Merge branch 'feature/cloud-agnostic' into feature/multi-cloud

sync
2026-04-22 22:06:31 +02:00 · 2026-04-22 21:56:43 +02:00 · 2026-04-22 21:53:44 +02:00 · 2026-04-22 21:48:02 +02:00 · 2026-04-22 14:45:23 +02:00 · 2026-04-22 14:42:02 +02:00
128 changed files with 2513 additions and 1910 deletions
@@ -1,2 +0,0 @@
-# Force LF line endings for shell scripts
-*.sh text eol=lf
@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl

 ### What's Inside

- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -84,25 +84,24 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
-│   │   ├── kustomization.yaml # Aggregates all component subdirectories
-│   │   ├── traefik-application/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── traefik-application.yaml
-│   │   ├── keycloak/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── keycloak.yaml
-│   │   ├── grafana/
-│   │   ├── prometheus/
-│   │   ├── ...               # Each component in its own subdirectory
-│   │   └── secrets/
+│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                # All other Application manifests
+│   │   └── secrets.yaml
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
-│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
-│   │   ├── aks-dev/          # Azure AKS Dev — selective components only
-│   │   ├── aks-prod/         # Azure AKS Prod
+│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
+│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
+│   │   ├── aks-dev/        # Azure AKS Dev
+│   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
@@ -117,18 +116,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications (Kustomize, same pattern as infra)
-│   ├── base/                  # One subdirectory per app
-│   │   ├── kustomization.yaml
-│   │   ├── musicman/
-│   │   ├── mcp10x/
-│   │   ├── dot-ai-stack/
-│   │   ├── ts-mcp/
-│   │   └── argo-mcp/
-│   └── overlays/              # Per-cluster: cherry-pick or include all
-│       ├── upc-dev/           # All apps
-│       ├── upc-prod/         # All apps + patches
-│       └── aks-dev/          # Selective apps only
+├── apps/                      # Business Applications
+│   ├── mcp10x.yaml
+│   ├── musicman.yaml
+│   ├── dot-ai-stack.yaml
+│   └── argo-mcp.yaml
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -363,6 +355,7 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
+| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |

 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)

@@ -380,7 +373,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts

 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.

 ### Multi-Source Pattern
 Applications reference both:
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- argo-mcp.yaml
- argocdmcp-auth-oidc-sealed.yaml
- argocd-mcp-credentials.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- dot-ai-stack.yaml
- dot-ai-secrets.yaml
@@ -1,8 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- dot-ai-stack
- mcp10x
- musicman
- ts-mcp
- argo-mcp
+- dot-ai-stack.yaml
+- mcp10x.yaml
+- musicman.yaml
+- argo-mcp.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- mcp10x.yaml
- forte10x-app-credentials-sealed.yaml
@@ -36,8 +36,13 @@ spec:
    automated:
      prune: true
      selfHeal: true
+      allowEmpty: false
+
    syncOptions:
    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=false
+    - Replace=false
    retry:
      limit: 5
      backoff:
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- musicman.yaml
- musicman-credentials.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- ts-mcp.yaml
- ts-mcp-secrets-sealed.yaml
@@ -1,13 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: ts-mcp-secrets
-  namespace: ts-mcp
-spec:
-  encryptedData:
-    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
-  template:
-    metadata:
-      name: ts-mcp-secrets
-      namespace: ts-mcp
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- ../../base/musicman
@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dbunk-demo
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "12"
-  labels:
-    app.kubernetes.io/name: dbunk-demo
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/dbunk-demo/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: dbunk-demo
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- dbunk-demo.yaml
@@ -1,53 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: feedback
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "12"
-  labels:
-    app.kubernetes.io/name: feedback
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/feedback/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: feedback
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- feedback.yaml
@@ -2,8 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- dbunk-demo
- feedback

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
@@ -1,5 +1,4 @@
 #!/bin/zsh
-
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh

@@ -18,7 +17,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
    ArgoCd
-    Gitea
+#    Gitea
 }


@@ -28,8 +27,8 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
-    kubectl apply -f "private/${CLUSTER}/main.key"
+    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f private/main.key
 }

 ############################################################
@@ -37,15 +36,10 @@ Gitea()
 ############################################################
 ArgoCd()
 {
-    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
-    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
-    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
-
    # install argocd
    echo "Installing ArgoCD..."
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
-            --version "7.8.0" \
            --namespace argocd --create-namespace \
            --values infra/values/base/argocd-values.yaml \
            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -55,4 +49,4 @@ ArgoCd()
    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }

-Bootstrap
+# Bootstrap
@@ -1,83 +0,0 @@
-# CronJob: syncs OIDC client secret from registrar-managed
-# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
-# Runs every 2 min. No-ops if source secret doesn't exist yet
-# (safe for fresh deploys before Keycloak is up).
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
-rules:
- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
-  verbs: ["get", "patch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argocd-oidc-sync
-subjects:
- kind: ServiceAccount
-  name: argocd-oidc-sync
-  namespace: argocd
---
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: argocd-oidc-sync
-  namespace: argocd
-spec:
-  schedule: "*/2 * * * *"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 1
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 1
-      template:
-        spec:
-          serviceAccountName: argocd-oidc-sync
-          restartPolicy: Never
-          containers:
-          - name: sync
-            image: bitnami/kubectl:latest
-            command: ["/bin/sh", "-c"]
-            args:
-            - |
-              set -e
-
-              # Exit gracefully if source secret doesn't exist yet
-              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
-                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
-                exit 0
-              fi
-
-              # Read current OIDC client secret
-              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
-                -o jsonpath='{.data.client-secret}' | base64 -d)
-
-              # Read current value in argocd-secret (if any)
-              CURRENT=$(kubectl get secret argocd-secret -n argocd \
-                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
-
-              # Only patch if changed
-              if [ "$NEW_SECRET" = "$CURRENT" ]; then
-                echo "oidc.clientSecret already up to date"
-                exit 0
-              fi
-
-              kubectl patch secret argocd-secret -n argocd --type merge \
-                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
-              echo "Patched argocd-secret with oidc.clientSecret"
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-repo-server-config
-  namespace: argocd
-data:
-  # Disable git submodule checkout - submodules (e.g. shared-prompts)
-  # are not needed for K8s manifest generation
-  ARGOCD_GIT_MODULES_ENABLED: "false"
@@ -245,12 +245,6 @@ spec:
                secretKeyRef:
                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
-            - name: AUTH_OIDC_IDP_HINT
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
-            - name: AUTH_OIDC_BROKER_ALIAS
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
-            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -330,8 +324,6 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
-            - name: AUTH_MCP_IDP_HINT
-              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -26,6 +26,7 @@ spec:
          - monitoring
          - secrets
          - kyverno
+          - trivy-system
    match:
      any:
      - resources:
@@ -16,6 +16,7 @@ spec:
      - resources:
          namespaces:
          - kube-system
+          - trivy-system
          - monitoring
          - argocd
          - cert-manager
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: dev-aks                  # <- adjust to your AKS cluster name
+domain: example.com                   # <- adjust to your domain
+argocdDomain: argocd.example.com
+grafanaDomain: grafana.example.com
+keycloakDomain: id.example.com
+dotaiDomain: kubemcp.example.com
+dotaiUiDomain: kubemcpui.example.com
+letsencryptEmail: admin@example.com   # <- adjust
+trustedIPs: "10.0.0.0/8,168.63.129.16/32"  # <- VNet CIDR + Azure health probe
+cloudProvider: azure
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
-cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: prod-aks                 # <- adjust to your AKS cluster name
+domain: example.com                   # <- adjust to your domain
+argocdDomain: argocd.example.com
+grafanaDomain: grafana.example.com
+keycloakDomain: id.example.com
+dotaiDomain: kubemcp.example.com
+dotaiUiDomain: kubemcpui.example.com
+letsencryptEmail: admin@example.com   # <- adjust
+trustedIPs: "10.0.0.0/8,168.63.129.16/32"  # <- VNet CIDR + Azure health probe
+cloudProvider: azure
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
-cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: dev-eks                  # <- adjust to your EKS cluster name
+domain: example.com                   # <- adjust to your domain
+argocdDomain: argocd.example.com
+grafanaDomain: grafana.example.com
+keycloakDomain: id.example.com
+dotaiDomain: kubemcp.example.com
+dotaiUiDomain: kubemcpui.example.com
+letsencryptEmail: admin@example.com   # <- adjust
+trustedIPs: "10.0.0.0/8"             # <- adjust to your VPC CIDR
+cloudProvider: eks
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
-cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: prod-eks                 # <- adjust to your EKS cluster name
+domain: example.com                   # <- adjust to your domain
+argocdDomain: argocd.example.com
+grafanaDomain: grafana.example.com
+keycloakDomain: id.example.com
+dotaiDomain: kubemcp.example.com
+dotaiUiDomain: kubemcpui.example.com
+letsencryptEmail: admin@example.com   # <- adjust
+trustedIPs: "10.0.0.0/8"             # <- adjust to your VPC CIDR
+cloudProvider: eks
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
-cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: dev-gke                  # <- adjust to your GKE cluster name
+domain: example.com                   # <- adjust to your domain
+argocdDomain: argocd.example.com
+grafanaDomain: grafana.example.com
+keycloakDomain: id.example.com
+dotaiDomain: kubemcp.example.com
+dotaiUiDomain: kubemcpui.example.com
+letsencryptEmail: admin@example.com   # <- adjust
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"  # <- subnet CIDR + GCP health checks
+cloudProvider: gke
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
-domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
-dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
-letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
-cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: prod-gke                 # <- adjust to your GKE cluster name
+domain: example.com                   # <- adjust to your domain
+argocdDomain: argocd.example.com
+grafanaDomain: grafana.example.com
+keycloakDomain: id.example.com
+dotaiDomain: kubemcp.example.com
+dotaiUiDomain: kubemcpui.example.com
+letsencryptEmail: admin@example.com   # <- adjust
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"  # <- subnet CIDR + GCP health checks
+cloudProvider: gke
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
-domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
-cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: dev-fd-no-svg1
+domain: forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.forteapps.net
+keycloakDomain: id.forteapps.net
+dotaiDomain: kubemcp.forteapps.net
+dotaiUiDomain: kubemcpui.forteapps.net
+letsencryptEmail: danijels@gmail.com
+trustedIPs: "172.16.1.0/24"
+cloudProvider: upcloud
@@ -1,12 +1,10 @@
-# Cluster config reference — values must match the corresponding overlay files.
-# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
-domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
-argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
-grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
-keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
-dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
-dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
-letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
-trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
-cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
+clusterName: prod-fd-no-svg1
+domain: fortedigital.com
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.fortedigital.com
+keycloakDomain: id.fortedigital.com
+dotaiDomain: kubemcp.fortedigital.com
+dotaiUiDomain: kubemcpui.fortedigital.com
+letsencryptEmail: danijel.simeunovic@fortedigital.com
+trustedIPs: "172.16.1.0/24"
+cloudProvider: upcloud
@@ -1,32 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
-  "packages": [
-    "kubectl@1.33.2",
-    "kubernetes-helm@3.18.4",
-    "k9s@0.50.7",
-    "kubeseal@0.30.0",
-    "argocd@2.14.11",
-    "kubecm@0.33.1",
-    "kubectl-tree@0.4.3",
-    "kind@0.29.0",
-    "kustomize@5.7.0",
-    "kyverno@1.14.3",
-    "syft@1.29.0",
-    "grype@0.92.2",
-    "traefik@3.6.7",
-    "claude-code@latest",
-    "go@latest",
-    "dotnet-sdk@latest",
-    "opentofu@1.11.6"
-  ],
-  "shell": {
-    "init_hook": [
-      "echo 'Welcome to devbox!' > /dev/null"
-    ],
-    "scripts": {
-      "test": [
-        "echo \"Error: no test specified\" && exit 1"
-      ]
-    }
-  }
-}
@@ -654,11 +654,21 @@ kubectl create secret generic myapp-credentials \

 #### Step 2: Seal the Secret

+Get the public certificate (one-time setup):
+
+```bash
+# Fetch public cert from cluster
+kubeseal --fetch-cert \
+  --controller-name=sealed-secrets-controller \
+  --controller-namespace=kube-system \
+  > pub-cert.pem
+```
+
 Seal your secret:

 ```bash
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
@@ -701,7 +711,7 @@ kubectl create secret generic myapp-credentials \

 # 2. Seal it
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml

@@ -952,46 +962,6 @@ User sees application (authenticated)

 ---

-### Accessing Authenticated User Information
-
-The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
-
-After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
-
-| Header | Description | Available in |
-|--------|-------------|-------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-**Your application reads these headers — no auth library needed:**
-
-```javascript
-// Express.js example
-app.get('/profile', (req, res) => {
-  const user = req.headers['x-auth-user'];
-  const email = req.headers['x-auth-email'];
-  res.json({ user, email });
-});
-```
-
-```python
-# Flask example
-@app.route('/profile')
-def profile():
-    user = request.headers.get('X-Auth-User')
-    email = request.headers.get('X-Auth-Email')
-    return jsonify(user=user, email=email)
-```
-
-**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
-
-**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
-
---
-
 ### Authentication Configuration Reference

 #### Helm Values Schema
@@ -120,25 +120,24 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (one dir per component)
-│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
-│   │   ├── traefik-application/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── traefik-application.yaml
-│   │   ├── keycloak/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── keycloak.yaml
-│   │   ├── grafana/
-│   │   ├── prometheus/
-│   │   ├── ...                       # Each component in its own subdirectory
-│   │   └── secrets/
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                       # All other Application manifests
+│   │   └── secrets.yaml
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
-│   │   ├── upc-prod/                # UpCloud Prod — all + patches
-│   │   ├── aks-dev/                 # Azure AKS Dev — selective components
-│   │   ├── aks-prod/               # Azure AKS Prod
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
+│   │   ├── aks-dev/               # Azure AKS Dev
+│   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
@@ -150,17 +149,13 @@ launchpad/
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # One subdirectory per app
+│   ├── base/                         # Base app manifests
 │   │   ├── kustomization.yaml
-│   │   ├── musicman/
-│   │   ├── mcp10x/
-│   │   ├── dot-ai-stack/
-│   │   ├── ts-mcp/
-│   │   └── argo-mcp/
+│   │   ├── dot-ai-stack.yaml
+│   │   └── ...
 │   └── overlays/
-│       ├── upc-dev/                  # All apps (resources: ../../base)
-│       ├── upc-prod/                # All apps + patches
-│       └── aks-dev/                 # Selective apps only
+│       ├── upc-dev/                  # Uses base as-is
+│       └── upc-prod/                # Patches value paths
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -176,8 +171,6 @@ launchpad/

 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
- Each component in `base/` has its own subdirectory with a `kustomization.yaml`
- Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -360,30 +353,16 @@ spec:

 ### Multi-Cluster Pattern

-Kustomize overlays enable deploying the same Applications across clusters with different configurations.
-
-Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
+Kustomize overlays enable deploying the same Applications across clusters with different configurations:

 ```yaml
-# Option 1: Include ALL components (full cluster)
-# infra/overlays/upc-dev/kustomization.yaml
-resources:
- ../../base                    # Pulls in every component subdirectory
+# infra/base/ contains default (upc-dev) Applications
+# Helm values are layered: base + cluster-specific
+valueFiles:
+- $values/infra/values/base/traefik-values.yaml    # Shared config
+- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific

-# Option 2: Cherry-pick specific components (lightweight cluster)
-# infra/overlays/aks-dev/kustomization.yaml
-resources:
- ../../base/traefik-application
- ../../base/grafana
- ../../base/prometheus
- ../../base/loki
-# Only listed components are deployed — others are excluded
-```
-
-Per-cluster patches swap Helm value file paths:
-
-```yaml
-# infra/overlays/upc-prod/kustomization.yaml
+# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
 patches:
 - target:
    kind: Application
@@ -76,28 +76,34 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications (Kustomize)
-│   ├── base/                      # One subdirectory per component
-│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
-│   │   ├── traefik-application/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── traefik-application.yaml
-│   │   ├── keycloak/
-│   │   │   ├── kustomization.yaml
-│   │   │   └── keycloak.yaml
-│   │   ├── grafana/
-│   │   ├── prometheus/
-│   │   ├── loki/
-│   │   ├── tempo/
-│   │   ├── gitea/
-│   │   ├── opencost/
-│   │   ├── ...                    # Each component in own directory
-│   │   └── secrets/
-│   ├── overlays/                  # Per-cluster: include all or cherry-pick
-│   │   ├── upc-dev/              # resources: [../../base] (all components)
-│   │   ├── upc-prod/            # resources: [../../base] + patches
-│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
-│   │   └── .../                  # 8 clusters total
+├── infra/                         # Infrastructure applications
+│   ├── cluster-resources-application.yaml
+│   ├── enterprise-apps.yaml
+│   ├── traefik-application.yaml
+│   ├── cert-manager-application.yaml
+│   ├── kyverno.yaml
+│   ├── kyverno-policies.yaml
+│   ├── prometheus.yaml
+│   ├── grafana.yaml
+│   ├── loki.yaml
+│   ├── tempo.yaml
+│   ├── fluent-bit.yaml
+│   ├── trivy.yaml
+│   ├── gitea.yaml
+│   ├── gitea-actions.yaml
+│   ├── sealedsecrets.yaml
+│   ├── secrets.yaml
+│   ├── renovate.yaml
+│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
+│   │   ├── gitea.yaml
+│   │   ├── opencost.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   └── ...
+│   ├── overlays/
+│   │   └── upc-prod/
+│   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
 │       ├── base/                   # Cloud-agnostic Helm values
 │       │   ├── gitea-values.yaml
@@ -117,18 +123,11 @@ launchpad/
 │           ├── gitea-values.yaml
 │           └── opencost-values.yaml
 │
-├── apps/                          # Business applications (Kustomize)
-│   ├── base/                     # One subdirectory per app
-│   │   ├── kustomization.yaml
-│   │   ├── musicman/
-│   │   ├── mcp10x/
-│   │   ├── dot-ai-stack/
-│   │   ├── ts-mcp/
-│   │   └── argo-mcp/
-│   └── overlays/                 # Per-cluster: include all or cherry-pick
-│       ├── upc-dev/
-│       ├── upc-prod/
-│       └── aks-dev/              # Selective apps only
+├── apps/                          # Business applications
+│   ├── mcp10x.yaml
+│   ├── musicman.yaml
+│   ├── dot-ai-stack.yaml
+│   └── argo-mcp.yaml
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -149,30 +148,12 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── base/                     # All SealedSecrets (shared across clouds)
-│   │   ├── kustomization.yaml
-│   │   ├── argocd-forte-helm-secret-sealed.yaml
-│   │   ├── argocd-mcp-credentials.yaml
-│   │   ├── argocdmcp-auth-oidc-sealed.yaml
-│   │   ├── dot-ai-secrets.yaml
-│   │   ├── forte10x-app-credentials-sealed.yaml
-│   │   ├── gitea-backup-s3-sealed.yaml
-│   │   ├── gitea-credentials-sealed.yaml
-│   │   ├── gitea-runner-token-sealed.yaml
-│   │   ├── gitea-smtp-secret-sealed.yaml
-│   │   ├── keycloak-credentials-sealed.yaml
-│   │   ├── musicman-auth-oidc-sealed.yaml
-│   │   ├── musicman-credentials.yaml
-│   │   └── renovate-env-sealed.yaml
-│   └── overlays/                 # Per-cloud overlays (reference base)
-│       ├── aks-dev/kustomization.yaml
-│       ├── aks-prod/kustomization.yaml
-│       ├── eks-dev/kustomization.yaml
-│       ├── eks-prod/kustomization.yaml
-│       ├── gke-dev/kustomization.yaml
-│       ├── gke-prod/kustomization.yaml
-│       ├── upc-dev/kustomization.yaml
-│       └── upc-prod/kustomization.yaml
+│   ├── argocd-mcp-credentials.yaml
+│   ├── dot-ai-secrets.yaml
+│   ├── gitea-credentials-sealed.yaml
+│   ├── gitea-runner-token-sealed.yaml
+│   ├── mcp10x-credentials-sealed.yaml
+│   └── musicman-credentials.yaml
 │
 ├── scripts/                       # Operational helper scripts
 │   ├── gitea-backup.sh            # S3 backup helper (list/download)
@@ -650,134 +631,10 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)

-### Global Settings (`argocd-cm`)
-
-| Setting | Value | Purpose |
-|---------|-------|---------|
-| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
-| `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
-| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
-
-**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
-```yaml
-configs:
-  params:
-    "reposerver.enable.git.submodule": "false"
-```
-This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
-
-**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
-```bash
-# Enable admin login
-kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
-# Log in as admin, do what's needed, then disable again
-kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
-```
-ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
-
-**OIDC Authentication** (Keycloak):
-```yaml
-configs:
-  cm:
-    oidc.config: |
-      name: Forte SSO
-      issuer: https://id.forteapps.net/realms/forte
-      clientID: argocd
-      clientSecret: $oidc.clientSecret
-      requestedScopes: ["openid", "email", "profile"]
-  rbacConfig:
-    policy.csv: |
-      g, ArgoCD Admins, role:admin
-      g, ArgoCD Viewers, role:readonly
-    # Deny users not in any declared KC group
-    policy.default: ""
-    scopes: '[groups]'
-```
-
-**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
-
- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
- Safe for fresh deploys: no-ops if source secret doesn't exist yet
-
-**Ingress** (Traefik + TLS):
-```yaml
-server:
-  ingress:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    tls: true
-  extraArgs:
-  - --insecure
-configs:
-  params:
-    "server.insecure": true
-```
-TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
-
 ---

 ## Infrastructure Components

-### Homepage (Platform Dashboard)
-
-**Chart**: `jameswynn/homepage`
-**Namespace**: `homepage`
-**URL**: `https://start.forteapps.net`
-
-Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
-
-**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
-
-**Annotated services**:
-| Service | Namespace | Group | Widget |
-|---------|-----------|-------|--------|
-| `gitea-http` | `gitea` | DevOps | `gitea` |
-| `argocd-server` | `argocd` | DevOps | `argocd` |
-| `keycloak` | `keycloak` | Identity | none |
-| `grafana` | `monitoring` | Monitoring | `grafana` |
-| `karpor-server` | `karpor` | DevOps | none |
-
-**Adding a new app**: Annotate the app's Service in its Helm values:
-```yaml
-service:
-  annotations:
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "My App"
-    gethomepage.dev/description: "What it does"
-    gethomepage.dev/group: "GroupName"
-    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
-    gethomepage.dev/href: "https://myapp.forteapps.net"
-    # Optional live widget:
-    gethomepage.dev/widget.type: "myapp"
-    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
-    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
-```
-
-**Widget API credentials**: Inject via env vars into the Homepage pod:
-```yaml
-# In homepage-values.yaml per environment
-env:
- name: HOMEPAGE_VAR_GRAFANA_TOKEN
-  valueFrom:
-    secretKeyRef:
-      name: homepage-widget-credentials
-      key: grafana-token
-```
-Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
-
-**Values files**:
- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
- `infra/values/{env}/homepage-values.yaml` — hostname per environment
-
---
-
 ### Traefik

 **Chart**: `traefik/traefik`
@@ -849,10 +706,6 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`

-**Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
-
-To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
-
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -893,15 +746,6 @@ kubeStateMetrics:
 - Loki
 - Tempo

-**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
-
-**OIDC Authentication** (Keycloak):
- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
-
 ### Loki

 **Chart**: `grafana/loki-stack`
@@ -1254,33 +1098,6 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann

 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)

-### Karpor
-
-**Chart**: `karpor` from `https://kusionstack.github.io/charts`
-**Version**: 0.7.6 (app v0.6.4)
-**Namespace**: `karpor`
-**Sync Wave**: 1
-
-**Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
-
-**Architecture** (4 components):
- **Server** — main Karpor API/UI (port 7443)
- **Syncer** — syncs cluster state into the search index
- **ElasticSearch** — search backend for resource indexing
- **etcd** — persistent key-value store (10Gi PVC)
-
-**Configuration** (`infra/values/base/karpor-values.yaml`):
- `namespaceEnabled: false` — ArgoCD manages namespace creation
- Default resource limits tuned for small clusters
- ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
- AI features available but not enabled (requires `server.ai.authToken` + backend config)
-
-**Access**: Port-forward to reach the UI:
-```bash
-kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
-# Open https://localhost:7443
-```
-
 ### Renovate

 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1384,46 +1201,6 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone

-### Keycloak Microsoft/Entra Identity Provider
-
-**File**: `infra/values/upc-dev/keycloak-values.yaml`
-**Namespace**: `keycloak`
-
-**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
-
-**Configuration via keycloakConfigCli**:
- IdP alias: `forte-entra`, provider: `microsoft`
- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
-
-**Key Configuration Notes**:
-
-| Field | Location | Notes |
-|-------|----------|-------|
-| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
-| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
-| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
-| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
-
-**Token Storage & Broker Access**:
- `storeToken: true` persists the Entra access token in Keycloak
- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
-
-**Identity Provider Mappers**:
- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
-
-**Required Secret** (`microsoft-idp-credentials`):
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: microsoft-idp-credentials
-  namespace: keycloak
-stringData:
-  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
-```
-
 ### Default Namespace Blocker

 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1768,23 +1545,7 @@ Forward to Application (localhost:3000)
 Application processes request
 ```

-#### Forwarded Headers
-
-After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
-
-| Header | Description | Auth Modes |
-|--------|-------------|------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
-
-Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
-
-**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
+**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.

 ---

@@ -1973,9 +1734,8 @@ To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
   - `opencost-values.yaml` — pricing model or cloud billing integration
 3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
 4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
-5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
-6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
-7. **Bootstrap**: `./bootstrap.sh oci-dev`
+5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config
+6. **Bootstrap**: `./bootstrap.sh oci-dev`

 ---

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- cert-manager-application.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- cluster-resources-application.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- databunker.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- enterprise-apps.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- fluent-bit.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- gitea-actions.yaml
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- gitea.yaml
- gitea-backup-s3-sealed.yaml
- gitea-credentials-sealed.yaml
- gitea-runner-token-sealed.yaml
- gitea-smtp-secret-sealed.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- grafana-dashboards.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- grafana.yaml
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: homepage-services-reader
-rules:
- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: homepage-services-reader
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: homepage-services-reader
-subjects:
- kind: ServiceAccount
-  name: homepage
-  namespace: homepage
@@ -1,16 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: homepage-widget-credentials
-  namespace: homepage
-spec:
-  encryptedData:
-    HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
-    HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
-  template:
-    metadata:
-      creationTimestamp: null
-      name: homepage-widget-credentials
-      namespace: homepage
@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: homepage
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "3"
-  labels:
-    app.kubernetes.io/name: homepage
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://jameswynn.github.io/helm-charts
-    chart: homepage
-    targetRevision: "2.1.0"
-    helm:
-      releaseName: homepage
-      valueFiles:
-      - $values/infra/values/base/homepage-values.yaml
-      - $values/infra/values/upc-dev/homepage-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: homepage
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- homepage.yaml
- homepage-widget-credentials-sealed.yaml
- homepage-extra-rbac.yaml
@@ -1,48 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: karpor
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: karpor
-    app.kubernetes.io/part-of: developer-portal
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://kusionstack.github.io/charts
-    chart: karpor
-    targetRevision: "0.7.6"
-    helm:
-      releaseName: karpor
-      valueFiles:
-      - $values/infra/values/base/karpor-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: karpor
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- karpor.yaml
@@ -15,7 +15,7 @@ spec:
  project: default

  sources:
-  - repoURL: registry-1.docker.io/bitnamicharts
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
@@ -47,7 +47,3 @@ spec:
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- keycloak.yaml
- keycloak-credentials-sealed.yaml
@@ -1,25 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- traefik-application
- keycloak
- grafana
- cert-manager-application
- kyverno
- sealedsecrets
- prometheus
- loki
- fluent-bit
- enterprise-apps
- cluster-resources-application
- kyverno-policies
- gitea
- gitea-actions
- opencost
- renovate
- tempo
- grafana-dashboards
- karpor
- databunker
- homepage
- vault
+- traefik-application.yaml
+- keycloak.yaml
+- grafana.yaml
+- cert-manager-application.yaml
+- kyverno.yaml
+- sealedsecrets.yaml
+- prometheus.yaml
+- loki.yaml
+- fluent-bit.yaml
+- trivy.yaml
+- enterprise-apps.yaml
+- cluster-resources-application.yaml
+- kyverno-policies.yaml
+- secrets.yaml
+- gitea.yaml
+- gitea-actions.yaml
+- opencost.yaml
+- renovate.yaml
+- tempo.yaml
+- grafana-dashboards.yaml
+- network-policies-application.yaml
@@ -27,6 +27,7 @@ spec:
    automated:
      prune: true
      selfHeal: true
+      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- kyverno-policies.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- kyverno.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- loki.yaml
@@ -1,42 +1,33 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: databunker
+  name: network-policies
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: network-policies
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: databunker
-    app.kubernetes.io/part-of: identity
-    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default

-  sources:
-  - repoURL: https://securitybunker.github.io/databunkerpro-setup
-    chart: databunkerpro
-    targetRevision: "0.1.0"
-    helm:
-      releaseName: databunkerpro
-      valueFiles:
-      - $values/infra/values/base/databunker-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    ref: values
+    path: cluster-resources/network

  destination:
    server: https://kubernetes.default.svc
-    namespace: databunker

  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
+
    syncOptions:
-    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- opencost.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- prometheus.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- renovate.yaml
- renovate-env-sealed.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- sealedsecrets.yaml
- argocd-forte-helm-secret-sealed.yaml
@@ -1,37 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: ts-mcp
+  name: secrets
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "11"
+    argocd.argoproj.io/sync-wave: "2"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
-    app.kubernetes.io/name: ts-mcp
-    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/name: secrets
+    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/ts-mcp/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    path: secrets/upc-dev
  destination:
    server: https://kubernetes.default.svc
-    namespace: ts-mcp
-
+    namespace: secrets
  syncPolicy:
    automated:
      prune: true
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- tempo.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- traefik-application.yaml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: trivy-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: trivy-operator
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/name: trivy-operator
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: https://aquasecurity.github.io/helm-charts
+    chart: trivy-operator
+    targetRevision: 0.31.0
+    helm:
+      releaseName: trivy-operator
+      valuesObject:
+        operator:
+          targetNamespaces: ""
+          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
+          scanJobsInSameNamespace: true
+          metricsVulnIdEnabled: true
+          metricsImageInfo: true
+        trivy:
+          ignoreUnfixed: false
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    jsonPointers:
+    - /metadata/labels
+    - /metadata/annotations
+    - /metadata/finalizers
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- vault.yaml
@@ -1,49 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vault
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: vault
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://helm.releases.hashicorp.com
-    chart: vault
-    targetRevision: "0.32.0"
-    helm:
-      releaseName: vault
-      valueFiles:
-      - $values/infra/values/base/vault-values.yaml
-      - $values/infra/values/upc-dev/vault-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: vault
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
@@ -8,6 +8,9 @@ generatorOptions:
    grafana_dashboard: "1"

 configMapGenerator:
+- name: grafana-dashboard-trivy
+  files:
+  - trivy.json
 - name: grafana-dashboard-traefik-loki
  files:
  - traefik-loki.json
@@ -1,31 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/enterprise-apps
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/homepage
- ../../base/traefik-application
+- ../../base

 patches:
-# Homepage: swap upc-dev → aks-dev
- target:
-    kind: Application
-    name: homepage
-  patch: |
-    - op: replace
-      path: /spec/sources/0/helm/valueFiles/1
-      value: $values/infra/values/aks-dev/homepage-values.yaml
-
 # Traefik: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -35,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/traefik-values.yaml

+# Keycloak: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/keycloak-values.yaml
+
 # Grafana: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -44,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/grafana-values.yaml

+# Gitea: swap upc-dev → aks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-dev/gitea-values.yaml
+
 # OpenCost: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -53,7 +49,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/opencost-values.yaml

-# Ent apps: swap upc-dev → aks-prod
+# Secrets: change path to aks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-dev
+
+# Enterprise-apps: point to aks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/traefik-application
+- ../../base

 patches:
 # Traefik: swap upc-dev → aks-prod
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/traefik-values.yaml

-# Grafana: swap upc-dev → aks-prod  
+# Keycloak: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/grafana-values.yaml

+# Gitea: swap upc-dev → aks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/aks-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → aks-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/opencost-values.yaml
+
+# Secrets: change path to aks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/aks-prod
+
+# Enterprise-apps: point to aks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/aks-prod
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/traefik-application
+- ../../base

 patches:
 # Traefik: swap upc-dev → eks-dev
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/traefik-values.yaml

-# Grafana: swap upc-dev → eks-dev  
+# Keycloak: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/grafana-values.yaml

+# Gitea: swap upc-dev → eks-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-dev/gitea-values.yaml
+
 # OpenCost: swap upc-dev → eks-dev
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/opencost-values.yaml
+
+# Secrets: change path to eks-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-dev
+
+# Enterprise-apps: point to eks-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-dev
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/traefik-application
+- ../../base

 patches:
 # Traefik: swap upc-dev → eks-prod
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/traefik-values.yaml

-# Grafana: swap upc-dev → eks-prod  
+# Keycloak: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/grafana-values.yaml

+# Gitea: swap upc-dev → eks-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/eks-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → eks-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/opencost-values.yaml
+
+# Secrets: change path to eks-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/eks-prod
+
+# Enterprise-apps: point to eks-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/eks-prod
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/traefik-application
+- ../../base

 patches:
 # Traefik: swap upc-dev → gke-dev
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/traefik-values.yaml

-# Grafana: swap upc-dev → gke-dev  
+# Keycloak: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/grafana-values.yaml

+# Gitea: swap upc-dev → gke-dev
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-dev/gitea-values.yaml
+
 # OpenCost: swap upc-dev → gke-dev
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/opencost-values.yaml
+
+# Secrets: change path to gke-dev
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-dev
+
+# Enterprise-apps: point to gke-dev overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-dev
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/traefik-application
+- ../../base

 patches:
 # Traefik: swap upc-dev → gke-prod
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/traefik-values.yaml

-# Grafana: swap upc-dev → gke-prod  
+# Keycloak: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/grafana-values.yaml

+# Gitea: swap upc-dev → gke-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/gke-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → gke-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/opencost-values.yaml
+
+# Secrets: change path to gke-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/gke-prod
+
+# Enterprise-apps: point to gke-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/gke-prod
@@ -1,15 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: microsoft-idp-credentials
-  namespace: keycloak
-spec:
-  encryptedData:
-    MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
-  template:
-    metadata:
-      creationTimestamp: null
-      name: microsoft-idp-credentials
-      namespace: keycloak
@@ -2,16 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- entra-upc-dev-credentials-sealed.yaml

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
-
-patches:
- target:
-    kind: Application
-    name: databunker
-  patch: |
-    - op: add
-      path: /spec/sources/0/helm/valueFiles/-
-      value: $values/infra/values/upc-dev/databunker-values.yaml
@@ -1,21 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
- ../../base/cluster-resources-application
- ../../base/grafana
- ../../base/grafana-dashboards
- ../../base/kyverno
- ../../base/kyverno-policies
- ../../base/loki
- ../../base/opencost
- ../../base/prometheus
- ../../base/sealedsecrets
- ../../base/tempo
- ../../base/traefik-application
+- ../../base

 patches:
-# Traefik: swap upc-dev → upc-prod
+# Traefik: swap upc-dev → upc-prod in valueFiles
 - target:
    kind: Application
    name: traefik
@@ -24,7 +13,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml

-# Grafana: swap upc-dev → upc-prod  
+# Keycloak: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/keycloak-values.yaml
+
+# Grafana: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: grafana
@@ -33,6 +31,51 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/grafana-values.yaml

+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
+# OpenCost: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: opencost
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/opencost-values.yaml
+
+# Secrets: change path to upc-prod
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/upc-prod
+
+# Enterprise-apps: point to upc-prod overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/upc-prod
+
+# Gitea: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+
 # OpenCost: swap upc-dev → upc-prod
 - target:
    kind: Application
@@ -1,5 +0,0 @@
-global:
-  domain: argocd.127.0.0.1.nip.io
-notifications:
-  context:
-    clusterName: "aks-dev-launchpad"
@@ -1,15 +0,0 @@
-ingress:
-  main:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-    - host: start.forteapps.net
-      paths:
-      - path: /
-        pathType: Prefix
-    tls:
-    - secretName: homepage-tls
-      hosts:
-      - start.forteapps.net
@@ -2,46 +2,16 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
-    # oidc.clientSecret managed by argocd-oidc-sync CronJob
-    # (reads from argocd-oidc-credentials, patches argocd-secret)
-  ssh:
-    knownHosts: |
-      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
-    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
-    admin.enabled: "false"
-    url: https://argocd.forteapps.net
-    oidc.config: |
-      name: Forte SSO
-      issuer: https://id.forteapps.net/realms/forte
-      clientID: argocd
-      clientSecret: $oidc.clientSecret
-      requestedScopes: ["openid", "email", "profile"]
-  rbac:
-    policy.csv: |
-      g, ArgoCD Admins, role:admin
-      g, ArgoCD Viewers, role:readonly
-    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
-    policy.default: ""
-    scopes: '[groups]'
+    admin.enabled: "true"
  params:
    "server.insecure": true
-    "reposerver.enable.git.submodule": "false"
 server:
  ingress:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-      gethomepage.dev/enabled: "true"
-      gethomepage.dev/name: "ArgoCD"
-      gethomepage.dev/description: "GitOps continuous delivery"
-      gethomepage.dev/group: "DevOps"
-      gethomepage.dev/icon: "argo-cd"
-      gethomepage.dev/href: "https://argocd.forteapps.net"
-    tls: true
+    enabled: false
+    ingressClassName: nginx
  extraArgs:
  - --insecure

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
danijel.simeunovic	9a7e03b794	Merge branch 'feature/cloud-agnostic' into feature/multi-cloud	2026-04-22 22:06:31 +02:00
danijel.simeunovic	f1dd61cece	sync	2026-04-22 21:56:43 +02:00
danijel.simeunovic	acc9bb1a85	sync	2026-04-22 21:53:44 +02:00
danijel.simeunovic	c8c2dedea5	rename	2026-04-22 21:48:02 +02:00
danijel.simeunovic	a471f11740	repo url	2026-04-22 14:45:23 +02:00
danijel.simeunovic	92ddc22322	azure>aks	2026-04-22 14:42:02 +02:00
danijel.simeunovic	7d2fb8bc0c	azure>aks	2026-04-22 14:41:42 +02:00
danijel.simeunovic	79f9c62012	azure>aks	2026-04-22 14:35:59 +02:00
danijel.simeunovic	dea54e469e	repo url	2026-04-22 14:34:20 +02:00
danijel.simeunovic	333acdea26	multi-cloud overlays AI Code Review / ai-review (pull_request) Successful in 6s Details	2026-04-22 14:30:13 +02:00
gitea_admin	03d526208b	Merge branch 'main' into feature/cloud-agnostic AI Code Review / ai-review (pull_request) Successful in 7s Details	2026-04-22 12:08:08 +00:00
gitea_admin	458f7b23ad	Merge branch 'main' into feature/multi-cloud AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 11:55:05 +00:00
gitea_admin	41c8b85bf8	Merge branch 'main' into feature/multi-cloud AI Code Review / ai-review (pull_request) Successful in 26s Details	2026-04-22 11:52:22 +00:00
danijel.simeunovic	c3f723333b	Merge branch 'feature/cloud-agnostic' of ssh://git.forteapps.net:2222/Forte/launchpad into feature/cloud-agnostic AI Code Review / ai-review (pull_request) Successful in 1m3s Details	2026-04-22 13:43:09 +02:00
danijel.simeunovic	4144b1c1ac	token	2026-04-22 13:39:43 +02:00
danijel.simeunovic	16eadbe181	Merge remote-tracking branch 'origin/main' into feature/cloud-agnostic	2026-04-22 13:38:55 +02:00
danijel.simeunovic	4e6a84785a	token AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 13:37:32 +02:00
danijel.simeunovic	e0bdaab422	multi-cloud + mcp AI Code Review / ai-review (pull_request) Failing after 2s Details	2026-04-22 13:34:48 +02:00
danijel.simeunovic	230ea7ebeb	Merge branch 'main' into feature/cloud-agnostic AI Code Review / ai-review (pull_request) Failing after 3s Details	2026-04-22 11:33:03 +00:00
danijel.simeunovic	cab0866e14	multi-cloud no mcp	2026-04-22 13:31:09 +02:00