Merge branch 'main' of https://git.forteapps.net/Forte/launchpad into feature/dns01

@thomas.solbjor her er "import" av tofu fra ditt repo med justeringer for å tilpasse patterns her. Også minimalisert til å kun opprette cluster, ingen managed services som postgres etc. Ta en titt.

Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Reviewed-on: #15
Reviewed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Co-authored-by: Ghost <>
Co-committed-by: Ghost <>

.gitignore

@@ -15,4 +15,12 @@ CLAUDE.md
 devbox.d/
 devbox.lock
 .devbox/
-bash.exe.stackdump
+bash.exe.stackdump
+
+# OpenTofu
+.tofu/configs/*.env
+.tofu/scripts/*.config
+.tofu/platforms/**/.terraform/
+.tofu/platforms/**/terraform.tfstate*
+.tofu/platforms/**/tfplan
+.tofu/platforms/**/.terraform.lock.hcl

.tofu/configs/aks.env.example

@@ -0,0 +1,9 @@
+# Azure AKS credentials — copy to aks.env and fill in values
+# NEVER commit aks.env to git!
+
+# Required
+AZURE_TENANT_ID=your-azure-tenant-id
+AZURE_SUBSCRIPTION_ID=your-azure-subscription-id
+
+# Optional — defaults to cluster name if not set
+ARM_RESOURCE_GROUP=

.tofu/configs/eks.env.example

@@ -0,0 +1,10 @@
+# AWS EKS credentials — copy to eks.env and fill in values
+# NEVER commit eks.env to git!
+
+# Required — AWS CLI profile or access key
+AWS_PROFILE=default
+AWS_REGION=eu-west-1
+
+# Optional — override with explicit keys instead of profile
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=

.tofu/configs/gke.env.example

@@ -0,0 +1,9 @@
+# GCP GKE credentials — copy to gke.env and fill in values
+# NEVER commit gke.env to git!
+
+# Required
+GCP_PROJECT_ID=your-gcp-project-id
+GCP_REGION=europe-west4
+
+# Optional — path to service account JSON key (if not using gcloud auth)
+# GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa-key.json

.tofu/configs/upc.env.example

@@ -0,0 +1,8 @@
+# UpCloud credentials — copy to upc.env and fill in values
+# NEVER commit upc.env to git!
+
+# Required
+UPCLOUD_TOKEN=your-upcloud-api-token
+
+# Optional — set after cluster creation for kubeconfig retrieval
+UPCLOUD_CLUSTER_ID=

.tofu/platforms/aks/dev/main.tf

@@ -0,0 +1,18 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  prefix              = "clst-dev"
+  location            = "norwayeast"
+  resource_group_name = "clst-dev-rg"
+
+  # AKS — small dev nodes
+  aks_node_vm_size = "Standard_B2s"
+  aks_node_count   = 2
+
+  enable_delete_lock = false
+
+  tags = {
+    Environment = "dev"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/aks/dev/outputs.tf

@@ -0,0 +1,26 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_name" {
+  value = module.cluster.cluster_name
+}
+
+output "resource_group_name" {
+  value = module.cluster.resource_group_name
+}
+
+output "kubernetes_version" {
+  value = module.cluster.kubernetes_version
+}
+
+output "location" {
+  value = module.cluster.location
+}
+
+output "oidc_issuer_url" {
+  value = module.cluster.oidc_issuer_url
+}
+
+output "kubeconfig" {
+  value     = module.cluster.kubeconfig
+  sensitive = true
+}

.tofu/platforms/aks/dev/providers.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  # Credentials via environment variables:
+  #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
+  # Or: az login (uses your Azure CLI session)
+}

.tofu/platforms/aks/modules/cluster/main.tf

@@ -0,0 +1,72 @@
+# Current Azure/Entra ID context — provides tenant_id used in outputs
+data "azurerm_client_config" "current" {}
+
+# ─── Resource Group ───────────────────────────────────────────────────
+
+resource "azurerm_resource_group" "main" {
+  name     = var.resource_group_name
+  location = var.location
+  tags     = var.tags
+}
+
+resource "azurerm_management_lock" "main" {
+  count      = var.enable_delete_lock ? 1 : 0
+  name       = "${var.prefix}-delete-lock"
+  scope      = azurerm_resource_group.main.id
+  lock_level = "CanNotDelete"
+  notes      = "Prevents accidental deletion of production resources"
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "azurerm_virtual_network" "main" {
+  name                = "${var.prefix}-vnet"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  address_space       = [var.vnet_address_space]
+  tags                = var.tags
+}
+
+# AKS nodes subnet
+resource "azurerm_subnet" "aks" {
+  name                 = "${var.prefix}-aks-subnet"
+  resource_group_name  = azurerm_resource_group.main.name
+  virtual_network_name = azurerm_virtual_network.main.name
+  address_prefixes     = [var.aks_subnet_cidr]
+}
+
+# ─── AKS Cluster ──────────────────────────────────────────────────────
+
+resource "azurerm_kubernetes_cluster" "main" {
+  name                = "${var.prefix}-aks"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  dns_prefix          = replace(var.prefix, "-", "")
+  kubernetes_version  = var.aks_kubernetes_version
+  tags                = var.tags
+
+  default_node_pool {
+    name           = "system"
+    node_count     = var.aks_node_count
+    vm_size        = var.aks_node_vm_size
+    vnet_subnet_id = azurerm_subnet.aks.id
+    node_labels = {
+      prefix = var.prefix
+      role   = "worker"
+      env    = lookup(var.tags, "Environment", "dev")
+    }
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  network_profile {
+    network_plugin = "azure"
+    network_policy = "azure"
+  }
+
+  # Enable Workload Identity for keyless Azure service access (MSI)
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+}

.tofu/platforms/aks/modules/cluster/outputs.tf

@@ -0,0 +1,32 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_name" {
+  description = "AKS cluster name"
+  value       = azurerm_kubernetes_cluster.main.name
+}
+
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = azurerm_resource_group.main.name
+}
+
+output "kubernetes_version" {
+  description = "Kubernetes version"
+  value       = azurerm_kubernetes_cluster.main.kubernetes_version
+}
+
+output "location" {
+  description = "Azure region"
+  value       = azurerm_resource_group.main.location
+}
+
+output "oidc_issuer_url" {
+  description = "AKS OIDC issuer URL (for workload identity federation)"
+  value       = azurerm_kubernetes_cluster.main.oidc_issuer_url
+}
+
+output "kubeconfig" {
+  description = "Kubeconfig for the AKS cluster"
+  value       = azurerm_kubernetes_cluster.main.kube_config_raw
+  sensitive   = true
+}

.tofu/platforms/aks/modules/cluster/providers.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}

.tofu/platforms/aks/modules/cluster/variables.tf

@@ -0,0 +1,56 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+}
+
+variable "location" {
+  description = "Azure region (e.g., norwayeast, westeurope, northeurope)"
+  type        = string
+}
+
+variable "resource_group_name" {
+  description = "Name of the Azure Resource Group to create"
+  type        = string
+}
+
+variable "vnet_address_space" {
+  description = "Address space for the virtual network"
+  type        = string
+  default     = "10.100.0.0/16"
+}
+
+variable "aks_subnet_cidr" {
+  description = "CIDR block for the AKS node subnet"
+  type        = string
+  default     = "10.100.0.0/22"
+}
+
+variable "aks_node_vm_size" {
+  description = "VM size for AKS worker nodes (e.g., Standard_B2s, Standard_D4s_v3)"
+  type        = string
+}
+
+variable "aks_node_count" {
+  description = "Number of AKS worker nodes"
+  type        = number
+}
+
+variable "aks_kubernetes_version" {
+  description = "Kubernetes version for AKS (null = latest stable)"
+  type        = string
+  default     = null
+}
+
+variable "enable_delete_lock" {
+  description = "Protect the resource group from accidental deletion"
+  type        = bool
+  default     = false
+}
+
+variable "tags" {
+  description = "Tags applied to all resources"
+  type        = map(string)
+  default     = {}
+}

.tofu/platforms/aks/prod/main.tf

@@ -0,0 +1,18 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  prefix              = "clst"
+  location            = "westeurope"
+  resource_group_name = "clst-prod-rg"
+
+  # AKS — general-purpose nodes for production
+  aks_node_vm_size = "Standard_D4s_v3"
+  aks_node_count   = 3
+
+  enable_delete_lock = true
+
+  tags = {
+    Environment = "prod"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/aks/prod/outputs.tf

@@ -0,0 +1,26 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_name" {
+  value = module.cluster.cluster_name
+}
+
+output "resource_group_name" {
+  value = module.cluster.resource_group_name
+}
+
+output "kubernetes_version" {
+  value = module.cluster.kubernetes_version
+}
+
+output "location" {
+  value = module.cluster.location
+}
+
+output "oidc_issuer_url" {
+  value = module.cluster.oidc_issuer_url
+}
+
+output "kubeconfig" {
+  value     = module.cluster.kubeconfig
+  sensitive = true
+}

.tofu/platforms/aks/prod/providers.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  # Credentials via environment variables:
+  #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
+  # Or: az login (uses your Azure CLI session)
+}

.tofu/platforms/aks/workload/main.tf

@@ -0,0 +1,173 @@
+# =============================================================================
+# Azure Workload Cluster
+# =============================================================================
+# A lean AKS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env azure-workload
+#   ./deploy-workload.sh --env azure-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names (e.g., clst-workload)"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "location" {
+  description = "Azure region"
+  type        = string
+  default     = "norwayeast"
+}
+
+variable "resource_group_name" {
+  description = "Name of the Azure Resource Group to create"
+  type        = string
+  default     = "clst-workload-rg"
+}
+
+variable "vnet_address_space" {
+  description = "Address space for the virtual network"
+  type        = string
+  default     = "10.110.0.0/16"
+}
+
+variable "aks_subnet_cidr" {
+  description = "CIDR block for the AKS node subnet"
+  type        = string
+  default     = "10.110.0.0/22"
+}
+
+variable "aks_node_vm_size" {
+  description = "VM size for AKS worker nodes"
+  type        = string
+  default     = "Standard_B2s"
+}
+
+variable "aks_node_count" {
+  description = "Number of AKS worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "aks_kubernetes_version" {
+  description = "Kubernetes version for AKS (null = latest stable)"
+  type        = string
+  default     = null
+}
+
+variable "domain" {
+  description = "Public domain name — must have an existing Azure DNS zone"
+  type        = string
+}
+
+variable "dns_zone_resource_group" {
+  description = "Resource group containing the Azure DNS zone (defaults to cluster RG)"
+  type        = string
+  default     = ""
+}
+
+variable "tags" {
+  description = "Tags applied to all resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
+# ─── Resource Group ───────────────────────────────────────────────────
+
+resource "azurerm_resource_group" "main" {
+  name     = var.resource_group_name
+  location = var.location
+  tags     = var.tags
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "azurerm_virtual_network" "main" {
+  name                = "${var.prefix}-vnet"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  address_space       = [var.vnet_address_space]
+  tags                = var.tags
+}
+
+resource "azurerm_subnet" "aks" {
+  name                 = "${var.prefix}-aks-subnet"
+  resource_group_name  = azurerm_resource_group.main.name
+  virtual_network_name = azurerm_virtual_network.main.name
+  address_prefixes     = [var.aks_subnet_cidr]
+}
+
+# ─── AKS Cluster ──────────────────────────────────────────────────────
+
+resource "azurerm_kubernetes_cluster" "main" {
+  name                = "${var.prefix}-aks"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  dns_prefix          = replace(var.prefix, "-", "")
+  kubernetes_version  = var.aks_kubernetes_version
+  tags                = var.tags
+
+  default_node_pool {
+    name           = "system"
+    node_count     = var.aks_node_count
+    vm_size        = var.aks_node_vm_size
+    vnet_subnet_id = azurerm_subnet.aks.id
+    node_labels = {
+      prefix = var.prefix
+      role   = "worker"
+      env    = lookup(var.tags, "Environment", "workload")
+    }
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  network_profile {
+    network_plugin = "azure"
+    network_policy = "azure"
+  }
+
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+}
+
+# ─── External-DNS Workload Identity ──────────────────────────────────
+# Allows external-dns to manage Azure DNS records for app ingresses.
+
+data "azurerm_dns_zone" "main" {
+  name                = var.domain
+  resource_group_name = var.dns_zone_resource_group != "" ? var.dns_zone_resource_group : azurerm_resource_group.main.name
+}
+
+resource "azurerm_user_assigned_identity" "external_dns" {
+  name                = "${var.prefix}-external-dns-identity"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  tags                = var.tags
+}
+
+resource "azurerm_role_assignment" "external_dns_dns_contributor" {
+  scope                = data.azurerm_dns_zone.main.id
+  role_definition_name = "DNS Zone Contributor"
+  principal_id         = azurerm_user_assigned_identity.external_dns.principal_id
+}
+
+resource "azurerm_federated_identity_credential" "external_dns" {
+  name                = "${var.prefix}-external-dns-fedcred"
+  resource_group_name = azurerm_resource_group.main.name
+  parent_id           = azurerm_user_assigned_identity.external_dns.id
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = azurerm_kubernetes_cluster.main.oidc_issuer_url
+  subject             = "system:serviceaccount:external-dns:external-dns"
+}

.tofu/platforms/aks/workload/outputs.tf

@@ -0,0 +1,4 @@
+output "cluster_name"                    { value = azurerm_kubernetes_cluster.main.name }
+output "resource_group_name"             { value = azurerm_resource_group.main.name }
+output "location"                        { value = azurerm_resource_group.main.location }
+output "external_dns_identity_client_id" { value = azurerm_user_assigned_identity.external_dns.client_id }

.tofu/platforms/aks/workload/providers.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  # Credentials via environment variables:
+  #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
+  # Or: az login (uses your Azure CLI session)
+}

.tofu/platforms/eks/dev/main.tf

@@ -0,0 +1,21 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  region = var.region
+  prefix = "clst-dev"
+
+  # VPC
+  availability_zones = ["${var.region}a", "${var.region}b"]
+
+  # EKS — small dev nodes
+  node_instance_type = "t3.medium"
+  node_count         = 2
+  node_min_count     = 1
+  node_max_count     = 4
+  kubernetes_version = "1.30"
+
+  tags = {
+    Environment = "dev"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/eks/dev/outputs.tf

@@ -0,0 +1,5 @@
+output "cluster_name"    { value = module.cluster.cluster_name }
+output "aws_region"      { value = module.cluster.aws_region }
+output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
+output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
+output "vpc_id"          { value = module.cluster.vpc_id }

.tofu/platforms/eks/dev/providers.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+}
+
+# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
+# or configure an AWS profile: export AWS_PROFILE=clst
+provider "aws" {
+  region = var.region
+}
+
+variable "region" {
+  description = "AWS region for dev environment"
+  type        = string
+  default     = "eu-west-1"
+}

.tofu/platforms/eks/modules/cluster/main.tf

@@ -0,0 +1,207 @@
+# ─── VPC ──────────────────────────────────────────────────────────────
+
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
+}
+
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+  tags   = merge(var.tags, { Name = "${var.prefix}-igw" })
+}
+
+# Public subnets (one per AZ) — for NAT gateways and load balancers
+resource "aws_subnet" "public" {
+  count             = length(var.availability_zones)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index)
+  availability_zone = var.availability_zones[count.index]
+
+  map_public_ip_on_launch = true
+
+  tags = merge(var.tags, {
+    Name                                        = "${var.prefix}-public-${count.index + 1}"
+    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
+    "kubernetes.io/role/elb"                    = "1"
+  })
+}
+
+# Private subnets (one per AZ) — for EKS nodes
+resource "aws_subnet" "private" {
+  count             = length(var.availability_zones)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
+  availability_zone = var.availability_zones[count.index]
+
+  tags = merge(var.tags, {
+    Name                                        = "${var.prefix}-private-${count.index + 1}"
+    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
+    "kubernetes.io/role/internal-elb"           = "1"
+  })
+}
+
+# NAT Gateway (single, in first public subnet — use one per AZ for prod HA)
+resource "aws_eip" "nat" {
+  domain = "vpc"
+  tags   = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
+}
+
+resource "aws_nat_gateway" "main" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public[0].id
+  tags          = merge(var.tags, { Name = "${var.prefix}-nat" })
+
+  depends_on = [aws_internet_gateway.main]
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+
+  tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
+}
+
+resource "aws_route_table_association" "public" {
+  count          = length(var.availability_zones)
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main.id
+  }
+
+  tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
+}
+
+resource "aws_route_table_association" "private" {
+  count          = length(var.availability_zones)
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = aws_route_table.private.id
+}
+
+# ─── EKS Cluster ──────────────────────────────────────────────────────
+
+resource "aws_iam_role" "eks_cluster" {
+  name_prefix = "${var.prefix}-eks-cluster-"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "eks.amazonaws.com" }
+    }]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.eks_cluster.name
+}
+
+resource "aws_eks_cluster" "main" {
+  name     = "${var.prefix}-eks"
+  role_arn = aws_iam_role.eks_cluster.arn
+  version  = var.kubernetes_version
+
+  vpc_config {
+    subnet_ids              = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
+    endpoint_private_access = true
+    endpoint_public_access  = true
+  }
+
+  # Enable OIDC issuer for IRSA (IAM Roles for Service Accounts)
+  access_config {
+    authentication_mode = "API_AND_CONFIG_MAP"
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
+}
+
+# OIDC provider — required for IRSA (IAM Roles for Service Accounts)
+data "tls_certificate" "eks" {
+  url = aws_eks_cluster.main.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "eks" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
+  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
+
+  tags = var.tags
+}
+
+# EKS Node Group
+
+resource "aws_iam_role" "eks_nodes" {
+  name_prefix = "${var.prefix}-eks-nodes-"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "ec2.amazonaws.com" }
+    }]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_eks_node_group" "main" {
+  cluster_name    = aws_eks_cluster.main.name
+  node_group_name = "${var.prefix}-nodes"
+  node_role_arn   = aws_iam_role.eks_nodes.arn
+  subnet_ids      = aws_subnet.private[*].id
+
+  instance_types = [var.node_instance_type]
+
+  scaling_config {
+    desired_size = var.node_count
+    max_size     = var.node_max_count
+    min_size     = var.node_min_count
+  }
+
+  update_config {
+    max_unavailable = 1
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    aws_iam_role_policy_attachment.eks_worker_node_policy,
+    aws_iam_role_policy_attachment.eks_cni_policy,
+    aws_iam_role_policy_attachment.eks_ecr_readonly,
+  ]
+}

.tofu/platforms/eks/modules/cluster/outputs.tf

@@ -0,0 +1,26 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_name" {
+  description = "EKS cluster name"
+  value       = aws_eks_cluster.main.name
+}
+
+output "aws_region" {
+  description = "AWS region"
+  value       = var.region
+}
+
+output "oidc_issuer_url" {
+  description = "EKS OIDC issuer URL (for IRSA)"
+  value       = aws_eks_cluster.main.identity[0].oidc[0].issuer
+}
+
+output "oidc_provider_arn" {
+  description = "IAM OIDC provider ARN (for IRSA trust policies)"
+  value       = aws_iam_openid_connect_provider.eks.arn
+}
+
+output "vpc_id" {
+  description = "VPC ID"
+  value       = aws_vpc.main.id
+}

.tofu/platforms/eks/modules/cluster/providers.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+}

.tofu/platforms/eks/modules/cluster/variables.tf

@@ -0,0 +1,61 @@
+# ─── Region ──────────────────────────────────────────────────────────
+
+variable "region" {
+  description = "AWS region (e.g., eu-west-1, us-east-1)"
+  type        = string
+}
+
+variable "prefix" {
+  description = "Prefix for resource names (e.g., clst-dev)"
+  type        = string
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+variable "vpc_cidr" {
+  description = "VPC CIDR block"
+  type        = string
+  default     = "10.100.0.0/16"
+}
+
+variable "availability_zones" {
+  description = "List of AZs for subnets (2–3 recommended)"
+  type        = list(string)
+}
+
+# ─── EKS Cluster ─────────────────────────────────────────────────────
+
+variable "node_instance_type" {
+  description = "EKS node instance type (e.g., t3.medium, m5.xlarge)"
+  type        = string
+}
+
+variable "node_count" {
+  description = "Desired number of EKS worker nodes"
+  type        = number
+}
+
+variable "node_min_count" {
+  description = "Minimum number of EKS worker nodes"
+  type        = number
+  default     = 1
+}
+
+variable "node_max_count" {
+  description = "Maximum number of EKS worker nodes"
+  type        = number
+}
+
+variable "kubernetes_version" {
+  description = "Kubernetes version for EKS (e.g., \"1.30\")"
+  type        = string
+  default     = "1.30"
+}
+
+# ─── Tags ─────────────────────────────────────────────────────────────
+
+variable "tags" {
+  description = "Tags applied to all resources"
+  type        = map(string)
+  default     = {}
+}

.tofu/platforms/eks/prod/main.tf

@@ -0,0 +1,21 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  region = var.region
+  prefix = "clst"
+
+  # VPC
+  availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
+
+  # EKS — general-purpose nodes for production
+  node_instance_type = "m5.xlarge"
+  node_count         = 3
+  node_min_count     = 3
+  node_max_count     = 6
+  kubernetes_version = "1.30"
+
+  tags = {
+    Environment = "prod"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/eks/prod/outputs.tf

@@ -0,0 +1,5 @@
+output "cluster_name"    { value = module.cluster.cluster_name }
+output "aws_region"      { value = module.cluster.aws_region }
+output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
+output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
+output "vpc_id"          { value = module.cluster.vpc_id }

.tofu/platforms/eks/prod/providers.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+variable "region" {
+  description = "AWS region for prod environment"
+  type        = string
+  default     = "eu-west-1"
+}

.tofu/platforms/eks/workload/main.tf

@@ -0,0 +1,339 @@
+# =============================================================================
+# AWS Workload Cluster
+# =============================================================================
+# A lean EKS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env aws-workload
+#   ./deploy-workload.sh --env aws-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names (e.g., clst-workload)"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "availability_zones" {
+  description = "List of AZs for subnets"
+  type        = list(string)
+  default     = ["eu-west-1a", "eu-west-1b"]
+}
+
+variable "vpc_cidr" {
+  description = "VPC CIDR block"
+  type        = string
+  default     = "10.110.0.0/16"
+}
+
+variable "node_instance_type" {
+  description = "EKS node instance type"
+  type        = string
+  default     = "t3.medium"
+}
+
+variable "node_count" {
+  description = "Desired number of EKS worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "node_min_count" {
+  description = "Minimum number of EKS worker nodes"
+  type        = number
+  default     = 1
+}
+
+variable "node_max_count" {
+  description = "Maximum number of EKS worker nodes"
+  type        = number
+  default     = 4
+}
+
+variable "kubernetes_version" {
+  description = "Kubernetes version for EKS"
+  type        = string
+  default     = "1.30"
+}
+
+variable "domain" {
+  description = "Public domain name — must have an existing Route53 hosted zone"
+  type        = string
+}
+
+variable "tags" {
+  description = "Tags applied to all resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
+# ─── VPC ──────────────────────────────────────────────────────────────
+
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
+}
+
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+  tags   = merge(var.tags, { Name = "${var.prefix}-igw" })
+}
+
+resource "aws_subnet" "public" {
+  count             = length(var.availability_zones)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index)
+  availability_zone = var.availability_zones[count.index]
+
+  map_public_ip_on_launch = true
+
+  tags = merge(var.tags, {
+    Name                                        = "${var.prefix}-public-${count.index + 1}"
+    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
+    "kubernetes.io/role/elb"                    = "1"
+  })
+}
+
+resource "aws_subnet" "private" {
+  count             = length(var.availability_zones)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
+  availability_zone = var.availability_zones[count.index]
+
+  tags = merge(var.tags, {
+    Name                                        = "${var.prefix}-private-${count.index + 1}"
+    "kubernetes.io/cluster/${var.prefix}-eks"   = "shared"
+    "kubernetes.io/role/internal-elb"           = "1"
+  })
+}
+
+resource "aws_eip" "nat" {
+  domain = "vpc"
+  tags   = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
+}
+
+resource "aws_nat_gateway" "main" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public[0].id
+  tags          = merge(var.tags, { Name = "${var.prefix}-nat" })
+
+  depends_on = [aws_internet_gateway.main]
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+
+  tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
+}
+
+resource "aws_route_table_association" "public" {
+  count          = length(var.availability_zones)
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main.id
+  }
+
+  tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
+}
+
+resource "aws_route_table_association" "private" {
+  count          = length(var.availability_zones)
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = aws_route_table.private.id
+}
+
+# ─── EKS Cluster ──────────────────────────────────────────────────────
+
+resource "aws_iam_role" "eks_cluster" {
+  name_prefix = "${var.prefix}-eks-cluster-"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "eks.amazonaws.com" }
+    }]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.eks_cluster.name
+}
+
+resource "aws_eks_cluster" "main" {
+  name     = "${var.prefix}-eks"
+  role_arn = aws_iam_role.eks_cluster.arn
+  version  = var.kubernetes_version
+
+  vpc_config {
+    subnet_ids              = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
+    endpoint_private_access = true
+    endpoint_public_access  = true
+  }
+
+  access_config {
+    authentication_mode = "API_AND_CONFIG_MAP"
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
+}
+
+# OIDC provider — required for IRSA
+data "tls_certificate" "eks" {
+  url = aws_eks_cluster.main.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "eks" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
+  url             = aws_eks_cluster.main.identity[0].oidc[0].issuer
+
+  tags = var.tags
+}
+
+resource "aws_iam_role" "eks_nodes" {
+  name_prefix = "${var.prefix}-eks-nodes-"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "ec2.amazonaws.com" }
+    }]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.eks_nodes.name
+}
+
+resource "aws_eks_node_group" "main" {
+  cluster_name    = aws_eks_cluster.main.name
+  node_group_name = "${var.prefix}-nodes"
+  node_role_arn   = aws_iam_role.eks_nodes.arn
+  subnet_ids      = aws_subnet.private[*].id
+
+  instance_types = [var.node_instance_type]
+
+  scaling_config {
+    desired_size = var.node_count
+    max_size     = var.node_max_count
+    min_size     = var.node_min_count
+  }
+
+  update_config {
+    max_unavailable = 1
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    aws_iam_role_policy_attachment.eks_worker_node_policy,
+    aws_iam_role_policy_attachment.eks_cni_policy,
+    aws_iam_role_policy_attachment.eks_ecr_readonly,
+  ]
+}
+
+# ─── External-DNS IRSA ───────────────────────────────────────────────
+# Allows external-dns to manage Route53 records for app ingresses.
+
+data "aws_route53_zone" "main" {
+  name         = var.domain
+  private_zone = false
+}
+
+data "aws_iam_policy_document" "external_dns_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.eks.arn]
+    }
+
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:external-dns:external-dns"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "external_dns_irsa" {
+  name_prefix        = "${var.prefix}-external-dns-irsa-"
+  assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "external_dns_route53" {
+  statement {
+    effect    = "Allow"
+    actions   = ["route53:ChangeResourceRecordSets"]
+    resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role_policy" "external_dns_route53" {
+  name_prefix = "${var.prefix}-external-dns-route53-"
+  role        = aws_iam_role.external_dns_irsa.id
+  policy      = data.aws_iam_policy_document.external_dns_route53.json
+}

.tofu/platforms/eks/workload/outputs.tf

@@ -0,0 +1,3 @@
+output "cluster_name"              { value = aws_eks_cluster.main.name }
+output "aws_region"                { value = var.region }
+output "external_dns_irsa_role_arn" { value = aws_iam_role.external_dns_irsa.arn }

.tofu/platforms/eks/workload/providers.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+}
+
+# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
+# or configure an AWS profile: export AWS_PROFILE=clst
+provider "aws" {
+  region = var.region
+}
+
+variable "region" {
+  description = "AWS region for the workload environment"
+  type        = string
+  default     = "eu-west-1"
+}

.tofu/platforms/gke/dev/main.tf

@@ -0,0 +1,17 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  project_id = var.project_id
+  region     = var.region
+  prefix     = "clst-dev"
+
+  # GKE — small dev nodes
+  node_machine_type   = "e2-standard-2"
+  node_count          = 2
+  deletion_protection = false
+
+  labels = {
+    environment = "dev"
+    managed-by  = "tofu"
+  }
+}

.tofu/platforms/gke/dev/outputs.tf

@@ -0,0 +1,3 @@
+output "cluster_name" { value = module.cluster.cluster_name }
+output "project_id"   { value = module.cluster.project_id }
+output "region"       { value = module.cluster.region }

.tofu/platforms/gke/dev/providers.tf

@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Authentication: use Application Default Credentials (gcloud auth application-default login)
+# or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+variable "project_id" {
+  description = "GCP project ID for the dev environment"
+  type        = string
+}
+
+variable "region" {
+  description = "GCP region"
+  type        = string
+  default     = "europe-west4"
+}

.tofu/platforms/gke/modules/cluster/main.tf

@@ -0,0 +1,115 @@
+# ─── Required APIs ────────────────────────────────────────────────────
+
+resource "google_project_service" "compute" {
+  project            = var.project_id
+  service            = "compute.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "container" {
+  project            = var.project_id
+  service            = "container.googleapis.com"
+  disable_on_destroy = false
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "google_compute_network" "main" {
+  project                 = var.project_id
+  name                    = "${var.prefix}-vpc"
+  auto_create_subnetworks = false
+
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_subnetwork" "main" {
+  project       = var.project_id
+  name          = "${var.prefix}-subnet"
+  ip_cidr_range = "10.100.0.0/22"
+  region        = var.region
+  network       = google_compute_network.main.id
+
+  # Secondary ranges required for GKE VPC-native cluster
+  secondary_ip_range {
+    range_name    = "pods"
+    ip_cidr_range = "10.200.0.0/14" # /14 = ~262k pod IPs
+  }
+
+  secondary_ip_range {
+    range_name    = "services"
+    ip_cidr_range = "10.204.0.0/20" # /20 = ~4k service IPs
+  }
+}
+
+# ─── GKE Cluster ──────────────────────────────────────────────────────
+#
+# Regional cluster (3 control-plane replicas) for HA.
+# Workload Identity enabled — allows K8s service accounts to impersonate
+# Google Service Accounts for keyless access to GCP services.
+
+resource "google_container_cluster" "main" {
+  project  = var.project_id
+  name     = "${var.prefix}-gke"
+  location = var.region # regional cluster
+
+  network    = google_compute_network.main.id
+  subnetwork = google_compute_subnetwork.main.id
+
+  # VPC-native cluster with alias IP ranges
+  ip_allocation_policy {
+    cluster_secondary_range_name  = "pods"
+    services_secondary_range_name = "services"
+  }
+
+  # Workload Identity pool — enables OIDC token projection for pods
+  workload_identity_config {
+    workload_pool = "${var.project_id}.svc.id.goog"
+  }
+
+  # Remove default node pool — we manage our own below
+  remove_default_node_pool = true
+  initial_node_count       = 1
+
+  deletion_protection = var.deletion_protection
+
+  dynamic "release_channel" {
+    for_each = var.kubernetes_version == null ? [1] : []
+    content {
+      channel = "STABLE"
+    }
+  }
+
+  resource_labels = var.labels
+
+  depends_on = [google_project_service.container]
+}
+
+resource "google_container_node_pool" "main" {
+  project    = var.project_id
+  name       = "${var.prefix}-nodes"
+  location   = var.region
+  cluster    = google_container_cluster.main.name
+  node_count = var.node_count
+
+  node_config {
+    machine_type = var.node_machine_type
+
+    # GKE_METADATA mode is required for Workload Identity
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
+
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform",
+    ]
+
+    labels = merge(var.labels, {
+      role = "worker"
+    })
+  }
+
+  management {
+    auto_repair  = true
+    auto_upgrade = true
+  }
+}

.tofu/platforms/gke/modules/cluster/outputs.tf

@@ -0,0 +1,16 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_name" {
+  description = "GKE cluster name"
+  value       = google_container_cluster.main.name
+}
+
+output "project_id" {
+  description = "GCP project ID"
+  value       = var.project_id
+}
+
+output "region" {
+  description = "GCP region"
+  value       = var.region
+}

.tofu/platforms/gke/modules/cluster/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.0"
+    }
+  }
+}

.tofu/platforms/gke/modules/cluster/variables.tf

@@ -0,0 +1,48 @@
+# ─── Project / Region ────────────────────────────────────────────────
+
+variable "project_id" {
+  description = "GCP project ID"
+  type        = string
+}
+
+variable "region" {
+  description = "GCP region (e.g., europe-west4, europe-west1)"
+  type        = string
+}
+
+variable "prefix" {
+  description = "Prefix for resource names (e.g., clst-dev)"
+  type        = string
+}
+
+# ─── GKE Cluster ─────────────────────────────────────────────────────
+
+variable "node_machine_type" {
+  description = "GKE node machine type (e.g., e2-standard-2, e2-standard-4)"
+  type        = string
+}
+
+variable "node_count" {
+  description = "Number of nodes per zone (regional cluster spawns nodes in each zone)"
+  type        = number
+}
+
+variable "kubernetes_version" {
+  description = "GKE Kubernetes version channel (null = STABLE release channel)"
+  type        = string
+  default     = null
+}
+
+variable "deletion_protection" {
+  description = "Prevent cluster deletion (set true for production)"
+  type        = bool
+  default     = false
+}
+
+# ─── Labels ──────────────────────────────────────────────────────────
+
+variable "labels" {
+  description = "Labels applied to all resources"
+  type        = map(string)
+  default     = {}
+}

.tofu/platforms/gke/prod/main.tf

@@ -0,0 +1,17 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  project_id = var.project_id
+  region     = var.region
+  prefix     = "clst"
+
+  # GKE — general-purpose nodes for production
+  node_machine_type   = "e2-standard-4"
+  node_count          = 3
+  deletion_protection = true
+
+  labels = {
+    environment = "prod"
+    managed-by  = "tofu"
+  }
+}

.tofu/platforms/gke/prod/outputs.tf

@@ -0,0 +1,3 @@
+output "cluster_name" { value = module.cluster.cluster_name }
+output "project_id"   { value = module.cluster.project_id }
+output "region"       { value = module.cluster.region }

.tofu/platforms/gke/prod/providers.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+variable "project_id" {
+  description = "GCP project ID for the prod environment"
+  type        = string
+}
+
+variable "region" {
+  description = "GCP region"
+  type        = string
+  default     = "europe-west1"
+}

.tofu/platforms/gke/workload/main.tf

@@ -0,0 +1,194 @@
+# =============================================================================
+# GCP Workload Cluster
+# =============================================================================
+# A lean GKE cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env gcp-workload
+#   ./deploy-workload.sh --env gcp-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names (e.g., clst-workload)"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "node_machine_type" {
+  description = "GKE node machine type"
+  type        = string
+  default     = "e2-standard-2"
+}
+
+variable "node_count" {
+  description = "Number of nodes per zone"
+  type        = number
+  default     = 1
+}
+
+variable "kubernetes_version" {
+  description = "GKE Kubernetes version (null = STABLE release channel)"
+  type        = string
+  default     = null
+}
+
+variable "deletion_protection" {
+  description = "Prevent cluster deletion"
+  type        = bool
+  default     = false
+}
+
+variable "labels" {
+  description = "Labels applied to all resources"
+  type        = map(string)
+  default = {
+    environment = "workload"
+    managed-by  = "tofu"
+  }
+}
+
+# ─── Required APIs ────────────────────────────────────────────────────
+
+resource "google_project_service" "compute" {
+  project            = var.project_id
+  service            = "compute.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "container" {
+  project            = var.project_id
+  service            = "container.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "iam" {
+  project            = var.project_id
+  service            = "iam.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "dns" {
+  project            = var.project_id
+  service            = "dns.googleapis.com"
+  disable_on_destroy = false
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "google_compute_network" "main" {
+  project                 = var.project_id
+  name                    = "${var.prefix}-vpc"
+  auto_create_subnetworks = false
+
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_subnetwork" "main" {
+  project       = var.project_id
+  name          = "${var.prefix}-subnet"
+  ip_cidr_range = "10.110.0.0/22"
+  region        = var.region
+  network       = google_compute_network.main.id
+
+  secondary_ip_range {
+    range_name    = "pods"
+    ip_cidr_range = "10.210.0.0/14"
+  }
+
+  secondary_ip_range {
+    range_name    = "services"
+    ip_cidr_range = "10.214.0.0/20"
+  }
+}
+
+# ─── GKE Cluster ──────────────────────────────────────────────────────
+
+resource "google_container_cluster" "main" {
+  project  = var.project_id
+  name     = "${var.prefix}-gke"
+  location = var.region
+
+  network    = google_compute_network.main.id
+  subnetwork = google_compute_subnetwork.main.id
+
+  ip_allocation_policy {
+    cluster_secondary_range_name  = "pods"
+    services_secondary_range_name = "services"
+  }
+
+  workload_identity_config {
+    workload_pool = "${var.project_id}.svc.id.goog"
+  }
+
+  remove_default_node_pool = true
+  initial_node_count       = 1
+
+  deletion_protection = var.deletion_protection
+
+  dynamic "release_channel" {
+    for_each = var.kubernetes_version == null ? [1] : []
+    content {
+      channel = "STABLE"
+    }
+  }
+
+  resource_labels = var.labels
+
+  depends_on = [google_project_service.container]
+}
+
+resource "google_container_node_pool" "main" {
+  project    = var.project_id
+  name       = "${var.prefix}-nodes"
+  location   = var.region
+  cluster    = google_container_cluster.main.name
+  node_count = var.node_count
+
+  node_config {
+    machine_type = var.node_machine_type
+
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
+
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform",
+    ]
+
+    labels = merge(var.labels, { role = "worker" })
+  }
+
+  management {
+    auto_repair  = true
+    auto_upgrade = true
+  }
+}
+
+# ─── External-DNS Workload Identity ──────────────────────────────────
+# Allows external-dns to manage Cloud DNS records for app ingresses.
+
+resource "google_service_account" "external_dns" {
+  project      = var.project_id
+  account_id   = "${var.prefix}-external-dns"
+  display_name = "External-DNS Service Account (Workload Identity)"
+
+  depends_on = [google_project_service.iam]
+}
+
+resource "google_project_iam_member" "external_dns_dns_admin" {
+  project = var.project_id
+  role    = "roles/dns.admin"
+  member  = "serviceAccount:${google_service_account.external_dns.email}"
+}
+
+resource "google_service_account_iam_member" "external_dns_workload_identity" {
+  service_account_id = google_service_account.external_dns.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[external-dns/external-dns]"
+}

.tofu/platforms/gke/workload/outputs.tf

@@ -0,0 +1,4 @@
+output "cluster_name"           { value = google_container_cluster.main.name }
+output "project_id"             { value = var.project_id }
+output "region"                 { value = var.region }
+output "external_dns_gsa_email" { value = google_service_account.external_dns.email }

.tofu/platforms/gke/workload/providers.tf

@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Authentication: use Application Default Credentials (gcloud auth application-default login)
+# or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+variable "project_id" {
+  description = "GCP project ID for the workload environment"
+  type        = string
+}
+
+variable "region" {
+  description = "GCP region"
+  type        = string
+  default     = "europe-west4"
+}

.tofu/platforms/upc/dev/main.tf

@@ -0,0 +1,14 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  prefix       = "clst-dev"
+  zone         = "no-svg1"
+  node_plan    = "DEV-1xCPU-2GB"
+  node_count   = 2
+  network_cidr = "10.100.0.0/24"
+
+  tags = {
+    Environment = "dev"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/upc/dev/outputs.tf

@@ -0,0 +1,13 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_id" {
+  value = module.cluster.cluster_id
+}
+
+output "cluster_name" {
+  value = module.cluster.cluster_name
+}
+
+output "zone" {
+  value = module.cluster.zone
+}

.tofu/platforms/upc/dev/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "upcloud" {
+  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
+}

.tofu/platforms/upc/modules/cluster/main.tf

@@ -0,0 +1,56 @@
+# Router for the private network
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-${var.cluster_name}-router"
+}
+
+# Gateway for internet connectivity
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-${var.cluster_name}-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+# Private network for the Kubernetes cluster
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-${var.cluster_name}-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# Kubernetes cluster
+resource "upcloud_kubernetes_cluster" "main" {
+  name                    = "${var.prefix}-${var.cluster_name}"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}
+
+# Node group for worker nodes
+resource "upcloud_kubernetes_node_group" "workers" {
+  cluster       = upcloud_kubernetes_cluster.main.id
+  name          = "${var.prefix}-${var.cluster_name}-workers"
+  node_count    = var.node_count
+  plan          = var.node_plan
+  anti_affinity = var.node_count > 1
+  labels = {
+    prefix  = var.prefix
+    cluster = var.cluster_name
+    role    = "worker"
+    env     = lookup(var.tags, "Environment", "dev")
+  }
+}

.tofu/platforms/upc/modules/cluster/outputs.tf

@@ -0,0 +1,31 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_id" {
+  description = "The ID of the Kubernetes cluster"
+  value       = upcloud_kubernetes_cluster.main.id
+}
+
+output "cluster_name" {
+  description = "The name of the Kubernetes cluster"
+  value       = upcloud_kubernetes_cluster.main.name
+}
+
+output "network_id" {
+  description = "The ID of the private network"
+  value       = upcloud_network.kubernetes.id
+}
+
+output "network_cidr" {
+  description = "The CIDR block of the private network"
+  value       = var.network_cidr
+}
+
+output "kubernetes_version" {
+  description = "The Kubernetes version of the cluster"
+  value       = upcloud_kubernetes_cluster.main.version
+}
+
+output "zone" {
+  description = "The zone where the cluster is deployed"
+  value       = var.zone
+}

.tofu/platforms/upc/modules/cluster/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}

.tofu/platforms/upc/modules/cluster/variables.tf

@@ -0,0 +1,44 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+}
+
+variable "cluster_name" {
+  description = "Name of the Kubernetes cluster"
+  type        = string
+  default     = "main"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.100.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+}

.tofu/platforms/upc/prod/main.tf

@@ -0,0 +1,16 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  prefix       = "clst"
+  zone         = "de-fra1"
+  node_plan    = "4xCPU-8GB"
+  node_count   = 3
+  network_cidr = "10.100.0.0/24"
+
+  control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs
+
+  tags = {
+    Environment = "prod"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/upc/prod/outputs.tf

@@ -0,0 +1,13 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_id" {
+  value = module.cluster.cluster_id
+}
+
+output "cluster_name" {
+  value = module.cluster.cluster_name
+}
+
+output "zone" {
+  value = module.cluster.zone
+}

.tofu/platforms/upc/prod/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "upcloud" {
+  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
+}

.tofu/platforms/upc/workload/main.tf

@@ -0,0 +1,116 @@
+# =============================================================================
+# UpCloud Workload Cluster
+# =============================================================================
+# A lean UCS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env upcloud-workload
+#   ./deploy-workload.sh --env upcloud-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+  default     = "clst-workload"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+  default     = "fi-hel1"
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+  default     = "2xCPU-4GB"
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.110.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-workload-router"
+}
+
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-workload-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-workload-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# ─── Kubernetes Cluster ───────────────────────────────────────────────
+
+resource "upcloud_kubernetes_cluster" "main" {
+  name                    = "${var.prefix}-workload"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}
+
+resource "upcloud_kubernetes_node_group" "workers" {
+  cluster       = upcloud_kubernetes_cluster.main.id
+  name          = "${var.prefix}-workload-workers"
+  node_count    = var.node_count
+  plan          = var.node_plan
+  anti_affinity = var.node_count > 1
+  labels = {
+    prefix  = var.prefix
+    cluster = "workload"
+    role    = "worker"
+    env     = lookup(var.tags, "Environment", "workload")
+  }
+}

.tofu/platforms/upc/workload/outputs.tf

@@ -0,0 +1,3 @@
+output "cluster_name" { value = upcloud_kubernetes_cluster.main.name }
+output "cluster_id"   { value = upcloud_kubernetes_cluster.main.id }
+output "zone"         { value = var.zone }

.tofu/platforms/upc/workload/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "upcloud" {
+  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
+}

.tofu/scripts/get-kubeconfig.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
+PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
+
+CLUSTER="${1:?Usage: $0 <cluster> (e.g., aks-dev, eks-prod)}"
+PLATFORM="${CLUSTER%%-*}"
+ENV="${CLUSTER#*-}"
+
+KUBECONFIG_FILE="$PROJECT_ROOT/private/$CLUSTER/kubeconfig"
+
+if [[ -f "$KUBECONFIG_FILE" ]]; then
+  echo "Kubeconfig already exists: $KUBECONFIG_FILE"
+  echo ""
+  echo "  export KUBECONFIG=$KUBECONFIG_FILE"
+else
+  echo "No cached kubeconfig. Fetching from platform..."
+
+  # Load platform credentials
+  ENV_FILE="$TOFU_ROOT/configs/$PLATFORM.env"
+  if [[ -f "$ENV_FILE" ]]; then
+    set -a; source "$ENV_FILE"; set +a
+  fi
+
+  TOFU_DIR="$TOFU_ROOT/platforms/$PLATFORM/$ENV"
+  mkdir -p "$(dirname "$KUBECONFIG_FILE")"
+
+  case "$PLATFORM" in
+    aks)
+      cd "$TOFU_DIR"
+      RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "$CLUSTER-rg")
+      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
+      az aks get-credentials --resource-group "$RG" --name "$NAME" --file "$KUBECONFIG_FILE" --overwrite-existing
+      ;;
+    eks)
+      cd "$TOFU_DIR"
+      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
+      REGION=$(tofu output -raw aws_region 2>/dev/null || echo "${AWS_REGION:-eu-west-1}")
+      aws eks update-kubeconfig --name "$NAME" --region "$REGION" --kubeconfig "$KUBECONFIG_FILE"
+      ;;
+    gke)
+      cd "$TOFU_DIR"
+      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
+      REGION=$(tofu output -raw region 2>/dev/null || echo "${GCP_REGION:-europe-west4}")
+      PROJECT=$(tofu output -raw project_id 2>/dev/null || echo "${GCP_PROJECT_ID:-}")
+      gcloud container clusters get-credentials "$NAME" --region "$REGION" --project "$PROJECT"
+      cp ~/.kube/config "$KUBECONFIG_FILE"
+      ;;
+    upc)
+      cd "$TOFU_DIR"
+      CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
+      upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
+      ;;
+    *)
+      echo "Error: unknown platform '$PLATFORM'"
+      exit 1
+      ;;
+  esac
+
+  chmod 600 "$KUBECONFIG_FILE"
+  echo "Kubeconfig saved: $KUBECONFIG_FILE"
+  echo ""
+  echo "  export KUBECONFIG=$KUBECONFIG_FILE"
+fi

.tofu/scripts/setup-cluster.sh

@@ -0,0 +1,246 @@
+#!/bin/bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
+PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
+
+# ─── Usage ────────────────────────────────────────────────────────────
+usage() {
+  cat <<EOF
+Usage: $0 <cluster> [options]
+
+  Provision a Kubernetes cluster using OpenTofu.
+  Mirrors bootstrap.sh convention: cluster = <platform>-<env>
+
+  Clusters:   aks-dev | aks-prod | eks-dev | eks-prod
+              gke-dev | gke-prod | upc-dev | upc-prod
+              <platform>-workload (for workload clusters)
+
+  Options:
+    --plan        Plan only, don't apply
+    --destroy     Destroy the cluster (use teardown-cluster.sh instead)
+    --auto        Skip confirmation prompts
+    -h, --help    Show this help
+
+  Examples:
+    $0 aks-dev
+    $0 eks-prod --plan
+    $0 upc-dev --auto
+
+  Prerequisites:
+    - tofu, kubectl, helm installed
+    - Platform credentials in .tofu/configs/<platform>.env
+    - Cluster config in clusters/<cluster>.yaml
+
+  After provisioning, run:
+    ./bootstrap.sh <cluster>
+EOF
+  exit "${1:-0}"
+}
+
+# ─── Parse arguments ──────────────────────────────────────────────────
+CLUSTER=""
+PLAN_ONLY=false
+DESTROY=false
+AUTO_APPROVE=false
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --plan)       PLAN_ONLY=true; shift ;;
+    --destroy)    DESTROY=true; shift ;;
+    --auto)       AUTO_APPROVE=true; shift ;;
+    -h|--help)    usage 0 ;;
+    -*)           echo "Unknown option: $1"; usage 1 ;;
+    *)
+      if [[ -z "$CLUSTER" ]]; then
+        CLUSTER="$1"
+      else
+        echo "Error: unexpected argument '$1'"
+        usage 1
+      fi
+      shift
+      ;;
+  esac
+done
+
+[[ -z "$CLUSTER" ]] && { echo "Error: <cluster> argument required"; usage 1; }
+
+# ─── Map cluster → platform + env ────────────────────────────────────
+PLATFORM="${CLUSTER%%-*}"   # aks-dev → aks
+ENV="${CLUSTER#*-}"         # aks-dev → dev
+
+case "$PLATFORM" in
+  aks|eks|gke|upc) ;;
+  *) echo "Error: unknown platform '$PLATFORM'. Expected: aks, eks, gke, upc"; exit 1 ;;
+esac
+
+TOFU_DIR="$TOFU_ROOT/platforms/$PLATFORM/$ENV"
+if [[ ! -d "$TOFU_DIR" ]]; then
+  echo "Error: tofu directory not found: $TOFU_DIR"
+  echo "Available environments for $PLATFORM:"
+  ls -1 "$TOFU_ROOT/platforms/$PLATFORM/" 2>/dev/null | grep -v modules || echo "  (none)"
+  exit 1
+fi
+
+echo "========================================="
+echo "  Kubernetes Cluster Setup"
+echo "========================================="
+echo ""
+echo "  Cluster:   $CLUSTER"
+echo "  Platform:  $PLATFORM"
+echo "  Env:       $ENV"
+echo "  Tofu dir:  $TOFU_DIR"
+echo ""
+
+# ─── Prerequisites ────────────────────────────────────────────────────
+echo "=== Checking Prerequisites ==="
+command -v tofu    >/dev/null 2>&1 || { echo "Error: tofu is not installed."; exit 1; }
+command -v kubectl >/dev/null 2>&1 || { echo "Error: kubectl is not installed."; exit 1; }
+command -v helm    >/dev/null 2>&1 || { echo "Error: helm is not installed."; exit 1; }
+echo "  tofu, kubectl, helm: OK"
+
+# ─── Load platform credentials ────────────────────────────────────────
+ENV_FILE="$TOFU_ROOT/configs/$PLATFORM.env"
+if [[ -f "$ENV_FILE" ]]; then
+  echo "  Loading credentials from configs/$PLATFORM.env"
+  set -a
+  # shellcheck disable=SC1090
+  source "$ENV_FILE"
+  set +a
+else
+  echo "  Warning: $ENV_FILE not found — using existing environment/CLI auth"
+  echo "  Copy configs/$PLATFORM.env.example → configs/$PLATFORM.env to configure"
+fi
+
+# ─── Load cluster config (if exists) ──────────────────────────────────
+CLUSTER_CONFIG="$PROJECT_ROOT/clusters/$CLUSTER.yaml"
+if [[ -f "$CLUSTER_CONFIG" ]]; then
+  echo "  Loading cluster config from clusters/$CLUSTER.yaml"
+  if command -v yq >/dev/null 2>&1; then
+    eval "$(yq -r 'to_entries[] | "export CLUSTER_\(.key)=\"\(.value)\""' "$CLUSTER_CONFIG")"
+    echo "  Cluster name: ${CLUSTER_clusterName:-$CLUSTER}"
+  else
+    echo "  Warning: yq not installed — cluster config not loaded"
+  fi
+else
+  echo "  Warning: $CLUSTER_CONFIG not found — using defaults"
+fi
+echo ""
+
+# ─── Run OpenTofu ─────────────────────────────────────────────────────
+cd "$TOFU_DIR"
+
+echo "=== Initializing OpenTofu ==="
+tofu init
+
+echo ""
+if $DESTROY; then
+  echo "=== Planning Destruction ==="
+  tofu plan -destroy -out=tfplan
+
+  if ! $AUTO_APPROVE; then
+    echo ""
+    read -rp "DESTROY cluster $CLUSTER? This is irreversible. (yes/no) " REPLY
+    [[ "$REPLY" == "yes" ]] || { echo "Cancelled."; exit 1; }
+  fi
+
+  echo "Destroying infrastructure..."
+  tofu apply tfplan
+  echo ""
+  echo "=== Cluster $CLUSTER Destroyed ==="
+
+elif $PLAN_ONLY; then
+  echo "=== Planning Infrastructure ==="
+  tofu plan
+  echo ""
+  echo "=== Plan complete (--plan mode, no changes applied) ==="
+
+else
+  echo "=== Planning Infrastructure ==="
+  tofu plan -out=tfplan
+
+  if ! $AUTO_APPROVE; then
+    echo ""
+    read -rp "Apply this plan for $CLUSTER? (y/n) " -n 1 REPLY
+    echo
+    [[ "$REPLY" =~ ^[Yy]$ ]] || { echo "Cancelled."; exit 1; }
+  fi
+
+  echo "Applying infrastructure..."
+  tofu apply tfplan
+
+  # ─── Save kubeconfig ──────────────────────────────────────────────
+  KUBECONFIG_DIR="$PROJECT_ROOT/private/$CLUSTER"
+  mkdir -p "$KUBECONFIG_DIR"
+  KUBECONFIG_FILE="$KUBECONFIG_DIR/kubeconfig"
+
+  echo ""
+  echo "=== Saving Kubeconfig ==="
+
+  case "$PLATFORM" in
+    aks)
+      if tofu output -raw kubeconfig > "$KUBECONFIG_FILE" 2>/dev/null; then
+        echo "  Saved from tofu output"
+      else
+        echo "  Fetching from Azure CLI..."
+        RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}-rg")
+        NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
+        az aks get-credentials --resource-group "$RG" --name "$NAME" --file "$KUBECONFIG_FILE" --overwrite-existing
+      fi
+      ;;
+    eks)
+      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
+      REGION=$(tofu output -raw aws_region 2>/dev/null || echo "${AWS_REGION:-eu-west-1}")
+      aws eks update-kubeconfig --name "$NAME" --region "$REGION" --kubeconfig "$KUBECONFIG_FILE"
+      ;;
+    gke)
+      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
+      REGION=$(tofu output -raw region 2>/dev/null || echo "${GCP_REGION:-europe-west4}")
+      PROJECT=$(tofu output -raw project_id 2>/dev/null || echo "${GCP_PROJECT_ID:-}")
+      gcloud container clusters get-credentials "$NAME" --region "$REGION" --project "$PROJECT" 2>/dev/null \
+        && cp ~/.kube/config "$KUBECONFIG_FILE" \
+        || echo "  Warning: could not fetch kubeconfig via gcloud"
+      ;;
+    upc)
+      if tofu output -raw kubeconfig > "$KUBECONFIG_FILE" 2>/dev/null; then
+        echo "  Saved from tofu output"
+      else
+        CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
+        if [[ -n "$CLUSTER_ID" ]]; then
+          upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
+        else
+          echo "  Warning: could not determine cluster ID for kubeconfig"
+        fi
+      fi
+      ;;
+  esac
+
+  if [[ -f "$KUBECONFIG_FILE" ]]; then
+    chmod 600 "$KUBECONFIG_FILE"
+    echo "  Kubeconfig: $KUBECONFIG_FILE"
+  fi
+
+  # ─── Wait for nodes ──────────────────────────────────────────────
+  echo ""
+  echo "=== Waiting for Cluster Nodes ==="
+  export KUBECONFIG="$KUBECONFIG_FILE"
+  if kubectl wait --for=condition=Ready nodes --all --timeout=300s 2>/dev/null; then
+    echo "  All nodes ready"
+  else
+    echo "  Warning: nodes not ready within timeout — check cluster status"
+  fi
+
+  # ─── Summary ─────────────────────────────────────────────────────
+  echo ""
+  echo "========================================="
+  echo "  Cluster $CLUSTER Provisioned"
+  echo "========================================="
+  echo ""
+  echo "  Kubeconfig: $KUBECONFIG_FILE"
+  echo ""
+  echo "  Next steps:"
+  echo "    export KUBECONFIG=$KUBECONFIG_FILE"
+  echo "    ./bootstrap.sh $CLUSTER"
+  echo ""
+fi

.tofu/scripts/teardown-cluster.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Delegate to setup-cluster.sh with --destroy flag
+exec "$SCRIPT_DIR/setup-cluster.sh" "$@" --destroy

README.md

@@ -57,11 +57,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ### What's Inside
 
-- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Vault, Vault Secrets Operator, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
-- **Secrets**: Vault Secrets Operator (VSO) syncs secrets from HashiCorp Vault to K8s
+- **Secrets**: Sealed Secrets for secure Git storage
 
 ### Key Features
 
@@ -80,8 +80,23 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 
 ```
 .
-├── bootstrap.sh                # Cluster initialization script
-├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
+├── bootstrap.sh                # Cluster initialization (ArgoCD + GitOps)
+├── _app-of-apps-{cluster}.yaml # Root ArgoCD Application (per cluster)
+│
+├── .tofu/                     # Infrastructure provisioning (OpenTofu)
+│   ├── platforms/             # Per-platform IaC (one dir per cloud)
+│   │   ├── aks/               # Azure AKS (modules/ + dev/ + prod/ + workload/)
+│   │   ├── eks/               # AWS EKS
+│   │   ├── gke/               # GCP GKE
+│   │   └── upc/               # UpCloud
+│   ├── configs/               # Platform credentials (git-ignored)
+│   │   └── *.env.example      # Template for each platform
+│   └── scripts/               # Cluster lifecycle scripts
+│       ├── setup-cluster.sh   # Create cluster: ./setup-cluster.sh aks-dev
+│       ├── teardown-cluster.sh
+│       └── get-kubeconfig.sh
+│
+├── clusters/                  # Cluster metadata (domain, trustedIPs, etc.)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
 │   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
@@ -187,7 +202,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
 2. Create `helm-prod-values/myapp/values.yaml` (configuration)
-3. Write secrets to Vault and create VaultStaticSecret CRD if needed
+3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!
 
 ### Update an Existing Application
@@ -200,18 +215,22 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 
 ### Manage Secrets
 
-**See detailed guide**: [Vault Secrets Operator Reference](docs/vault-secrets-operator.md)
+**See detailed guide**: [Developer Guide - Working with Secrets](docs/DEVELOPER-GUIDE.md#working-with-secrets)
 
 ```bash
-# 1. Write secret to Vault
-vault kv put kv/myapp/myapp-creds KEY=value
+# Create plain secret
+kubectl create secret generic myapp-creds \
+  --from-literal=KEY=value \
+  --dry-run=client -o yaml > private/myapp-creds.yaml
 
-# 2. Create VaultStaticSecret CRD (one-time, commit to git)
-# See docs/vault-secrets-operator.md for CRD template
+# Seal it
+kubeseal --format=yaml --cert=pub-cert.pem \
+  < private/myapp-creds.yaml > secrets/myapp-creds-sealed.yaml
 
-# 3. Rotate secrets — no git commit needed!
-vault kv put kv/myapp/myapp-creds KEY=new-value
-# VSO picks up changes within 30 seconds
+# Commit sealed version
+git add secrets/myapp-creds-sealed.yaml
+git commit -m "Add myapp credentials"
+git push
 ```
 
 ### Enable Authentication
@@ -324,7 +343,7 @@ kubectl patch application myapp -n argocd \
 ## 🔐 Security
 
 ### Secret Management
-- ✅ Vault Secrets Operator (VSO) for secret management
+- ✅ Sealed Secrets for Git storage
 - ✅ Kyverno auto-clones secrets to namespaces
 - ❌ Never commit plain secrets
 
@@ -351,8 +370,7 @@ kubectl patch application myapp -n argocd \
 | **Traefik** | Ingress controller | `traefik` | 2 |
 | **Cert-Manager** | TLS certificates | `cert-manager` | 1 |
 | **Kyverno** | Policy engine | `kyverno` | 1 |
-| **Vault** | Secret storage | `vault` | 1 |
-| **Vault Secrets Operator** | Secret sync (Vault → K8s) | `vault-secrets-operator-system` | 1 |
+| **Sealed Secrets** | Secret encryption | `kube-system` | 1 |
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
@@ -452,7 +470,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
 3. Create Helm values in `helm-prod-values/`
-4. Write secrets to Vault and create VaultStaticSecret CRD if needed
+4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!
 
 ### Modifying Infrastructure
@@ -496,8 +514,7 @@ Documentation lives in `docs/`. To update:
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
 - [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
-- [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
-- [HashiCorp Vault](https://developer.hashicorp.com/vault/docs)
+- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 
 ### Related Repositories
 - [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates

apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: argocd-mcp-credentials
-  namespace: argocd-mcp
-spec:
-  type: kv-v2
-  mount: kv
-  path: argocd-mcp/argocd-mcp-credentials
-  destination:
-    name: argocd-mcp-credentials
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

apps/base/argo-mcp/auth-oidc-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: auth-oidc
-  namespace: argocd-mcp
-spec:
-  type: kv-v2
-  mount: kv
-  path: argocd-mcp/auth-oidc
-  destination:
-    name: auth-oidc
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

apps/base/argo-mcp/kustomization.yaml

@@ -2,7 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
-- vault-auth.yaml
-- auth-oidc-vault.yaml
-- argocd-mcp-credentials-vault.yaml
-# Removed: argocdmcp-auth-oidc-sealed.yaml, argocd-mcp-credentials.yaml (migrated to VSO)
+- argocdmcp-auth-oidc-sealed.yaml
+- argocd-mcp-credentials.yaml

apps/base/argo-mcp/vault-auth.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-argocd-mcp
-  namespace: argocd-mcp
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: argocd-mcp
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-argocd-mcp
-    serviceAccount: vault-auth-argocd-mcp
-    audiences:
-    - vault

apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: dot-ai-secrets
-  namespace: dot-ai
-spec:
-  type: kv-v2
-  mount: kv
-  path: dot-ai/dot-ai-secrets
-  destination:
-    name: dot-ai-secrets
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

apps/base/dot-ai-stack/kustomization.yaml

@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
-- vault-auth.yaml
-- dot-ai-secrets-vault.yaml
-# Removed: dot-ai-secrets.yaml (migrated to VSO)
+- dot-ai-secrets.yaml

apps/base/dot-ai-stack/vault-auth.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-dot-ai
-  namespace: dot-ai
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: dot-ai
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-dot-ai
-    serviceAccount: vault-auth-dot-ai
-    audiences:
-    - vault

apps/base/mcp10x/app-credentials-vault.yaml

@@ -1,15 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: app-credentials
-  namespace: mcp10x
-spec:
-  type: kv-v2
-  mount: kv
-  path: mcp10x/app-credentials
-  destination:
-    name: app-credentials
-    create: true
-    type: Opaque
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

apps/base/mcp10x/kustomization.yaml

@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
-- vault-auth.yaml
-- app-credentials-vault.yaml
-# Removed: forte10x-app-credentials-sealed.yaml (migrated to VSO)
+- forte10x-app-credentials-sealed.yaml

apps/base/mcp10x/vault-auth.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-mcp10x
-  namespace: mcp10x
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: mcp10x
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-mcp10x
-    serviceAccount: vault-auth-mcp10x
-    audiences:
-    - vault

apps/base/musicman/kustomization.yaml

@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
-- vault-auth.yaml
-- musicman-credentials-vault.yaml
-# Removed: musicman-credentials.yaml (migrated to VSO)
+- musicman-credentials.yaml

apps/base/musicman/musicman-credentials-vault.yaml

@@ -1,15 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: musicman-credentials
-  namespace: music-man
-spec:
-  type: kv-v2
-  mount: kv
-  path: music-man/musicman-credentials
-  destination:
-    name: musicman-credentials
-    create: true
-    type: Opaque
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

apps/base/musicman/vault-auth.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-music-man
-  namespace: music-man
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: music-man
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-music-man
-    serviceAccount: vault-auth-music-man
-    audiences:
-    - vault

apps/base/ts-mcp/kustomization.yaml

@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
-- vault-auth.yaml
-- ts-mcp-secrets-vault.yaml
-# Removed: ts-mcp-secrets-sealed.yaml (migrated to VSO)
+- ts-mcp-secrets-sealed.yaml

apps/base/ts-mcp/ts-mcp-secrets-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: ts-mcp-secrets
-  namespace: ts-mcp
-spec:
-  type: kv-v2
-  mount: kv
-  path: ts-mcp/ts-mcp-secrets
-  destination:
-    name: ts-mcp-secrets
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

apps/base/ts-mcp/vault-auth.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-ts-mcp
-  namespace: ts-mcp
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: ts-mcp
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-ts-mcp
-    serviceAccount: vault-auth-ts-mcp
-    audiences:
-    - vault

apps/overlays/upc-dev/kustomization.yaml

@@ -3,7 +3,6 @@ kind: Kustomization
 resources:
 - ../../base
 - dbunk-demo
-- feedback
 
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster

cluster-resources/argocd-notifications-secret-vault.yaml

@@ -1,15 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: argocd-notifications-secret
-  namespace: argocd
-spec:
-  type: kv-v2
-  mount: kv
-  path: argocd/argocd-notifications-secret
-  destination:
-    name: argocd-notifications-secret
-    create: true
-    type: Opaque
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

cluster-resources/forte-helm-repo-vault.yaml

@@ -1,16 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: forte-helm-repo
-  namespace: argocd
-spec:
-  type: kv-v2
-  mount: kv
-  path: argocd/forte-helm-repo
-  destination:
-    name: forte-helm-repo
-    create: true
-    labels:
-      argocd.argoproj.io/secret-type: repository
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

cluster-resources/forte10x-repo-credentials-vault.yaml

@@ -1,17 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: forte10x-repo-creds
-  namespace: argocd
-spec:
-  type: kv-v2
-  mount: kv
-  path: argocd/forte10x-repo-creds
-  destination:
-    name: forte10x-repo-creds
-    create: true
-    type: Opaque
-    labels:
-      argocd.argoproj.io/secret-type: repository
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

cluster-resources/letsencrypt-issuer.yaml

@@ -12,6 +12,18 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging-key
     solvers:
+    # DNS-01 solver for wildcard certificates (*.example.com)
+    - dns01:
+        cloudflare:
+          email: danijels@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - '*.example.com'
+        - 'example.com'
+    # HTTP-01 fallback for non-wildcard certificates
     - http01:
         ingress:
           class: traefik
@@ -30,6 +42,116 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-prod-key
     solvers:
+    # DNS-01 solver for wildcard certificates (*.example.com)
+    - dns01:
+        cloudflare:
+          email: danijels@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - '*.example.com'
+        - 'example.com'
+    # HTTP-01 fallback for non-wildcard certificates
     - http01:
         ingress:
           class: traefik
+
+# =============================================================================
+# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
+#   --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
+#
+# dns01:
+#   cloudflare:
+#     email: your-cloudflare-email@example.com
+#     apiTokenSecretRef:
+#       name: cloudflare-api-token-secret
+#       key: api-token
+
+# -----------------------------------------------------------------------------
+# Option 2: AWS Route53
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic route53-credentials \
+#   --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
+#
+# dns01:
+#   route53:
+#     region: us-east-1
+#     hostedZoneID: ZXXXXXXXXXXXXX  # Optional: auto-detected if not specified
+#     accessKeyID: YOUR_ACCESS_KEY_ID
+#     secretAccessKeySecretRef:
+#       name: route53-credentials
+#       key: secret-access-key
+
+# -----------------------------------------------------------------------------
+# Option 3: Azure DNS
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic azuredns-config \
+#   --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
+#
+# dns01:
+#   azureDNS:
+#     subscriptionID: YOUR_SUBSCRIPTION_ID
+#     resourceGroupName: YOUR_RESOURCE_GROUP
+#     hostedZoneName: example.com
+#     environment: AzurePublicCloud
+#     managedIdentity:
+#       clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID  # For AKS with pod identity
+#     # OR use service principal:
+#     # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
+#     # clientSecretSecretRef:
+#     #   name: azuredns-config
+#     #   key: client-secret
+
+# -----------------------------------------------------------------------------
+# Option 4: Google Cloud DNS
+# -----------------------------------------------------------------------------
+# Create secret with service account JSON key:
+# kubectl create secret generic clouddns-service-account \
+#   --from-file=service-account.json=path/to/key.json -n cert-manager
+#
+# dns01:
+#   cloudDNS:
+#     project: YOUR_GCP_PROJECT_ID
+#     hostedZoneName: example-com  # Managed zone name in Cloud DNS
+#     serviceAccountSecretRef:
+#       name: clouddns-service-account
+#       key: service-account.json
+
+# -----------------------------------------------------------------------------
+# Option 5: GoDaddy
+# -----------------------------------------------------------------------------
+# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
+#
+# dns01:
+#   webhook:
+#     groupName: acme.yourcompany.com
+#     solverName: godaddy
+#     config:
+#       apiKeySecretRef:
+#         name: godaddy-api-credentials
+#         key: api-key
+#       apiSecretSecretRef:
+#         name: godaddy-api-credentials
+#         key: api-secret
+
+# -----------------------------------------------------------------------------
+# Option 6: Manual/Dynamic DNS (for homelab)
+# -----------------------------------------------------------------------------
+# Requires RFC2136 provider or external webhook
+#
+# dns01:
+#   rfc2136:
+#     nameserver: your-dns-server.example.com
+#     tsigKeyName: cert-manager-key
+#     tsigAlgorithm: HMACSHA256
+#     tsigSecretSecretRef:
+#       name: tsig-secret
+#       key: secret

cluster-resources/mcp10x-repo-credentials-vault.yaml

@@ -1,17 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: mcp10x-repo-creds
-  namespace: argocd
-spec:
-  type: kv-v2
-  mount: kv
-  path: argocd/mcp10x-repo-creds
-  destination:
-    name: mcp10x-repo-creds
-    create: true
-    type: Opaque
-    labels:
-      argocd.argoproj.io/secret-type: repository
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

cluster-resources/policies/auth-sidecar-injector.yaml

@@ -245,12 +245,6 @@ spec:
                 secretKeyRef:
                   name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                   key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
-            - name: AUTH_OIDC_IDP_HINT
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
-            - name: AUTH_OIDC_BROKER_ALIAS
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
-            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
             resources:
               limits:
                 cpu: 50m
@@ -330,8 +324,6 @@ spec:
               value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
             - name: AUTH_MCP_SCOPES_SUPPORTED
               value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
-            - name: AUTH_MCP_IDP_HINT
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
             resources:
               limits:
                 cpu: 50m

cluster-resources/policies/label-checker.yaml

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: require-labels
-  annotations:
-    policies.kyverno.io/title: Require Labels
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod, Label
-    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
-  validationFailureAction: Audit
-  background: true
-  rules:
-  - name: check-for-labels
-    skipBackgroundRequests: true
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - istio-system
-          - argocd
-          - cert-manager
-          - monitoring
-          - secrets
-          - kyverno
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    validate:
-      message: The label `app.kubernetes.io/name` is required.
-      allowExistingViolations: true
-      pattern:
-        metadata:
-          labels:
-            app.kubernetes.io/name: "?*"

cluster-resources/vault-auth-argocd.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-argocd
-  namespace: argocd
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: argocd
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-argocd
-    serviceAccount: vault-auth-argocd
-    audiences:
-    - vault

cluster-resources/wildcard-certificate-example.yaml

@@ -0,0 +1,92 @@
+---
+# Example: Wildcard Certificate for *.example.com
+# This creates a certificate that covers ALL subdomains of example.com
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-example-com
+  namespace: default  # Change to your application's namespace
+spec:
+  # The secret where the TLS certificate will be stored
+  secretName: wildcard-example-com-tls
+  
+  # Use the production issuer (use letsencrypt-staging for testing)
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+    
+  # DNS names this certificate will cover
+  # Both wildcard AND apex domain are recommended
+  dnsNames:
+    - '*.example.com'    # Covers: app.example.com, api.example.com, etc.
+    - 'example.com'      # Also include apex domain explicitly
+  
+  # Optional: Configure certificate duration and renewal
+  duration: 2160h0m0s    # 90 days (Let's Encrypt default)
+  renewBefore: 720h0m0s  # Renew 30 days before expiry
+  
+  # Optional: Private key settings
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+
+---
+# Example: Using the wildcard certificate with a Traefik IngressRoute
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: app-ingress
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    # Match any subdomain - the wildcard cert covers all of them
+    - match: Host(`app.example.com`) || Host(`api.example.com`) || Host(`www.example.com`)
+      kind: Rule
+      services:
+        - name: my-service
+          port: 80
+  tls:
+    # Reference the secret created by the Certificate
+    secretName: wildcard-example-com-tls
+
+---
+# Example: Using wildcard certificate with standard Kubernetes Ingress
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wildcard-ingress
+  namespace: default
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+    - hosts:
+        - '*.example.com'
+        - 'example.com'
+      secretName: wildcard-example-com-tls
+  rules:
+    - host: app.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: app-service
+                port:
+                  number: 80
+    - host: api.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: api-service
+                port:
+                  number: 80

devbox.json

@@ -17,7 +17,9 @@
     "claude-code@latest",
     "go@latest",
     "dotnet-sdk@latest",
-    "opentofu@1.11.6"
+    "opentofu@1.11.6",
+    "_1password@latest",
+    "github-cli@latest"
   ],
   "shell": {
     "init_hook": [

docs/DEVELOPER-GUIDE.md

@@ -60,16 +60,18 @@ If you do need cluster access, install:
    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    ```
 
-2. **vault** CLI - For managing secrets in HashiCorp Vault
+2. **kubeseal** - For sealing secrets
    ```bash
    # macOS
-   brew install hashicorp/tap/vault
+   brew install kubeseal
 
    # Windows
-   choco install vault
+   choco install kubeseal
 
    # Linux
-   # See https://developer.hashicorp.com/vault/install
+   wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
+   tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
+   sudo mv kubeseal /usr/local/bin/
    ```
 
 3. **Git** - Version control
@@ -632,100 +634,115 @@ git push
 
 ### Understanding Secret Management
 
-Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
-
-**NEVER commit plain secret values to Git.** Only VaultStaticSecret CRD manifests are committed.
+**NEVER commit plain secrets to Git.** We use **Sealed Secrets** to encrypt secrets before committing.
 
 ### Creating a New Secret
 
-#### Step 1: Write Secret to Vault
+#### Step 1: Create Plain Secret Locally
 
 ```bash
-vault kv put kv/myapp/myapp-credentials \
-  API_KEY=your-secret-key-here \
-  DB_PASSWORD=super-secret-password
+cd ~/dev/k8s/launchpad
+
+# Create secret in private/ folder (Git-ignored)
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=your-secret-key-here \
+  --from-literal=DB_PASSWORD=super-secret-password \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
 ```
 
-#### Step 2: Create VaultStaticSecret CRD
+**DO NOT commit this file!** It's in `private/` which is Git-ignored.
 
-Create a YAML file (e.g., `apps/base/myapp/myapp-credentials-vault.yaml`):
+#### Step 2: Seal the Secret
 
-```yaml
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: myapp-credentials
-  namespace: myapp
-spec:
-  type: kv-v2
-  mount: kv
-  path: myapp/myapp-credentials
-  destination:
-    name: myapp-credentials
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth
-```
-
-#### Step 3: Add VaultAuth (if new namespace)
-
-If this is a new namespace, also create a `vault-auth.yaml` with a ServiceAccount and VaultAuth CRD. See [VSO Reference](vault-secrets-operator.md#vaultauth) for template.
-
-#### Step 4: Commit and Push
+Seal your secret:
 
 ```bash
-git add apps/base/myapp/myapp-credentials-vault.yaml
-git commit -m "Add myapp credentials (VSO)"
+kubeseal --format=yaml \
+  --namespace=myapp \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+```
+
+#### Step 3: Commit Sealed Secret
+
+```bash
+git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Add myapp credentials (sealed)"
 git push
 ```
 
-ArgoCD syncs the CRD, VSO creates the K8s Secret.
-
-#### Step 5: Reference Secret in Application
+#### Step 4: Reference Secret in Application
 
 Update your `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
-  envSecretName: "myapp-credentials"  # VSO creates this K8s Secret
+  envSecretName: "myapp-credentials"  # References the SealedSecret
 ```
 
-### Updating / Rotating a Secret
-
-**No git commit needed** — just update in Vault:
-
+Commit and push:
 ```bash
-vault kv put kv/myapp/myapp-credentials \
-  API_KEY=new-key-here \
-  DB_PASSWORD=new-password
+cd ~/dev/k8s/helm-prod-values
+git add myapp/values.yaml
+git commit -m "Reference myapp credentials"
+git push
 ```
 
-VSO picks up changes within 30 seconds. Restart pods if they don't watch for secret updates:
+### Updating a Secret
+
+To update an existing secret:
 
 ```bash
+# 1. Create new version of secret
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=new-key-here \
+  --from-literal=DB_PASSWORD=new-password \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# 2. Seal it
+kubeseal --format=yaml \
+  --namespace=myapp \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+
+# 3. Commit sealed version
+git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Update myapp credentials"
+git push
+
+# 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```
 
 ### Secret Best Practices
 
-- Write secrets to Vault via UI or CLI — never commit values to Git
-- Use meaningful secret names matching the KV path convention: `kv/{namespace}/{secret-name}`
+✅ **DO**:
+- Store secrets in `private/` folder locally
+- Always seal secrets before committing
+- Delete plain secrets after sealing
+- Use meaningful secret names
 - Document what each secret contains
-- Use Vault's versioning for audit trail
+
+❌ **DON'T**:
+- Commit plain secrets to Git
+- Share secrets via Slack/email
+- Hard-code secrets in code
+- Use the same secret across multiple environments
+- Store secrets in Docker images
 
 ### Where Secrets Are Stored
 
 ```
-┌──────────────────────────────────────────────────────────────────┐
-│  Location                  │  Content                │  In Git? │
-├────────────────────────────┼─────────────────────────┼──────────┤
-│  Vault KV (kv/{ns}/{name}) │  Secret values          │  ❌ NO   │
-│  VaultStaticSecret CRD     │  Sync config (no values)│  ✅ YES  │
-│  Kubernetes cluster        │  K8s Secret (synced)    │  N/A     │
-└──────────────────────────────────────────────────────────────────┘
+┌─────────────────────────────────────────────────────────────┐
+│  Location                │  Content           │  Committed?│
+├──────────────────────────┼────────────────────┼────────────┤
+│  private/                │  Plain secrets     │  ❌ NO      │
+│  secrets/                │  Sealed secrets    │  ✅ YES     │
+│  Kubernetes cluster      │  Unsealed secrets  │  N/A       │
+└─────────────────────────────────────────────────────────────┘
 ```
 
-**Vault Secrets Operator** syncs secrets from Vault to K8s automatically (30s refresh).
+**Sealed Secrets Controller** in the cluster decrypts sealed secrets automatically.
 
 ---
 
@@ -859,13 +876,28 @@ In your identity provider (e.g., Keycloak):
 #### Step 2: Create OIDC Secret
 
 ```bash
-# Write OIDC secret to Vault
-vault kv put kv/myapp/auth-oidc \
-  client-secret=your-oidc-client-secret \
-  cookie-secret=$(openssl rand -hex 32)
+# Create plain secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=your-oidc-client-secret \
+  --from-literal=cookie-secret=$(openssl rand -hex 32) \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
 
-# Create VaultStaticSecret CRD (see docs/vault-secrets-operator.md for template)
-# Add to apps/base/myapp/auth-oidc-vault.yaml and commit
+# Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-auth-oidc.yaml \
+  > secrets/myapp-auth-oidc-sealed.yaml
+
+# Commit sealed secret
+cd ~/dev/k8s/launchpad
+git add secrets/myapp-auth-oidc-sealed.yaml
+git commit -m "Add OIDC secrets for myapp"
+git push
+
+# Clean up
+rm private/myapp-auth-oidc.yaml
 ```
 
 #### Step 3: Configure Helm Values
@@ -1095,13 +1127,16 @@ ingress:
   host: web-app.forteapps.net
 ```
 
-**With Vault OIDC secret**:
+**With sealed OIDC secret**:
 ```bash
-# Write OIDC secret to Vault
-vault kv put kv/web-app/auth-oidc \
-  client-secret=super-secret-value \
-  cookie-secret=$(openssl rand -hex 32)
-# Then create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
+# Create and seal secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=super-secret-value \
+  --from-literal=cookie-secret=$(openssl rand -hex 32) \
+  --namespace=web-app \
+  --dry-run=client -o yaml | \
+  kubeseal --format=yaml --cert=pub-cert.pem --namespace=web-app \
+  > secrets/web-app-auth-oidc-sealed.yaml
 ```
 
 #### Example 3: MCP Server with OAuth 2.0
@@ -1229,7 +1264,7 @@ kubectl logs -n myapp <pod-name> -c authn
 - Use token auth for service-to-service communication
 - Rotate tokens and secrets regularly
 - Use strong random tokens (32+ bytes)
-- Store client secrets in Vault
+- Store client secrets in SealedSecrets
 - Test authentication before deploying to production
 - Document which tokens/users have access
 
@@ -1301,16 +1336,34 @@ stringData:
 
 | Field | Required | Description |
 |-------|----------|-------------|
-| `clientId` | Yes | Keycloak client ID |
-| `name` | Yes | Display name in Keycloak |
-| `redirectUris` | Yes | Allowed redirect URIs |
-| `webOrigins` | Yes | Allowed web origins (CORS) |
-| `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) |
-| `protocolMappers` | No | Custom claim mappers (default: `[]`) |
-| `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) |
-| `secret.name` | No | Name of the credential Secret (default: `<clientId>-oidc-credentials`) |
-| `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) |
-| `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) |
+| `clientId` | Yes | Keycloak client ID (must be unique in realm) |
+| `name` | Yes | Display name in Keycloak UI |
+| `redirectUris` | Yes | Allowed OAuth redirect URLs (supports wildcards like `/*`) |
+| `webOrigins` | Yes | Allowed CORS origins |
+| `defaultClientScopes` | No | OIDC scopes (default: `["openid", "email", "profile"]`) |
+| `protocolMappers` | No | Custom claim mappers for tokens (see examples below) |
+| `secret.namespace` | No | Target namespace for credentials (default: `source-namespace` annotation value) |
+| `secret.name` | No | Credential Secret name (default: `<clientId>-oidc-credentials`) |
+| `secret.keys.clientId` | No | Key name for client ID (default: `client-id`) |
+| `secret.keys.clientSecret` | No | Key name for client secret (default: `client-secret`) |
+
+**Protocol Mappers Example**:
+```json
+"protocolMappers": [
+  {
+    "name": "groups",
+    "protocol": "openid-connect",
+    "protocolMapper": "oidc-group-membership-mapper",
+    "config": {
+      "claim.name": "groups",
+      "full.path": "false",
+      "id.token.claim": "true",
+      "access.token.claim": "true",
+      "userinfo.token.claim": "true"
+    }
+  }
+]
+```
 
 #### Step 2: Reference the Credential Secret
 
@@ -1533,22 +1586,22 @@ curl http://localhost:8080
 
 #### Problem: Secret not found
 
-**Check VSO sync status:**
+**Check if SealedSecret exists:**
 ```bash
-kubectl get vaultstaticsecret -n myapp
+kubectl get sealedsecret -n myapp
 kubectl get secret -n myapp
 ```
 
 **Solutions:**
 ```bash
-# Check VaultAuth is authenticated
-kubectl get vaultauth -n myapp
+# Check if secret is in Git
+ls -l secrets/myapp-credentials-sealed.yaml
 
-# Check VaultStaticSecret events
-kubectl describe vaultstaticsecret myapp-credentials -n myapp
+# Re-apply sealed secret
+kubectl apply -f secrets/myapp-credentials-sealed.yaml
 
-# Verify secret exists in Vault
-vault kv get kv/myapp/myapp-credentials
+# Check sealed-secrets-controller logs
+kubectl logs -n kube-system deployment/sealed-secrets-controller
 ```
 
 #### Problem: Secret exists but pods can't access it
@@ -1659,7 +1712,7 @@ If you're stuck:
 ### Secret Management
 
 ✅ **DO**:
-- Use Vault for all secrets (see docs/vault-secrets-operator.md)
+- Use kubeseal for all secrets
 - Store plain secrets in password manager
 - Rotate secrets regularly
 - Use different secrets per environment
@@ -1711,9 +1764,16 @@ kubectl rollout restart deployment myapp -n myapp
 # Port-forward to service
 kubectl port-forward -n myapp service/myapp 8080:3000
 
-# Write secret to Vault
-vault kv put kv/myapp/myapp-credentials KEY=value
-# Create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
+# Create secret
+kubectl create secret generic myapp-credentials \
+  --from-literal=KEY=value \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# Seal secret
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
 ```
 
 ### Repository Locations

docs/GITOPS-ARCHITECTURE.md

@@ -115,9 +115,30 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 
 ```
 launchpad/
-├── bootstrap.sh                      # Cluster initialization script
-├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
-├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
+├── bootstrap.sh                      # Cluster initialization (ArgoCD + GitOps)
+├── _app-of-apps-{cluster}.yaml      # Root ArgoCD Application (per cluster)
+│
+├── .tofu/                            # Infrastructure provisioning (OpenTofu)
+│   ├── platforms/                    # Per-platform IaC
+│   │   ├── aks/                      # Azure AKS
+│   │   │   ├── modules/cluster/     # Reusable AKS module
+│   │   │   ├── dev/                 # tofu root for aks-dev
+│   │   │   ├── prod/                # tofu root for aks-prod
+│   │   │   └── workload/            # workload cluster (no data services)
+│   │   ├── eks/                      # AWS EKS (same structure)
+│   │   ├── gke/                      # GCP GKE
+│   │   └── upc/                      # UpCloud
+│   ├── configs/                      # Platform credentials (git-ignored)
+│   │   └── {platform}.env.example   # Template per platform
+│   └── scripts/
+│       ├── setup-cluster.sh          # ./setup-cluster.sh <cluster> [--plan|--auto]
+│       ├── teardown-cluster.sh       # ./teardown-cluster.sh <cluster>
+│       └── get-kubeconfig.sh         # ./get-kubeconfig.sh <cluster>
+│
+├── clusters/                         # Cluster metadata YAML (domain, IPs, etc.)
+│   ├── aks-dev.yaml
+│   ├── upc-dev.yaml
+│   └── ...
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
 │   ├── base/                         # Base Application manifests (one dir per component)

docs/OPERATIONS-RUNBOOK.md

@@ -188,15 +188,13 @@ Save the following file in private/ (gitignored) folder as secret.yaml
       <paste your private key here>
     project: default
 ```
-Write the secret to Vault:
+Seal the secret using `kubeseal` command 
 ```bash
-vault kv put kv/argocd/forte-helm-repo \
-  type=git \
-  url=ssh://git@git.forteapps.net:2222/Forte/forte-helm.git \
-  sshPrivateKey="$(cat private/ssh-key)" \
-  project=default
+kubeseal --format=yaml \
+  --namespace=argocd \
+  < private/secret.yaml \
+  > secrets/forte-helm-repo-secret-sealed.yaml
 ```
-Then create a VaultStaticSecret CRD with `argocd.argoproj.io/secret-type: repository` label.
 
 **Step 4: Register Repository in ArgoCD**
 
@@ -501,7 +499,7 @@ See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for d
 **Quick checklist:**
 - [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
-- [ ] Write secrets to Vault and create VaultStaticSecret CRD if needed
+- [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
 - [ ] Verify sync in Slack/ArgoCD
 - [ ] Configure DNS for domain
@@ -672,61 +670,92 @@ db:
 
 ## Secret Management
 
-Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
-
 ### Creating Secrets
 
-#### Step 1: Write to Vault
+#### Step 1: Get Public Certificate
 
 ```bash
-# From literal values
-vault kv put kv/myapp/myapp-credentials \
-  API_KEY=secret123 \
-  DB_PASSWORD=pass456
+# Fetch sealed-secrets public cert (one-time)
+kubeseal --fetch-cert \
+  --controller-name=sealed-secrets-controller \
+  --controller-namespace=kube-system \
+  > pub-cert.pem
+
+# Save this certificate for future use
 ```
 
-#### Step 2: Create VaultStaticSecret CRD
-
-```yaml
-# apps/base/myapp/myapp-credentials-vault.yaml
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: myapp-credentials
-  namespace: myapp
-spec:
-  type: kv-v2
-  mount: kv
-  path: myapp/myapp-credentials
-  destination:
-    name: myapp-credentials
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth
-```
-
-#### Step 3: Commit CRD
+#### Step 2: Create Plain Secret
 
 ```bash
-git add apps/base/myapp/myapp-credentials-vault.yaml
-git commit -m "Add myapp credentials (VSO)"
+# Method 1: From literal values
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=secret123 \
+  --from-literal=DB_PASSWORD=pass456 \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# Method 2: From file
+kubectl create secret generic myapp-credentials \
+  --from-file=.env \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# Method 3: From multiple files
+kubectl create secret generic myapp-credentials \
+  --from-file=api-key.txt \
+  --from-file=db-password.txt \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+```
+
+#### Step 3: Seal Secret
+
+```bash
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+```
+
+#### Step 4: Commit Sealed Secret
+
+```bash
+git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Add myapp credentials"
 git push
+
+# Delete plain secret
+rm private/myapp-credentials.yaml
 ```
 
-ArgoCD syncs the CRD, VSO creates the K8s Secret automatically.
-
-### Updating / Rotating Secrets
-
-**No git commit needed** — just update in Vault:
+### Updating Secrets
 
 ```bash
-vault kv put kv/myapp/myapp-credentials \
-  API_KEY=new-secret-key \
-  DB_PASSWORD=new-password
+# 1. Create new version
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=new-secret-key \
+  --from-literal=DB_PASSWORD=new-password \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
 
-# VSO picks up changes within 30 seconds
-# Restart pods if needed
+# 2. Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+
+# 3. Commit
+git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Update myapp credentials"
+git push
+
+# 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
+
+# 5. Delete plain secret
+rm private/myapp-credentials.yaml
 ```
 
 ### Viewing Secrets (Unsealed)
@@ -803,13 +832,30 @@ OIDC auth requires an `auth-oidc` Secret with two keys:
 CLIENT_SECRET="your-oidc-client-secret-from-provider"
 COOKIE_SECRET=$(openssl rand -hex 32)
 
-# Write to Vault
-vault kv put kv/myapp/auth-oidc \
-  client-secret=$CLIENT_SECRET \
-  cookie-secret=$COOKIE_SECRET
+# Create plain secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=$CLIENT_SECRET \
+  --from-literal=cookie-secret=$COOKIE_SECRET \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
 
-# Create VaultStaticSecret CRD (one-time) and commit
-# See docs/vault-secrets-operator.md for CRD template
+# Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-auth-oidc.yaml \
+  > secrets/myapp-auth-oidc-sealed.yaml
+
+# Apply sealed secret
+kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
+
+# Commit to Git
+git add secrets/myapp-auth-oidc-sealed.yaml
+git commit -m "Add OIDC secrets for myapp"
+git push
+
+# Clean up
+rm private/myapp-auth-oidc.yaml
 ```
 
 #### Rotating Authentication Secrets
@@ -836,12 +882,16 @@ kubectl rollout restart deployment myapp -n myapp
 # Rotate cookie secret (safe - invalidates existing sessions)
 NEW_COOKIE_SECRET=$(openssl rand -hex 32)
 
-# Update in Vault — no git commit needed
-vault kv put kv/myapp/auth-oidc \
-  client-secret=$CLIENT_SECRET \
-  cookie-secret=$NEW_COOKIE_SECRET
+# Recreate secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=$CLIENT_SECRET \
+  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
+  --namespace=myapp \
+  --dry-run=client -o yaml | \
+  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
+  kubectl apply -f -
 
-# VSO picks up within 30s. Restart pods to use new secret:
+# Restart to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```
 
@@ -1292,11 +1342,13 @@ kubectl get applications -n argocd -w
                - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
    ```
 
-3. **Vault backup**
+3. **Sealed Secrets private key backup**
    ```bash
-   # Vault data is stored on PVC — ensure PVC snapshots are configured
-   # For disaster recovery, maintain Vault unseal keys in a secure location
-   # All secrets can be re-seeded from source if needed
+   # Backup sealed-secrets controller private key
+   kubectl get secret -n kube-system sealed-secrets-key \
+     -o yaml > sealed-secrets-key-backup.yaml
+
+   # Store in secure location (password manager, vault)
    ```
 
 ---
@@ -1616,7 +1668,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
-- [ ] Secrets written to Vault and VaultStaticSecret CRD created
+- [ ] Secrets created and sealed
 - [ ] DNS record added for domain
 - [ ] Application synced successfully
 - [ ] Health check passed

docs/REFERENCE.md

@@ -72,9 +72,22 @@ Internet
 
 ```
 launchpad/
-├── bootstrap.sh                   # Cluster initialization script
-├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
-├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
+├── bootstrap.sh                   # Cluster initialization (ArgoCD + GitOps)
+├── _app-of-apps-{cluster}.yaml   # Root ArgoCD Application (per cluster)
+│
+├── .tofu/                         # Infrastructure provisioning (OpenTofu)
+│   ├── platforms/                 # Per-platform IaC
+│   │   ├── aks/                   # Azure: modules/cluster/, dev/, prod/, workload/
+│   │   ├── eks/                   # AWS: same structure
+│   │   ├── gke/                   # GCP
+│   │   └── upc/                   # UpCloud
+│   ├── configs/                   # Platform credentials (git-ignored)
+│   └── scripts/                   # setup-cluster.sh, teardown-cluster.sh, get-kubeconfig.sh
+│
+├── clusters/                      # Cluster metadata YAML
+│   ├── aks-dev.yaml
+│   ├── upc-dev.yaml
+│   └── ...
 │
 ├── infra/                         # Infrastructure applications (Kustomize)
 │   ├── base/                      # One subdirectory per component
@@ -1063,6 +1076,52 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### Vaultwarden
+
+**Chart**: `guerzon/vaultwarden`
+**Version**: 0.36.4 (app v1.36.0-alpine)
+**Namespace**: `vaultwarden`
+
+**Purpose**: Self-hosted Bitwarden-compatible password manager.
+
+**Configuration**:
+```yaml
+# infra/overlays/upc-dev/vaultwarden/ + infra/values/
+domain: "https://bitwarden.forteapps.net"
+
+ingress:
+  enabled: true
+  class: "traefik"
+  tls: true
+  tlsSecret: vaultwarden-tls
+  hostname: bitwarden.forteapps.net
+  additionalAnnotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+
+database:
+  type: postgresql
+  host: vaultwarden-postgresql  # StatefulSet in overlay
+  existingSecret: prod-db-creds
+
+storage:
+  data: 5Gi (ReadWriteOnce)
+  attachments: 5Gi (ReadWriteOnce)
+```
+
+**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
+
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
+
+**Endpoints**:
+- Web UI: `https://bitwarden.forteapps.net`
+
+**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
+
+**Secrets**:
+- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
+- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+- `vaultwarden-tls` — auto-managed by cert-manager
+
 ### AI Code Review (ai-review)
 
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1141,6 +1200,30 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 
+### Keycloak Browser Flow (IdP Auto-Redirect)
+
+**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
+
+The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
+
+**Flow executions**:
+
+| Priority | Authenticator | Requirement | Purpose |
+|----------|--------------|-------------|---------|
+| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
+| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
+
+**Key fields in realm JSON**:
+- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
+- `"authenticationFlows"` — defines the custom flow with its executions
+- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
+
+**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
+
+**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
+
+---
+
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1172,9 +1255,18 @@ ignore:
 
 **Resources**:
 - `ServiceAccount`: `keycloak-client-registrar` (namespace: `keycloak`)
-- `ClusterRole`: `keycloak-client-registrar` (secrets: get/list/create/update/patch; namespaces: get/list)
+- `ClusterRole`: `keycloak-client-registrar` 
+  - Secrets: `get`, `list`, `create`, `update`, `patch`
+  - Namespaces: `get`, `list`
 - `ClusterRoleBinding`: `keycloak-client-registrar`
 - `CronJob`: `keycloak-client-registrar`
+  - **Schedule**: `*/2 * * * *` (every 2 minutes)
+  - **Concurrency Policy**: `Forbid` (prevents concurrent runs)
+  - **Backoff Limit**: 3 retries per job
+  - **History**: 1 successful job, 3 failed jobs retained
+  - **Resources**: 50m CPU / 64Mi memory (requests), 200m CPU / 128Mi memory (limits)
+
+**Container**: Alpine 3.20 with `curl` and `jq` installed
 
 **Kyverno Policy**: `keycloak-client-config-cloner` — clones labeled Secrets from app namespaces to `keycloak` namespace (see [Kyverno Policies](#kyverno-policies))
 
@@ -1384,46 +1476,6 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 
-### Keycloak Microsoft/Entra Identity Provider
-
-**File**: `infra/values/upc-dev/keycloak-values.yaml`
-**Namespace**: `keycloak`
-
-**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
-
-**Configuration via keycloakConfigCli**:
-- IdP alias: `forte-entra`, provider: `microsoft`
-- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
-- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
-
-**Key Configuration Notes**:
-
-| Field | Location | Notes |
-|-------|----------|-------|
-| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
-| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
-| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
-| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
-
-**Token Storage & Broker Access**:
-- `storeToken: true` persists the Entra access token in Keycloak
-- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
-- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
-
-**Identity Provider Mappers**:
-- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
-
-**Required Secret** (`microsoft-idp-credentials`):
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: microsoft-idp-credentials
-  namespace: keycloak
-stringData:
-  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
-```
-
 ### Default Namespace Blocker
 
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`

docs/vault-secrets-operator.md

@@ -1,206 +0,0 @@
-# Vault Secrets Operator (VSO) Reference
-
-## Overview
-
-The platform uses HashiCorp Vault Secrets Operator (VSO) to sync secrets from Vault KV v2 to native Kubernetes Secrets. This replaces the previous SealedSecrets workflow.
-
-**Key benefit**: Secret values can be rotated via Vault UI/CLI without a git commit. Only new VaultStaticSecret CRDs need to be committed.
-
-## Architecture
-
-```
-Vault (KV v2)                VSO                        K8s Secret
-kv/{namespace}/{name}  -->  VaultStaticSecret CRD  -->  Secret in namespace
-                            (polls every 30s)
-```
-
-- **Vault**: Standalone instance in `vault` namespace, KV v2 at `kv/`
-- **VSO**: Deployed in `vault-secrets-operator-system` namespace via ArgoCD
-- **Auth**: Kubernetes auth method — each namespace has its own ServiceAccount + VaultAuth CRD
-
-## KV Path Convention
-
-```
-kv/{namespace}/{secret-name}
-```
-
-Examples:
-- `kv/homepage/homepage-widget-credentials`
-- `kv/argocd/forte-helm-repo`
-- `kv/gitea/gitea-smtp-secret`
-- `kv/keycloak/keycloak-credentials`
-
-## Vault Policy Structure
-
-Each namespace gets a read-only policy:
-
-```hcl
-# Policy: ns-{namespace}
-path "kv/data/{namespace}/*" {
-  capabilities = ["read"]
-}
-path "kv/metadata/{namespace}/*" {
-  capabilities = ["read", "list"]
-}
-```
-
-## Kubernetes Auth Roles
-
-Each namespace has a bound ServiceAccount:
-
-```
-Role: ns-{namespace}
-  bound_service_account_names: vault-auth-{namespace}
-  bound_service_account_namespaces: {namespace}
-  policies: ns-{namespace}
-  audience: vault
-  ttl: 1h
-```
-
-## CRD Reference
-
-### VaultAuth
-
-Per-namespace auth binding. One per namespace.
-
-```yaml
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: {namespace}
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-{namespace}
-    serviceAccount: vault-auth-{namespace}
-    audiences:
-    - vault
-```
-
-Each VaultAuth requires a corresponding ServiceAccount:
-
-```yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-{namespace}
-  namespace: {namespace}
-```
-
-### VaultStaticSecret
-
-One per secret. Syncs a Vault KV path to a K8s Secret.
-
-```yaml
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: {secret-name}
-  namespace: {namespace}
-spec:
-  type: kv-v2
-  mount: kv
-  path: {namespace}/{secret-name}
-  destination:
-    name: {secret-name}        # K8s Secret name (must match what apps expect)
-    create: true
-    type: Opaque               # Optional, defaults to Opaque
-    labels:                    # Optional, for secrets that need labels
-      some-label: "value"
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth
-```
-
-## Special Labels
-
-Some secrets require specific labels for correct operation:
-
-| Secret | Label | Purpose |
-|--------|-------|---------|
-| `renovate-env` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
-| `gitea-smtp-secret` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
-| `forte-helm-repo` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
-| `forte10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
-| `mcp10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
-
-These are set in `destination.labels` of the VaultStaticSecret CRD.
-
-## Namespaces & Secrets Map
-
-| Namespace | Secrets |
-|-----------|---------|
-| `homepage` | homepage-widget-credentials |
-| `renovate` | renovate-env |
-| `gitea` | gitea-credentials, gitea-backup-s3, gitea-smtp-secret, gitea-runner-token |
-| `keycloak` | keycloak-credentials, microsoft-idp-credentials (overlay) |
-| `argocd` | forte-helm-repo, forte10x-repo-creds, mcp10x-repo-creds, argocd-notifications-secret |
-| `mcp10x` | app-credentials |
-| `ts-mcp` | ts-mcp-secrets |
-| `argocd-mcp` | auth-oidc, argocd-mcp-credentials |
-| `dot-ai` | dot-ai-secrets |
-| `music-man` | musicman-credentials |
-
-## Common Operations
-
-### Add a new secret
-
-1. Write to Vault:
-   ```bash
-   vault kv put kv/{namespace}/{secret-name} key1=val1 key2=val2
-   ```
-
-2. Create VaultStaticSecret YAML (see template above)
-
-3. Add to kustomization.yaml in the appropriate directory
-
-4. Commit and push — ArgoCD syncs the CRD, VSO creates the K8s Secret
-
-### Rotate a secret value
-
-No git commit needed:
-```bash
-vault kv put kv/{namespace}/{secret-name} key1=new-val1 key2=new-val2
-```
-VSO picks up changes within 30 seconds.
-
-### Check sync status
-
-```bash
-# VaultAuth status
-kubectl get vaultauth -n {namespace}
-
-# VaultStaticSecret status
-kubectl get vaultstaticsecret -n {namespace}
-
-# Verify K8s Secret exists with correct keys
-kubectl get secret {name} -n {namespace} -o jsonpath='{.data}' | jq
-```
-
-### Troubleshooting
-
-1. **VaultAuth not authenticating**: Check ServiceAccount exists, Vault role matches SA name/namespace
-2. **VaultStaticSecret not syncing**: Check `kubectl describe vaultstaticsecret {name} -n {ns}` for events
-3. **Secret missing keys**: Verify Vault KV path has all expected keys: `vault kv get kv/{ns}/{name}`
-4. **Permission denied**: Verify Vault policy allows read on `kv/data/{ns}/*`
-
-## File Locations
-
-| Type | Location |
-|------|----------|
-| VSO ArgoCD Application | `infra/base/vault-secrets-operator/` |
-| VSO Helm values | `infra/values/base/vault-secrets-operator-values.yaml` |
-| Vault policies script | `scripts/vault-setup-policies.sh` |
-| Seed script | `scripts/seed-vault-from-cluster.sh` |
-| VaultAuth + VaultStaticSecret | Alongside ArgoCD Application in each component directory |
-
-## Setup Scripts
-
-```bash
-# Create all Vault policies and auth roles
-./scripts/vault-setup-policies.sh
-
-# Seed Vault KV from existing K8s Secrets
-./scripts/seed-vault-from-cluster.sh
-```

infra/base/gitea/gitea-backup-s3-vault.yaml

@@ -1,15 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: gitea-backup-s3
-  namespace: gitea
-spec:
-  type: kv-v2
-  mount: kv
-  path: gitea/gitea-backup-s3
-  destination:
-    name: gitea-backup-s3
-    create: true
-    type: Opaque
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

infra/base/gitea/gitea-credentials-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: gitea-credentials
-  namespace: gitea
-spec:
-  type: kv-v2
-  mount: kv
-  path: gitea/gitea-credentials
-  destination:
-    name: gitea-credentials
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

infra/base/gitea/gitea-runner-token-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: gitea-runner-token
-  namespace: gitea
-spec:
-  type: kv-v2
-  mount: kv
-  path: gitea/gitea-runner-token
-  destination:
-    name: gitea-runner-token
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

infra/base/gitea/gitea-smtp-secret-vault.yaml

@@ -1,17 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: gitea-smtp-secret
-  namespace: gitea
-spec:
-  type: kv-v2
-  mount: kv
-  path: gitea/gitea-smtp-secret
-  destination:
-    name: gitea-smtp-secret
-    create: true
-    type: Opaque
-    labels:
-      allowedToBeCloned: "true"
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth

infra/base/gitea/kustomization.yaml

@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
-- vault-auth.yaml
-- gitea-credentials-vault.yaml
-- gitea-backup-s3-vault.yaml
-- gitea-smtp-secret-vault.yaml
-- gitea-runner-token-vault.yaml
-# Removed: gitea-*-sealed.yaml (migrated to VSO)
+- gitea-backup-s3-sealed.yaml
+- gitea-credentials-sealed.yaml
+- gitea-runner-token-sealed.yaml
+- gitea-smtp-secret-sealed.yaml

infra/base/gitea/vault-auth.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-auth-gitea
-  namespace: gitea
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: vault-auth
-  namespace: gitea
-spec:
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: ns-gitea
-    serviceAccount: vault-auth-gitea
-    audiences:
-    - vault

infra/base/homepage/homepage-widget-credentials-vault.yaml

@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: homepage-widget-credentials
-  namespace: homepage
-spec:
-  type: kv-v2
-  mount: kv
-  path: homepage/homepage-widget-credentials
-  destination:
-    name: homepage-widget-credentials
-    create: true
-  refreshAfter: 30s
-  vaultAuthRef: vault-auth