealing secrets
+2. **vault** CLI - For managing secrets in HashiCorp Vault
   ```bash
   # macOS
-   brew install kubeseal
+   brew install hashicorp/tap/vault

   # Windows
-   choco install kubeseal
+   choco install vault

   # Linux
-   wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
-   tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
-   sudo mv kubeseal /usr/local/bin/
+   # See https://developer.hashicorp.com/vault/install
   ```

 3. **Git** - Version control
@@ -634,115 +632,100 @@ git push

 ### Understanding Secret Management

-**NEVER commit plain secrets to Git.** We use **Sealed Secrets** to encrypt secrets before committing.
+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
+**NEVER commit plain secret values to Git.** Only VaultStaticSecret CRD manifests are committed.

 ### Creating a New Secret

-#### Step 1: Create Plain Secret Locally
+#### Step 1: Write Secret to Vault

 ```bash
-cd ~/dev/k8s/launchpad
-
-# Create secret in private/ folder (Git-ignored)
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=your-secret-key-here \
-  --from-literal=DB_PASSWORD=super-secret-password \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=your-secret-key-here \
+  DB_PASSWORD=super-secret-password
 ```

-**DO NOT commit this file!** It's in `private/` which is Git-ignored.
+#### Step 2: Create VaultStaticSecret CRD

-#### Step 2: Seal the Secret
+Create a YAML file (e.g., `apps/base/myapp/myapp-credentials-vault.yaml`):

-Seal your secret:
-
-```bash
-kubeseal --format=yaml \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: myapp-credentials
+  namespace: myapp
+spec:
+  type: kv-v2
+  mount: kv
+  path: myapp/myapp-credentials
+  destination:
+    name: myapp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
 ```

-#### Step 3: Commit Sealed Secret
+#### Step 3: Add VaultAuth (if new namespace)
+
+If this is a new namespace, also create a `vault-auth.yaml` with a ServiceAccount and VaultAuth CRD. See [VSO Reference](vault-secrets-operator.md#vaultauth) for template.
+
+#### Step 4: Commit and Push

 ```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials (sealed)"
+git add apps/base/myapp/myapp-credentials-vault.yaml
+git commit -m "Add myapp credentials (VSO)"
 git push
 ```

-#### Step 4: Reference Secret in Application
+ArgoCD syncs the CRD, VSO creates the K8s Secret.
+
+#### Step 5: Reference Secret in Application

 Update your `helm-prod-values/myapp/values.yaml`:

 ```yaml
 app:
-  envSecretName: "myapp-credentials"  # References the SealedSecret
+  envSecretName: "myapp-credentials"  # VSO creates this K8s Secret
 ```

-Commit and push:
+### Updating / Rotating a Secret
+
+**No git commit needed** — just update in Vault:
+
 ```bash
-cd ~/dev/k8s/helm-prod-values
-git add myapp/values.yaml
-git commit -m "Reference myapp credentials"
-git push
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=new-key-here \
+  DB_PASSWORD=new-password
 ```

-### Updating a Secret
-
-To update an existing secret:
+VSO picks up changes within 30 seconds. Restart pods if they don't watch for secret updates:

 ```bash
-# 1. Create new version of secret
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=new-key-here \
-  --from-literal=DB_PASSWORD=new-password \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# 2. Seal it
-kubeseal --format=yaml \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit sealed version
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```

 ### Secret Best Practices

-✅ **DO**:
- Store secrets in `private/` folder locally
- Always seal secrets before committing
- Delete plain secrets after sealing
- Use meaningful secret names
+- Write secrets to Vault via UI or CLI — never commit values to Git
+- Use meaningful secret names matching the KV path convention: `kv/{namespace}/{secret-name}`
 - Document what each secret contains
-
-❌ **DON'T**:
- Commit plain secrets to Git
- Share secrets via Slack/email
- Hard-code secrets in code
- Use the same secret across multiple environments
- Store secrets in Docker images
+- Use Vault's versioning for audit trail

 ### Where Secrets Are Stored

 ```
-┌─────────────────────────────────────────────────────────────┐
-│  Location                │  Content           │  Committed?│
-├──────────────────────────┼────────────────────┼────────────┤
-│  private/                │  Plain secrets     │  ❌ NO      │
-│  secrets/                │  Sealed secrets    │  ✅ YES     │
-│  Kubernetes cluster      │  Unsealed secrets  │  N/A       │
-└─────────────────────────────────────────────────────────────┘
+┌──────────────────────────────────────────────────────────────────┐
+│  Location                  │  Content                │  In Git? │
+├────────────────────────────┼─────────────────────────┼──────────┤
+│  Vault KV (kv/{ns}/{name}) │  Secret values          │  ❌ NO   │
+│  VaultStaticSecret CRD     │  Sync config (no values)│  ✅ YES  │
+│  Kubernetes cluster        │  K8s Secret (synced)    │  N/A     │
+└──────────────────────────────────────────────────────────────────┘
 ```

-**Sealed Secrets Controller** in the cluster decrypts sealed secrets automatically.
+**Vault Secrets Operator** syncs secrets from Vault to K8s automatically (30s refresh).

 ---

@@ -876,28 +859,13 @@ In your identity provider (e.g., Keycloak):
 #### Step 2: Create OIDC Secret

 ```bash
-# Create plain secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=your-oidc-client-secret \
-  --from-literal=cookie-secret=$(openssl rand -hex 32) \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+# Write OIDC secret to Vault
+vault kv put kv/myapp/auth-oidc \
+  client-secret=your-oidc-client-secret \
+  cookie-secret=$(openssl rand -hex 32)

-# Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit sealed secret
-cd ~/dev/k8s/launchpad
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
+# Create VaultStaticSecret CRD (see docs/vault-secrets-operator.md for template)
+# Add to apps/base/myapp/auth-oidc-vault.yaml and commit
 ```

 #### Step 3: Configure Helm Values
@@ -1127,16 +1095,13 @@ ingress:
  host: web-app.forteapps.net
 ```

-**With sealed OIDC secret**:
+**With Vault OIDC secret**:
 ```bash
-# Create and seal secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=super-secret-value \
-  --from-literal=cookie-secret=$(openssl rand -hex 32) \
-  --namespace=web-app \
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=web-app \
-  > secrets/web-app-auth-oidc-sealed.yaml
+# Write OIDC secret to Vault
+vault kv put kv/web-app/auth-oidc \
+  client-secret=super-secret-value \
+  cookie-secret=$(openssl rand -hex 32)
+# Then create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
 ```

 #### Example 3: MCP Server with OAuth 2.0
@@ -1264,7 +1229,7 @@ kubectl logs -n myapp <pod-name> -c authn
 - Use token auth for service-to-service communication
 - Rotate tokens and secrets regularly
 - Use strong random tokens (32+ bytes)
- Store client secrets in SealedSecrets
+- Store client secrets in Vault
 - Test authentication before deploying to production
 - Document which tokens/users have access

@@ -1568,22 +1533,22 @@ curl http://localhost:8080

 #### Problem: Secret not found

-**Check if SealedSecret exists:**
+**Check VSO sync status:**
 ```bash
-kubectl get sealedsecret -n myapp
+kubectl get vaultstaticsecret -n myapp
 kubectl get secret -n myapp
 ```

 **Solutions:**
 ```bash
-# Check if secret is in Git
-ls -l secrets/myapp-credentials-sealed.yaml
+# Check VaultAuth is authenticated
+kubectl get vaultauth -n myapp

-# Re-apply sealed secret
-kubectl apply -f secrets/myapp-credentials-sealed.yaml
+# Check VaultStaticSecret events
+kubectl describe vaultstaticsecret myapp-credentials -n myapp

-# Check sealed-secrets-controller logs
-kubectl logs -n kube-system deployment/sealed-secrets-controller
+# Verify secret exists in Vault
+vault kv get kv/myapp/myapp-credentials
 ```

 #### Problem: Secret exists but pods can't access it
@@ -1694,7 +1659,7 @@ If you're stuck:
 ### Secret Management

 ✅ **DO**:
- Use kubeseal for all secrets
+- Use Vault for all secrets (see docs/vault-secrets-operator.md)
 - Store plain secrets in password manager
 - Rotate secrets regularly
 - Use different secrets per environment
@@ -1746,16 +1711,9 @@ kubectl rollout restart deployment myapp -n myapp
 # Port-forward to service
 kubectl port-forward -n myapp service/myapp 8080:3000

-# Create secret
-kubectl create secret generic myapp-credentials \
-  --from-literal=KEY=value \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Seal secret
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
+# Write secret to Vault
+vault kv put kv/myapp/myapp-credentials KEY=value
+# Create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
 ```

 ### Repository Locations
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -188,13 +188,15 @@ Save the following file in private/ (gitignored) folder as secret.yaml
      <paste your private key here>
    project: default
 ```
-Seal the secret using `kubeseal` command 
+Write the secret to Vault:
 ```bash
-kubeseal --format=yaml \
-  --namespace=argocd \
-  < private/secret.yaml \
-  > secrets/forte-helm-repo-secret-sealed.yaml
+vault kv put kv/argocd/forte-helm-repo \
+  type=git \
+  url=ssh://git@git.forteapps.net:2222/Forte/forte-helm.git \
+  sshPrivateKey="$(cat private/ssh-key)" \
+  project=default
 ```
+Then create a VaultStaticSecret CRD with `argocd.argoproj.io/secret-type: repository` label.

 **Step 4: Register Repository in ArgoCD**

@@ -499,7 +501,7 @@ See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for d
 **Quick checklist:**
 - [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
- [ ] Create SealedSecret if needed
+- [ ] Write secrets to Vault and create VaultStaticSecret CRD if needed
 - [ ] Commit and push changes
 - [ ] Verify sync in Slack/ArgoCD
 - [ ] Configure DNS for domain
@@ -670,92 +672,61 @@ db:

 ## Secret Management

+Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+
 ### Creating Secrets

-#### Step 1: Get Public Certificate
+#### Step 1: Write to Vault

 ```bash
-# Fetch sealed-secrets public cert (one-time)
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-
-# Save this certificate for future use
+# From literal values
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=secret123 \
+  DB_PASSWORD=pass456
 ```

-#### Step 2: Create Plain Secret
+#### Step 2: Create VaultStaticSecret CRD

-```bash
-# Method 1: From literal values
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=secret123 \
-  --from-literal=DB_PASSWORD=pass456 \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Method 2: From file
-kubectl create secret generic myapp-credentials \
-  --from-file=.env \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
-
-# Method 3: From multiple files
-kubectl create secret generic myapp-credentials \
-  --from-file=api-key.txt \
-  --from-file=db-password.txt \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+```yaml
+# apps/base/myapp/myapp-credentials-vault.yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: myapp-credentials
+  namespace: myapp
+spec:
+  type: kv-v2
+  mount: kv
+  path: myapp/myapp-credentials
+  destination:
+    name: myapp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
 ```

-#### Step 3: Seal Secret
+#### Step 3: Commit CRD

 ```bash
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-```
-
-#### Step 4: Commit Sealed Secret
-
-```bash
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Add myapp credentials"
+git add apps/base/myapp/myapp-credentials-vault.yaml
+git commit -m "Add myapp credentials (VSO)"
 git push
-
-# Delete plain secret
-rm private/myapp-credentials.yaml
 ```

-### Updating Secrets
+ArgoCD syncs the CRD, VSO creates the K8s Secret automatically.
+
+### Updating / Rotating Secrets
+
+**No git commit needed** — just update in Vault:

 ```bash
-# 1. Create new version
-kubectl create secret generic myapp-credentials \
-  --from-literal=API_KEY=new-secret-key \
-  --from-literal=DB_PASSWORD=new-password \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-credentials.yaml
+vault kv put kv/myapp/myapp-credentials \
+  API_KEY=new-secret-key \
+  DB_PASSWORD=new-password

-# 2. Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-credentials.yaml \
-  > secrets/myapp-credentials-sealed.yaml
-
-# 3. Commit
-git add secrets/myapp-credentials-sealed.yaml
-git commit -m "Update myapp credentials"
-git push
-
-# 4. Restart pods to pick up new secret
+# VSO picks up changes within 30 seconds
+# Restart pods if needed
 kubectl rollout restart deployment myapp -n myapp
-
-# 5. Delete plain secret
-rm private/myapp-credentials.yaml
 ```

 ### Viewing Secrets (Unsealed)
@@ -832,30 +803,13 @@ OIDC auth requires an `auth-oidc` Secret with two keys:
 CLIENT_SECRET="your-oidc-client-secret-from-provider"
 COOKIE_SECRET=$(openssl rand -hex 32)

-# Create plain secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$COOKIE_SECRET \
-  --namespace=myapp \
-  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+# Write to Vault
+vault kv put kv/myapp/auth-oidc \
+  client-secret=$CLIENT_SECRET \
+  cookie-secret=$COOKIE_SECRET

-# Seal it
-kubeseal --format=yaml \
-  --cert=pub-cert.pem \
-  --namespace=myapp \
-  < private/myapp-auth-oidc.yaml \
-  > secrets/myapp-auth-oidc-sealed.yaml
-
-# Apply sealed secret
-kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
-
-# Commit to Git
-git add secrets/myapp-auth-oidc-sealed.yaml
-git commit -m "Add OIDC secrets for myapp"
-git push
-
-# Clean up
-rm private/myapp-auth-oidc.yaml
+# Create VaultStaticSecret CRD (one-time) and commit
+# See docs/vault-secrets-operator.md for CRD template
 ```

 #### Rotating Authentication Secrets
@@ -882,16 +836,12 @@ kubectl rollout restart deployment myapp -n myapp
 # Rotate cookie secret (safe - invalidates existing sessions)
 NEW_COOKIE_SECRET=$(openssl rand -hex 32)

-# Recreate secret
-kubectl create secret generic auth-oidc \
-  --from-literal=client-secret=$CLIENT_SECRET \
-  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
-  --namespace=myapp \
-  --dry-run=client -o yaml | \
-  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
-  kubectl apply -f -
+# Update in Vault — no git commit needed
+vault kv put kv/myapp/auth-oidc \
+  client-secret=$CLIENT_SECRET \
+  cookie-secret=$NEW_COOKIE_SECRET

-# Restart to pick up new secret
+# VSO picks up within 30s. Restart pods to use new secret:
 kubectl rollout restart deployment myapp -n myapp
 ```

@@ -1342,13 +1292,11 @@ kubectl get applications -n argocd -w
               - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
   ```

-3. **Sealed Secrets private key backup**
+3. **Vault backup**
   ```bash
-   # Backup sealed-secrets controller private key
-   kubectl get secret -n kube-system sealed-secrets-key \
-     -o yaml > sealed-secrets-key-backup.yaml
-
-   # Store in secure location (password manager, vault)
+   # Vault data is stored on PVC — ensure PVC snapshots are configured
+   # For disaster recovery, maintain Vault unseal keys in a secure location
+   # All secrets can be re-seeded from source if needed
   ```

 ---
@@ -1668,7 +1616,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
- [ ] Secrets created and sealed
+- [ ] Secrets written to Vault and VaultStaticSecret CRD created
 - [ ] DNS record added for domain
 - [ ] Application synced successfully
 - [ ] Health check passed
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1063,52 +1063,6 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes

-### Vaultwarden
-
-**Chart**: `guerzon/vaultwarden`
-**Version**: 0.36.4 (app v1.36.0-alpine)
-**Namespace**: `vaultwarden`
-
-**Purpose**: Self-hosted Bitwarden-compatible password manager.
-
-**Configuration**:
-```yaml
-# infra/overlays/upc-dev/vaultwarden/ + infra/values/
-domain: "https://bitwarden.forteapps.net"
-
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: bitwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-
-database:
-  type: postgresql
-  host: vaultwarden-postgresql  # StatefulSet in overlay
-  existingSecret: prod-db-creds
-
-storage:
-  data: 5Gi (ReadWriteOnce)
-  attachments: 5Gi (ReadWriteOnce)
-```
-
-**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
-
-**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
-
-**Endpoints**:
- Web UI: `https://bitwarden.forteapps.net`
-
-**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
-
-**Secrets**:
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
- `vaultwarden-tls` — auto-managed by cert-manager
-
 ### AI Code Review (ai-review)

 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1187,30 +1141,6 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption

-### Keycloak Browser Flow (IdP Auto-Redirect)
-
-**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
-
-The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
-
-**Flow executions**:
-
-| Priority | Authenticator | Requirement | Purpose |
-|----------|--------------|-------------|---------|
-| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
-| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
-
-**Key fields in realm JSON**:
- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
- `"authenticationFlows"` — defines the custom flow with its executions
- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
-
-**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
-
-**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
-
---
-
 ### Keycloak Client Registrar

 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1454,6 +1384,46 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone

+### Keycloak Microsoft/Entra Identity Provider
+
+**File**: `infra/values/upc-dev/keycloak-values.yaml`
+**Namespace**: `keycloak`
+
+**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
+
+**Configuration via keycloakConfigCli**:
+- IdP alias: `forte-entra`, provider: `microsoft`
+- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
+- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
+
+**Key Configuration Notes**:
+
+| Field | Location | Notes |
+|-------|----------|-------|
+| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
+| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
+| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
+| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
+
+**Token Storage & Broker Access**:
+- `storeToken: true` persists the Entra access token in Keycloak
+- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
+- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
+
+**Identity Provider Mappers**:
+- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
+
+**Required Secret** (`microsoft-idp-credentials`):
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+stringData:
+  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
+```
+
 ### Default Namespace Blocker

 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
--- a/docs/vault-secrets-operator.md
+++ b/docs/vault-secrets-operator.md
@@ -0,0 +1,206 @@
+# Vault Secrets Operator (VSO) Reference
+
+## Overview
+
+The platform uses HashiCorp Vault Secrets Operator (VSO) to sync secrets from Vault KV v2 to native Kubernetes Secrets. This replaces the previous SealedSecrets workflow.
+
+**Key benefit**: Secret values can be rotated via Vault UI/CLI without a git commit. Only new VaultStaticSecret CRDs need to be committed.
+
+## Architecture
+
+```
+Vault (KV v2)                VSO                        K8s Secret
+kv/{namespace}/{name}  -->  VaultStaticSecret CRD  -->  Secret in namespace
+                            (polls every 30s)
+```
+
+- **Vault**: Standalone instance in `vault` namespace, KV v2 at `kv/`
+- **VSO**: Deployed in `vault-secrets-operator-system` namespace via ArgoCD
+- **Auth**: Kubernetes auth method — each namespace has its own ServiceAccount + VaultAuth CRD
+
+## KV Path Convention
+
+```
+kv/{namespace}/{secret-name}
+```
+
+Examples:
+- `kv/homepage/homepage-widget-credentials`
+- `kv/argocd/forte-helm-repo`
+- `kv/gitea/gitea-smtp-secret`
+- `kv/keycloak/keycloak-credentials`
+
+## Vault Policy Structure
+
+Each namespace gets a read-only policy:
+
+```hcl
+# Policy: ns-{namespace}
+path "kv/data/{namespace}/*" {
+  capabilities = ["read"]
+}
+path "kv/metadata/{namespace}/*" {
+  capabilities = ["read", "list"]
+}
+```
+
+## Kubernetes Auth Roles
+
+Each namespace has a bound ServiceAccount:
+
+```
+Role: ns-{namespace}
+  bound_service_account_names: vault-auth-{namespace}
+  bound_service_account_namespaces: {namespace}
+  policies: ns-{namespace}
+  audience: vault
+  ttl: 1h
+```
+
+## CRD Reference
+
+### VaultAuth
+
+Per-namespace auth binding. One per namespace.
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: {namespace}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-{namespace}
+    serviceAccount: vault-auth-{namespace}
+    audiences:
+    - vault
+```
+
+Each VaultAuth requires a corresponding ServiceAccount:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-{namespace}
+  namespace: {namespace}
+```
+
+### VaultStaticSecret
+
+One per secret. Syncs a Vault KV path to a K8s Secret.
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {secret-name}
+  namespace: {namespace}
+spec:
+  type: kv-v2
+  mount: kv
+  path: {namespace}/{secret-name}
+  destination:
+    name: {secret-name}        # K8s Secret name (must match what apps expect)
+    create: true
+    type: Opaque               # Optional, defaults to Opaque
+    labels:                    # Optional, for secrets that need labels
+      some-label: "value"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
+```
+
+## Special Labels
+
+Some secrets require specific labels for correct operation:
+
+| Secret | Label | Purpose |
+|--------|-------|---------|
+| `renovate-env` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
+| `gitea-smtp-secret` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
+| `forte-helm-repo` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+| `forte10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+| `mcp10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
+
+These are set in `destination.labels` of the VaultStaticSecret CRD.
+
+## Namespaces & Secrets Map
+
+| Namespace | Secrets |
+|-----------|---------|
+| `homepage` | homepage-widget-credentials |
+| `renovate` | renovate-env |
+| `gitea` | gitea-credentials, gitea-backup-s3, gitea-smtp-secret, gitea-runner-token |
+| `keycloak` | keycloak-credentials, microsoft-idp-credentials (overlay) |
+| `argocd` | forte-helm-repo, forte10x-repo-creds, mcp10x-repo-creds, argocd-notifications-secret |
+| `mcp10x` | app-credentials |
+| `ts-mcp` | ts-mcp-secrets |
+| `argocd-mcp` | auth-oidc, argocd-mcp-credentials |
+| `dot-ai` | dot-ai-secrets |
+| `music-man` | musicman-credentials |
+
+## Common Operations
+
+### Add a new secret
+
+1. Write to Vault:
+   ```bash
+   vault kv put kv/{namespace}/{secret-name} key1=val1 key2=val2
+   ```
+
+2. Create VaultStaticSecret YAML (see template above)
+
+3. Add to kustomization.yaml in the appropriate directory
+
+4. Commit and push — ArgoCD syncs the CRD, VSO creates the K8s Secret
+
+### Rotate a secret value
+
+No git commit needed:
+```bash
+vault kv put kv/{namespace}/{secret-name} key1=new-val1 key2=new-val2
+```
+VSO picks up changes within 30 seconds.
+
+### Check sync status
+
+```bash
+# VaultAuth status
+kubectl get vaultauth -n {namespace}
+
+# VaultStaticSecret status
+kubectl get vaultstaticsecret -n {namespace}
+
+# Verify K8s Secret exists with correct keys
+kubectl get secret {name} -n {namespace} -o jsonpath='{.data}' | jq
+```
+
+### Troubleshooting
+
+1. **VaultAuth not authenticating**: Check ServiceAccount exists, Vault role matches SA name/namespace
+2. **VaultStaticSecret not syncing**: Check `kubectl describe vaultstaticsecret {name} -n {ns}` for events
+3. **Secret missing keys**: Verify Vault KV path has all expected keys: `vault kv get kv/{ns}/{name}`
+4. **Permission denied**: Verify Vault policy allows read on `kv/data/{ns}/*`
+
+## File Locations
+
+| Type | Location |
+|------|----------|
+| VSO ArgoCD Application | `infra/base/vault-secrets-operator/` |
+| VSO Helm values | `infra/values/base/vault-secrets-operator-values.yaml` |
+| Vault policies script | `scripts/vault-setup-policies.sh` |
+| Seed script | `scripts/seed-vault-from-cluster.sh` |
+| VaultAuth + VaultStaticSecret | Alongside ArgoCD Application in each component directory |
+
+## Setup Scripts
+
+```bash
+# Create all Vault policies and auth roles
+./scripts/vault-setup-policies.sh
+
+# Seed Vault KV from existing K8s Secrets
+./scripts/seed-vault-from-cluster.sh
+```
--- a/infra/base/gitea/gitea-backup-s3-vault.yaml
+++ b/infra/base/gitea/gitea-backup-s3-vault.yaml
@@ -0,0 +1,15 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-s3
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-backup-s3
+  destination:
+    name: gitea-backup-s3
+    create: true
+    type: Opaque
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-credentials-vault.yaml
+++ b/infra/base/gitea/gitea-credentials-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-credentials
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-credentials
+  destination:
+    name: gitea-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-runner-token-vault.yaml
+++ b/infra/base/gitea/gitea-runner-token-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-runner-token
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-runner-token
+  destination:
+    name: gitea-runner-token
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-smtp-secret-vault.yaml
+++ b/infra/base/gitea/gitea-smtp-secret-vault.yaml
@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  type: kv-v2
+  mount: kv
+  path: gitea/gitea-smtp-secret
+  destination:
+    name: gitea-smtp-secret
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
- gitea-backup-s3-sealed.yaml
- gitea-credentials-sealed.yaml
- gitea-runner-token-sealed.yaml
- gitea-smtp-secret-sealed.yaml
+- vault-auth.yaml
+- gitea-credentials-vault.yaml
+- gitea-backup-s3-vault.yaml
+- gitea-smtp-secret-vault.yaml
+- gitea-runner-token-vault.yaml
+# Removed: gitea-*-sealed.yaml (migrated to VSO)
--- a/infra/base/gitea/vault-auth.yaml
+++ b/infra/base/gitea/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-gitea
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-gitea
+    serviceAccount: vault-auth-gitea
+    audiences:
+    - vault
--- a/infra/base/homepage/homepage-widget-credentials-vault.yaml
+++ b/infra/base/homepage/homepage-widget-credentials-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: homepage-widget-credentials
+  namespace: homepage
+spec:
+  type: kv-v2
+  mount: kv
+  path: homepage/homepage-widget-credentials
+  destination:
+    name: homepage-widget-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
- homepage-widget-credentials-sealed.yaml
+- vault-auth.yaml
+- homepage-widget-credentials-vault.yaml
 - homepage-extra-rbac.yaml
+# Removed: homepage-widget-credentials-sealed.yaml (migrated to VSO)
--- a/infra/base/homepage/vault-auth.yaml
+++ b/infra/base/homepage/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-homepage
+  namespace: homepage
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: homepage
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-homepage
+    serviceAccount: vault-auth-homepage
+    audiences:
+    - vault
--- a/infra/base/keycloak/keycloak-credentials-vault.yaml
+++ b/infra/base/keycloak/keycloak-credentials-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: keycloak-credentials
+  namespace: keycloak
+spec:
+  type: kv-v2
+  mount: kv
+  path: keycloak/keycloak-credentials
+  destination:
+    name: keycloak-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -43,6 +43,10 @@ spec:
    - ServerSideApply=true

  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
- keycloak-credentials-sealed.yaml
+- vault-auth.yaml
+- keycloak-credentials-vault.yaml
+# Removed: keycloak-credentials-sealed.yaml (migrated to VSO)
--- a/infra/base/keycloak/vault-auth.yaml
+++ b/infra/base/keycloak/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-keycloak
+  namespace: keycloak
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: keycloak
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-keycloak
+    serviceAccount: vault-auth-keycloak
+    audiences:
+    - vault
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -23,3 +23,4 @@ resources:
 - databunker
 - homepage
 - vault
+- vault-secrets-operator
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
- renovate-env-sealed.yaml
+- vault-auth.yaml
+- renovate-env-vault.yaml
+# Removed: renovate-env-sealed.yaml (migrated to VSO)
--- a/infra/base/renovate/renovate-env-vault.yaml
+++ b/infra/base/renovate/renovate-env-vault.yaml
@@ -0,0 +1,17 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: renovate-env
+  namespace: renovate
+spec:
+  type: kv-v2
+  mount: kv
+  path: renovate/renovate-env
+  destination:
+    name: renovate-env
+    create: true
+    type: Opaque
+    labels:
+      allowedToBeCloned: "true"
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/base/renovate/vault-auth.yaml
+++ b/infra/base/renovate/vault-auth.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-auth-renovate
+  namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: renovate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ns-renovate
+    serviceAccount: vault-auth-renovate
+    audiences:
+    - vault
--- a/infra/base/sealedsecrets/kustomization.yaml
+++ b/infra/base/sealedsecrets/kustomization.yaml
@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
- argocd-forte-helm-secret-sealed.yaml
+# Removed: argocd-forte-helm-secret-sealed.yaml (migrated to VSO — now in cluster-resources/)
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- vaultwarden-postgresql.yaml
+- vault-secrets-operator.yaml
--- a/infra/base/vault-secrets-operator/vault-secrets-operator.yaml
+++ b/infra/base/vault-secrets-operator/vault-secrets-operator.yaml
@@ -1,12 +1,12 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: vaultwarden
+  name: vault-secrets-operator
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "2"
  labels:
-    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/part-of: security
    app.kubernetes.io/managed-by: argocd
  finalizers:
@@ -15,14 +15,13 @@ spec:
  project: default

  sources:
-  - repoURL: https://guerzon.github.io/vaultwarden
-    chart: vaultwarden
-    targetRevision: "0.36.4"
+  - repoURL: https://helm.releases.hashicorp.com
+    chart: vault-secrets-operator
+    targetRevision: "0.10.0"
    helm:
-      releaseName: vaultwarden
+      releaseName: vault-secrets-operator
      valueFiles:
-      - $values/infra/values/base/vaultwarden-values.yaml
-      - $values/infra/values/upc-dev/vaultwarden-values.yaml
+      - $values/infra/values/base/vault-secrets-operator-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
@@ -30,7 +29,7 @@ spec:

  destination:
    server: https://kubernetes.default.svc
-    namespace: vaultwarden
+    namespace: vault-secrets-operator-system

  syncPolicy:
    automated:
--- a/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
+++ b/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: microsoft-idp-credentials
+  namespace: keycloak
+spec:
+  encryptedData:
+    MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
+  template:
+    metadata:
+      creationTimestamp: null
+      name: microsoft-idp-credentials
+      namespace: keycloak
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,10 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- vaultwarden-postgresql
- vaultwarden
- passwordpusher-postgresql
- passwordpusher
+- microsoft-idp-credentials-vault.yaml
+# Removed: entra-upc-dev-credentials-sealed.yaml (migrated to VSO)

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-dev/microsoft-idp-credentials-vault.yaml
+++ b/infra/overlays/upc-dev/microsoft-idp-credentials-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+spec:
+  type: kv-v2
+  mount: kv
+  path: keycloak/microsoft-idp-credentials
+  destination:
+    name: microsoft-idp-credentials
+    create: true
+  refreshAfter: 30s
+  vaultAuthRef: vault-auth
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- passwordpusher-postgresql.yaml
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- postgresql.yaml
- passwordpusher-db-secret-sealed.yaml
- passwordpusher-smtp-secret-sealed.yaml
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
@@ -1,17 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-db-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
-    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
-    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-db-creds
-      namespace: passwordpusher
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
@@ -1,16 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-smtp-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
-    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-smtp-creds
-      namespace: passwordpusher
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: passwordpusher-postgresql
-  namespace: passwordpusher
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: passwordpusher
-    app.kubernetes.io/component: database
-spec:
-  serviceName: passwordpusher-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: passwordpusher
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: passwordpusher
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: passwordpusher-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: passwordpusher
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d passwordpusher
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
--- a/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
+++ b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: passwordpusher
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://pglombardo.github.io/passwordpusher-charts
-    chart: password-pusher
-    targetRevision: "1.4.4"
-    helm:
-      releaseName: passwordpusher
-      valueFiles:
-      - $values/infra/values/base/passwordpusher-values.yaml
-      - $values/infra/values/upc-dev/passwordpusher-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- postgresql.yaml
- vaultwarden-db-secret-sealed.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
@@ -1,98 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  type: ClusterIP
-  ports:
-  - name: tcp-postgresql
-    port: 5432
-    targetPort: tcp-postgresql
-  selector:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: vaultwarden-postgresql
-  namespace: vaultwarden
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: vaultwarden
-    app.kubernetes.io/component: database
-spec:
-  serviceName: vaultwarden-postgresql
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: postgresql
-      app.kubernetes.io/instance: vaultwarden
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: postgresql
-        app.kubernetes.io/instance: vaultwarden
-        app.kubernetes.io/component: database
-    spec:
-      containers:
-      - name: postgresql
-        image: postgres:16-alpine
-        ports:
-        - name: tcp-postgresql
-          containerPort: 5432
-        env:
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgusername
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: prod-db-creds
-              key: pgpassword
-        - name: POSTGRES_DB
-          value: vaultwarden
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/postgresql/data
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 30
-          periodSeconds: 10
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
-          initialDelaySeconds: 5
-          periodSeconds: 5
-        resources:
-          requests:
-            cpu: 100m
-            memory: 256Mi
-          limits:
-            cpu: 500m
-            memory: 512Mi
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
@@ -1,20 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: prod-db-creds
-  namespace: vaultwarden
-spec:
-  encryptedData:
-    DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
-    SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
-    SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
-    adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
-    pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
-    pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
-  template:
-    metadata:
-      creationTimestamp: null
-      name: prod-db-creds
-      namespace: vaultwarden
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vaultwarden
---
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: vaultwarden-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vaultwarden
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-vaultwarden
-  namespace: vaultwarden
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "vaultwarden",
-      "name": "Vaultwarden",
-      "redirectUris": ["https://vaultwarden.forteapps.net/*"],
-      "webOrigins": ["https://vaultwarden.forteapps.net"],
-      "protocolMappers": [],
-      "secret": {
-        "namespace": "vaultwarden",
-        "name": "vaultwarden-oidc-credentials",
-        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
-      }
-    }
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vaultwarden.yaml
- keycloak-client-config.yaml
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -41,7 +41,6 @@ gitea:
    oauth2:
      ENABLED: true
      ENABLE_AUTO_REGISTRATION: true
-      ACCOUNT_LINKING: auto
      USERNAME: email

    session:
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -58,9 +58,6 @@ keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
-  extraEnvVars:
-  - name: IMPORT_MANAGED_PROTOCOL_MAPPER
-    value: "no-delete"
  configuration:
    forte-realm.json: |
      {
@@ -104,18 +101,6 @@ keycloakConfigCli:
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
-              },
-              {
-                "name": "groups",
-                "protocol": "openid-connect",
-                "protocolMapper": "oidc-group-membership-mapper",
-                "config": {
-                  "claim.name": "groups",
-                  "full.path": "false",
-                  "id.token.claim": "true",
-                  "access.token.claim": "true",
-                  "userinfo.token.claim": "true"
-                }
              }
            ]
          },
@@ -188,54 +173,7 @@ keycloakConfigCli:
            ]
          }
        ],
-        "browserFlow": "browser-auto-idp",
-        "authenticationFlows": [
-          {
-            "alias": "browser-auto-idp",
-            "description": "Browser flow with auto-redirect to Forte Entra IdP",
-            "providerId": "basic-flow",
-            "topLevel": true,
-            "builtIn": false,
-            "authenticationExecutions": [
-              {
-                "authenticator": "auth-cookie",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 10
-              },
-              {
-                "authenticator": "identity-provider-redirector",
-                "authenticatorFlow": false,
-                "requirement": "ALTERNATIVE",
-                "priority": 20,
-                "authenticatorConfig": "forte-entra-redirector"
-              }
-            ]
-          }
-        ],
-        "authenticatorConfig": [
-          {
-            "alias": "forte-entra-redirector",
-            "config": {
-              "defaultProvider": "forte-entra"
-            }
-          }
-        ],
        "groups": [
-          {
-            "name": "k8s",
-            "path": "/k8s",
-            "clientRoles": {
-              "grafana": ["Editor"]
-            }
-          },
-          {
-            "name": "dev",
-            "path": "/dev",
-            "clientRoles": {
-              "grafana": ["Viewer"]
-            }
-          },
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
@@ -321,7 +259,7 @@ extraDeploy:
                ADMIN_PASS=$(cat /secrets/admin-password)

                echo "Authenticating to Keycloak..."
-                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+                TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
@@ -338,7 +276,7 @@ extraDeploy:
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
-                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  code=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
@@ -347,7 +285,7 @@ extraDeploy:
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
-                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    code=$(curl -s -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
@@ -394,7 +332,7 @@ extraDeploy:

                  # Get the client secret from Keycloak
                  local secret_value
-                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                  secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')

@@ -409,7 +347,7 @@ extraDeploy:

                  # Write to target namespace (if it exists)
                  local ns_status
-                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -433,12 +371,12 @@ extraDeploy:
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
-                  curl -sf -o /dev/null \
+                  curl -s -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
-                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
                }

                # =============================================
@@ -446,7 +384,7 @@ extraDeploy:
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="

-                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")

                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -471,7 +409,7 @@ extraDeploy:
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="

-                CONFIG_SECRETS=$(curl -sf \
+                CONFIG_SECRETS=$(curl -s \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -492,6 +430,10 @@ extraDeploy:
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)

                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
+                  if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
+                    echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
+                    continue
+                  fi
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"

                  # Compute config hash for change detection
@@ -508,7 +450,7 @@ extraDeploy:
                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
-                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
+                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")

                  # Skip if hash matches and credential Secret exists
                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
@@ -529,46 +471,68 @@ extraDeploy:
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
                    protocolMappers: (.protocolMappers // [])
-                  } | with_entries(select(.value != null))')
+                  } + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end')

                  # Check if client already exists
-                  EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
-                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
-                  EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
+                  EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                    | jq -r '.[0].id // empty')

                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
-                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    RESPONSE=$(curl -s -w "\n%{http_code}" \
+                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
-                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                    if [ "$HTTP_CODE" != "201" ]; then
-                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
+                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    # Fetch the newly created client's UUID
                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
-                      | jq -r '.[0].id' || true)
+                      | jq -r '.[0].id')
+                  fi
+
+                  # Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
+                  REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
+                  if [ -n "$REQUESTED_SCOPES" ]; then
+                    # Fetch all realm client scopes once
+                    ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
+
+                    echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
+                      [ -z "$SCOPE_NAME" ] && continue
+                      SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
+                      if [ -z "$SCOPE_ID" ]; then
+                        echo "  WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
+                        continue
+                      fi
+                      SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                        -H "Authorization: Bearer ${TOKEN}" \
+                        -X PUT \
+                        "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
+                      if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
+                        echo "  Assigned scope '${SCOPE_NAME}'"
+                      else
+                        echo "  WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
+                      fi
+                    done
                  fi

                  # Sync credentials to target namespace
--- a/infra/values/base/passwordpusher-values.yaml
+++ b/infra/values/base/passwordpusher-values.yaml
@@ -1,7 +0,0 @@
-image:
-  repository: docker.io/pglombardo/pwpush
-  tag: "release-1.51.0"
-
-# Disable the bundled postgresql subchart — we run our own StatefulSet
-postgresql:
-  enabled: false
--- a/infra/values/base/vault-secrets-operator-values.yaml
+++ b/infra/values/base/vault-secrets-operator-values.yaml
@@ -0,0 +1,19 @@
+# Vault Secrets Operator Helm values
+# Docs: https://developer.hashicorp.com/vault/docs/platform/k8s/vso
+
+# Default Vault connection — used by VaultAuth CRDs that don't specify one
+defaultVaultConnection:
+  enabled: true
+  address: http://vault.vault.svc.cluster.local:8200
+
+# Default auth method — Kubernetes auth
+defaultAuthMethod:
+  enabled: true
+  namespace: ""
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: vso-operator
+    serviceAccount: default
+    audiences:
+    - vault
--- a/infra/values/base/vaultwarden-values.yaml
+++ b/infra/values/base/vaultwarden-values.yaml
@@ -1,3 +0,0 @@
-image:
-  tag: "1.36.0-alpine"
-domain: "https://vaultwarden.forteapps.net"
--- a/infra/values/upc-dev/keycloak-values.yaml
+++ b/infra/values/upc-dev/keycloak-values.yaml
@@ -1,2 +1,108 @@
 ingress:
  hostname: id.forteapps.net
+
+keycloakConfigCli:
+  enabled: true
+  extraEnvVars:
+    - name: IMPORT_VAR_SUBSTITUTION_ENABLED
+      value: "true"
+    - name: MS_IDP_CLIENT_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: microsoft-idp-credentials
+          key: MS_IDP_CLIENT_SECRET
+  configuration:
+    microsoft-idp.json: |
+      {
+        "realm": "forte",
+        "authenticationFlows": [
+          {
+            "alias": "auto-link-first-broker-login",
+            "description": "Auto-link IdP accounts to existing users by email",
+            "providerId": "basic-flow",
+            "topLevel": true,
+            "builtIn": false,
+            "authenticationExecutions": [
+              {
+                "authenticator": "idp-create-user-if-unique",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 10
+              },
+              {
+                "authenticator": "idp-auto-link",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 20
+              }
+            ]
+          }
+        ],
+        "identityProviders": [
+          {
+            "alias": "forte-entra",
+            "displayName": "Forte Entra",
+            "providerId": "microsoft",
+            "enabled": true,
+            "trustEmail": true,
+            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
+            "config": {
+              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
+              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
+              "defaultScope": "openid email profile",
+              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
+              "syncMode": "IMPORT"
+            }
+          },
+          {
+            "alias": "forte-entra-graph",
+            "displayName": "Forte Entra (Graph)",
+            "providerId": "microsoft",
+            "enabled": true,
+            "storeToken": true,
+            "trustEmail": true,
+            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
+            "config": {
+              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
+              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
+              "defaultScope": "openid email profile User.Read Mail.Send",
+              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
+              "syncMode": "IMPORT"
+            }
+          }
+        ],
+        "identityProviderMappers": [
+          {
+            "name": "forte-entra-email",
+            "identityProviderAlias": "forte-entra",
+            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+            "config": {
+              "syncMode": "INHERIT",
+              "attribute": "emailVerified",
+              "attribute.value": "true"
+            }
+          },
+          {
+            "name": "forte-entra-graph-email",
+            "identityProviderAlias": "forte-entra-graph",
+            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+            "config": {
+              "syncMode": "INHERIT",
+              "attribute": "emailVerified",
+              "attribute.value": "true"
+            }
+          }
+        ],
+        "roles": {
+          "realm": [
+            {
+              "name": "default-roles-forte",
+              "composites": {
+                "client": {
+                  "broker": ["read-token"]
+                }
+              }
+            }
+          ]
+        }
+      }
--- a/infra/values/upc-dev/passwordpusher-values.yaml
+++ b/infra/values/upc-dev/passwordpusher-values.yaml
@@ -1,50 +0,0 @@
-env:
-  PWP__HOST_DOMAIN: pwpush.forteapps.net
-  PWP__HOST_PROTOCOL: https
-  PWP__ENABLE_LOGINS: "true"
-  PWP__ALLOW_ANONYMOUS: "false"
-  PWP__SIGNUPS_ENABLED: "false"
-  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
-  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
-  PWP__MAIL_SMTP_PORT: "587"
-  PWP__MAIL_SMTP_AUTHENTICATION: login
-  PWP__MAIL_SMTP_STARTTLS: "true"
-  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
-  PWP__MAIL_SENDER: noreply@fortedigital.com
-
-envFrom:
- secretRef:
-    name: passwordpusher-db-creds
- secretRef:
-    name: passwordpusher-smtp-creds
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "PasswordPusher"
-    gethomepage.dev/description: "Share passwords securely with expiring links"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "passwordpusher"
-    gethomepage.dev/href: "https://pwpush.forteapps.net"
-  hosts:
-  - host: pwpush.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: passwordpusher-tls
-    hosts:
-    - pwpush.forteapps.net
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 256Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-replicaCount: 1
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -1,82 +0,0 @@
-adminToken:
-  existingSecret: "prod-db-creds"
-  existingSecretKey: "adminToken"
-domain: "https://vaultwarden.forteapps.net"
-signupsAllowed: false
-resourceType: StatefulSet
-database:
-  type: postgresql
-  host: vaultwarden-postgresql
-  port: "5432"
-  dbName: vaultwarden
-  existingSecret: prod-db-creds
-  existingSecretKey: DATABASE_URL
-  existingSecretUserKey: pgusername
-  existingSecretPasswordKey: pgpassword
-ingress:
-  enabled: true
-  class: "traefik"
-  tls: true
-  tlsSecret: vaultwarden-tls
-  hostname: vaultwarden.forteapps.net
-  additionalAnnotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "VaultWarden"
-    gethomepage.dev/description: "Password management"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "vaultwarden"
-    gethomepage.dev/href: "https://vaultwarden.forteapps.net"
-
-replicas: 1
-# Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs
-
-service:
-  sessionAffinity: ClientIP
-  sessionAffinityConfig:
-    clientIP:
-      timeoutSeconds: 10800
-
-smtp:
-  host: smtp.office365.com
-  security: starttls
-  port: 587
-  authMechanism: "Login"
-  from: noreply@fortedigital.com
-  fromName: "Forte Bitwarden Administrator"
-  debug: true
-  existingSecret: prod-db-creds
-  username:
-    existingSecretKey: SMTP_USERNAME
-  password:
-    existingSecretKey: SMTP_PASSWORD
-
-storage:
-  data:
-    name: "vaultwarden-data"
-    size: "5Gi"
-    class: ""
-    path: "/data"
-    keepPvc: true
-    accessMode: "ReadWriteOnce"
-
-  attachments:
-    name: "vaultwarden-files"
-    size: "5Gi"
-    class: ""
-    path: /files
-    keepPvc: true
-    accessMode: "ReadWriteOnce"
-
-sso:
-  enabled: true
-  existingSecret: vaultwarden-oidc-credentials
-  authority: "https://id.forteapps.net/realms/forte"
-  scopes: "email profile"
-  onlySSO: true
-  pkce: true
-  signupsMatchEmail: true
-  clientId:
-    existingSecretKey: client-id
-  clientSecret:
-    existingSecretKey: client-secret
--- a/scripts/seed-vault-from-cluster.sh
+++ b/scripts/seed-vault-from-cluster.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# seed-vault-from-cluster.sh — Read existing K8s Secrets and write to Vault KV
+#
+# Prerequisites:
+#   - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
+#   - kubectl access to the cluster
+#   - KV v2 engine at kv/
+#
+# Usage: ./scripts/seed-vault-from-cluster.sh
+#
+# This reads plaintext values from existing K8s Secrets and writes them
+# to Vault KV v2 at kv/{namespace}/{secret-name}.
+
+set -euo pipefail
+
+echo "=== Seeding Vault KV from existing K8s Secrets ==="
+echo ""
+
+# Helper: read a K8s secret and write all keys to Vault KV
+seed_secret() {
+  local ns="$1"
+  local secret_name="$2"
+  local vault_path="kv/${ns}/${secret_name}"
+
+  echo "--- ${ns}/${secret_name} → ${vault_path} ---"
+
+  # Get all keys from the secret
+  local keys
+  keys=$(kubectl get secret "${secret_name}" -n "${ns}" -o json 2>/dev/null | \
+    jq -r '.data // {} | keys[]' 2>/dev/null) || {
+    echo "  SKIP: secret not found in cluster"
+    echo ""
+    return
+  }
+
+  if [ -z "${keys}" ]; then
+    echo "  SKIP: no data keys"
+    echo ""
+    return
+  fi
+
+  # Build vault kv put arguments
+  local args=()
+  for key in ${keys}; do
+    local value
+    value=$(kubectl get secret "${secret_name}" -n "${ns}" -o jsonpath="{.data.${key}}" | base64 -d)
+    args+=("${key}=${value}")
+  done
+
+  vault kv put "${vault_path}" "${args[@]}"
+  echo "  OK: $(echo "${keys}" | wc -w | tr -d ' ') keys written"
+  echo ""
+}
+
+# --- Homepage ---
+seed_secret homepage homepage-widget-credentials
+
+# --- Renovate ---
+seed_secret renovate renovate-env
+
+# --- Gitea ---
+seed_secret gitea gitea-credentials
+seed_secret gitea gitea-backup-s3
+seed_secret gitea gitea-smtp-secret
+seed_secret gitea gitea-runner-token
+
+# --- Keycloak ---
+seed_secret keycloak keycloak-credentials
+seed_secret keycloak microsoft-idp-credentials
+
+# --- ArgoCD ---
+seed_secret argocd forte-helm-repo
+seed_secret argocd forte10x-repo-creds
+seed_secret argocd mcp10x-repo-creds
+seed_secret argocd argocd-notifications-secret
+
+# --- Application secrets ---
+seed_secret mcp10x app-credentials
+seed_secret ts-mcp ts-mcp-secrets
+seed_secret argocd-mcp auth-oidc
+seed_secret argocd-mcp argocd-mcp-credentials
+seed_secret dot-ai dot-ai-secrets
+seed_secret music-man musicman-credentials
+
+echo "=== Done. Verify with: vault kv list kv/{namespace} ==="
--- a/scripts/vault-setup-policies.sh
+++ b/scripts/vault-setup-policies.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# vault-setup-policies.sh — Create Vault policies + Kubernetes auth roles for VSO
+#
+# Prerequisites:
+#   - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
+#   - Kubernetes auth method enabled at auth/kubernetes/
+#   - KV v2 secrets engine at kv/
+#
+# Usage: ./scripts/vault-setup-policies.sh
+
+set -euo pipefail
+
+echo "=== Vault Secrets Operator — Policy & Auth Role Setup ==="
+echo ""
+
+# All namespaces that have secrets to migrate
+NAMESPACES=(
+  argocd
+  gitea
+  keycloak
+  renovate
+  homepage
+  argocd-mcp
+  mcp10x
+  ts-mcp
+  dot-ai
+  music-man
+  vault-secrets-operator-system
+)
+
+# --- Per-namespace policies and auth roles ---
+
+for NS in "${NAMESPACES[@]}"; do
+  echo "--- Namespace: ${NS} ---"
+
+  # Create read-only policy for this namespace's secrets
+  echo "  Creating policy: ns-${NS}"
+  vault policy write "ns-${NS}" - <<EOF
+path "kv/data/${NS}/*" {
+  capabilities = ["read"]
+}
+path "kv/metadata/${NS}/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+
+  # Create Kubernetes auth role bound to namespace-specific ServiceAccount
+  echo "  Creating auth role: ns-${NS}"
+  vault write "auth/kubernetes/role/ns-${NS}" \
+    bound_service_account_names="vault-auth-${NS}" \
+    bound_service_account_namespaces="${NS}" \
+    policies="ns-${NS}" \
+    audience="vault" \
+    ttl="1h"
+
+  echo ""
+done
+
+# --- VSO operator role (broad read for default auth method) ---
+
+echo "--- VSO Operator Role ---"
+echo "  Creating policy: vso-operator"
+vault policy write vso-operator - <<EOF
+path "kv/data/*" {
+  capabilities = ["read"]
+}
+path "kv/metadata/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+
+echo "  Creating auth role: vso-operator"
+vault write auth/kubernetes/role/vso-operator \
+  bound_service_account_names="vault-secrets-operator" \
+  bound_service_account_namespaces="vault-secrets-operator-system" \
+  policies="vso-operator" \
+  audience="vault" \
+  ttl="1h"
+
+echo ""
+echo "=== Done. All ${#NAMESPACES[@]} namespace policies + auth roles created. ==="
Author	SHA1	Message	Date
Danijel Simeunovic	73376a0a7d	vault migration	2026-04-30 22:38:33 +02:00
Danijel Simeunovic	2e09a2d404	ign diff	2026-04-30 19:08:24 +02:00
Danijel Simeunovic	9e9254a466	auto flow	2026-04-30 18:24:34 +02:00
Danijel Simeunovic	539217c3f2	subst	2026-04-30 18:16:25 +02:00
Danijel Simeunovic	80cf435486	test2	2026-04-30 18:11:48 +02:00
Danijel Simeunovic	0d7980d105	env secret	2026-04-30 18:05:09 +02:00
Danijel Simeunovic	f280596ddb	debug	2026-04-30 18:00:08 +02:00
Danijel Simeunovic	65dc795cd6	idp hint	2026-04-30 15:50:23 +02:00
Danijel Simeunovic	237dc0ff90	new idp	2026-04-30 15:34:58 +02:00
Danijel Simeunovic	788cc8f4f4	tenantId	2026-04-30 15:19:37 +02:00
Danijel Simeunovic	4def4d2ed7	cli enable	2026-04-30 15:08:20 +02:00
Danijel Simeunovic	7d1e2d4665	broker alias	2026-04-30 14:49:38 +02:00
Danijel Simeunovic	417185d567	idp auto config Co-authored-by: Copilot <copilot@github.com>	2026-04-30 14:37:13 +02:00
Danijel Simeunovic	03e60a3512	kc syncer	2026-04-30 11:45:30 +02:00
Danijel Simeunovic	2135580210	kc script	2026-04-29 14:42:27 +02:00
Danijel Simeunovic	37a38a1179	feedback app Co-authored-by: Copilot <copilot@github.com>	2026-04-29 14:22:02 +02:00