Merge branch 'main' into feature/multi-cloud

details
Merge branch 'feature/cloud-agnostic' into feature/multi-cloud
2026-04-24 08:24:34 +00:00 · 2026-04-22 22:26:57 +02:00 · 2026-04-22 22:06:31 +02:00 · 2026-04-22 21:56:43 +02:00 · 2026-04-22 21:53:44 +02:00 · 2026-04-22 21:48:02 +02:00
121 changed files with 2455 additions and 1619 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +0,0 @@
 # Force LF line endings for shell scripts
 *.sh text eol=lf
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ### What's Inside
- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -84,25 +84,24 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
+│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
-│   │   ├── kustomization.yaml # Aggregates all component subdirectories
+│   │   ├── kustomization.yaml
-│   │   ├── traefik-application/
+│   │   ├── traefik-application.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── keycloak.yaml
-│   │   │   └── traefik-application.yaml
+│   │   ├── grafana.yaml
-│   │   ├── keycloak/
+│   │   ├── gitea.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── gitea-actions.yaml
-│   │   │   └── keycloak.yaml
+│   │   ├── tempo.yaml
-│   │   ├── grafana/
+│   │   ├── renovate.yaml
-│   │   ├── prometheus/
+│   │   ├── ...                # All other Application manifests
-│   │   ├── ...               # Each component in its own subdirectory
+│   │   └── secrets.yaml
 │   │   └── secrets/
 │   ├── overlays/              # Per-cluster overrides (Kustomize)
-│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
+│   │   ├── upc-dev/           # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
+│   │   ├── upc-prod/         # UpCloud Prod (patches value paths)
 │   │   ├── aks-dev/          # Azure AKS Dev — selective components only
 │   │   ├── aks-prod/         # Azure AKS Prod
 │   │   ├── eks-dev/           # AWS EKS Dev
 │   │   ├── eks-prod/         # AWS EKS Prod
 │   │   ├── aks-dev/        # Azure AKS Dev
 │   │   ├── aks-prod/       # Azure AKS Prod
 │   │   ├── gke-dev/          # GCP GKE Dev
 │   │   └── gke-prod/         # GCP GKE Prod
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
@@ -117,18 +116,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 │       ├── gke-dev/          # GCP GKE Dev
 │       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications (Kustomize, same pattern as infra)
+├── apps/                      # Business Applications
-│   ├── base/                  # One subdirectory per app
+│   ├── mcp10x.yaml
-│   │   ├── kustomization.yaml
+│   ├── musicman.yaml
-│   │   ├── musicman/
+│   ├── dot-ai-stack.yaml
-│   │   ├── mcp10x/
+│   └── argo-mcp.yaml
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/              # Per-cluster: cherry-pick or include all
 │       ├── upc-dev/           # All apps
 │       ├── upc-prod/         # All apps + patches
 │       └── aks-dev/          # Selective apps only
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -363,6 +355,7 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
@@ -380,7 +373,7 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 ### App-of-Apps Pattern
-`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{cluster}/` render the base Applications with per-cluster patches (e.g., swapping value file paths). Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.
 ### Multi-Source Pattern
 Applications reference both:
--- a/apps/base/argo-mcp/argo-mcp.yaml
+++ b/apps/base/argo-mcp/argo-mcp.yaml
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -1,6 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
 - argocdmcp-auth-oidc-sealed.yaml
 - argocd-mcp-credentials.yaml
--- a/apps/base/dot-ai-stack/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-stack.yaml
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
 - dot-ai-secrets.yaml
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- dot-ai-stack
+- dot-ai-stack.yaml
- mcp10x
+- mcp10x.yaml
- musicman
+- musicman.yaml
- ts-mcp
+- ts-mcp.yaml
- argo-mcp
+- argo-mcp.yaml
--- a/apps/base/mcp10x/mcp10x.yaml
+++ b/apps/base/mcp10x/mcp10x.yaml
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
 - forte10x-app-credentials-sealed.yaml
--- a/apps/base/musicman/musicman.yaml
+++ b/apps/base/musicman/musicman.yaml
@@ -36,8 +36,13 @@ spec:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=false
    - Replace=false
    retry:
      limit: 5
      backoff:
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
 - musicman-credentials.yaml
--- a/apps/base/ts-mcp/ts-mcp.yaml
+++ b/apps/base/ts-mcp/ts-mcp.yaml
--- a/apps/base/ts-mcp/kustomization.yaml
+++ b/apps/base/ts-mcp/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
 - ts-mcp-secrets-sealed.yaml
--- a/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
+++ b/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
@@ -1,13 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: ts-mcp-secrets
  namespace: ts-mcp
 spec:
  encryptedData:
    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
  template:
    metadata:
      name: ts-mcp-secrets
      namespace: ts-mcp
--- a/apps/overlays/aks-dev/kustomization.yaml
+++ b/apps/overlays/aks-dev/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base/musicman
--- a/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
+++ b/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
@@ -1,47 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: dbunk-demo
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "12"
  labels:
    app.kubernetes.io/name: dbunk-demo
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/dbunk-demo/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: dbunk-demo
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
--- a/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
+++ b/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dbunk-demo.yaml
--- a/apps/overlays/upc-dev/feedback/feedback.yaml
+++ b/apps/overlays/upc-dev/feedback/feedback.yaml
@@ -1,53 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: feedback
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "12"
  labels:
    app.kubernetes.io/name: feedback
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/feedback/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: feedback
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/apps/overlays/upc-dev/feedback/kustomization.yaml
+++ b/apps/overlays/upc-dev/feedback/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - feedback.yaml
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -2,8 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 - dbunk-demo
 - feedback
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,5 +1,4 @@
 #!/bin/zsh
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
@@ -18,7 +17,7 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
    ArgoCd
-    Gitea
+#    Gitea
 }
@@ -28,8 +27,8 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
+    kubectl apply -f private/gitea-repo-main.yaml
-    kubectl apply -f "private/${CLUSTER}/main.key"
+    kubectl apply -f private/main.key
 }
 ############################################################
@@ -37,15 +36,10 @@ Gitea()
 ############################################################
 ArgoCd()
 {
    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
    # install argocd
    echo "Installing ArgoCD..."
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --version "7.8.0" \
            --namespace argocd --create-namespace \
            --values infra/values/base/argocd-values.yaml \
            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -55,4 +49,4 @@ ArgoCd()
    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
-Bootstrap
+# Bootstrap
--- a/cluster-resources/argocd-oidc-secret-sync.yaml
+++ b/cluster-resources/argocd-oidc-secret-sync.yaml
@@ -1,83 +0,0 @@
 # CronJob: syncs OIDC client secret from registrar-managed
 # argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
 # Runs every 2 min. No-ops if source secret doesn't exist yet
 # (safe for fresh deploys before Keycloak is up).
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-oidc-sync
 subjects:
 - kind: ServiceAccount
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 spec:
  schedule: "*/2 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: argocd-oidc-sync
          restartPolicy: Never
          containers:
          - name: sync
            image: bitnami/kubectl:latest
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              # Exit gracefully if source secret doesn't exist yet
              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
                exit 0
              fi
              # Read current OIDC client secret
              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
                -o jsonpath='{.data.client-secret}' | base64 -d)
              # Read current value in argocd-secret (if any)
              CURRENT=$(kubectl get secret argocd-secret -n argocd \
                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
              # Only patch if changed
              if [ "$NEW_SECRET" = "$CURRENT" ]; then
                echo "oidc.clientSecret already up to date"
                exit 0
              fi
              kubectl patch secret argocd-secret -n argocd --type merge \
                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
              echo "Patched argocd-secret with oidc.clientSecret"
--- a/cluster-resources/argocd-repo-server-config.yaml
+++ b/cluster-resources/argocd-repo-server-config.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-repo-server-config
  namespace: argocd
 data:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  ARGOCD_GIT_MODULES_ENABLED: "false"
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -245,12 +245,6 @@ spec:
                secretKeyRef:
                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
            - name: AUTH_OIDC_IDP_HINT
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
            - name: AUTH_OIDC_BROKER_ALIAS
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -330,8 +324,6 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
            - name: AUTH_MCP_IDP_HINT
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
            resources:
              limits:
                cpu: 50m
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -26,6 +26,7 @@ spec:
          - monitoring
          - secrets
          - kyverno
          - trivy-system
    match:
      any:
      - resources:
--- a/cluster-resources/policies/secret-cloner.yaml
+++ b/cluster-resources/policies/secret-cloner.yaml
@@ -16,6 +16,7 @@ spec:
      - resources:
          namespaces:
          - kube-system
          - trivy-system
          - monitoring
          - argocd
          - cert-manager
--- a/clusters/aks-dev.yaml
+++ b/clusters/aks-dev.yaml
@@ -1,6 +1,6 @@
 # Cluster config reference — values must match the corresponding overlay files.
 # Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
-clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+clusterName: dev-aks                     # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
 domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
 argocdDomain: argocd.example.com         # → infra/values/aks-dev/argocd-values.yaml (global.domain)
 grafanaDomain: grafana.example.com       # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
--- a/devbox.json
+++ b/devbox.json
@@ -1,32 +0,0 @@
 {
  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
  "packages": [
    "kubectl@1.33.2",
    "kubernetes-helm@3.18.4",
    "k9s@0.50.7",
    "kubeseal@0.30.0",
    "argocd@2.14.11",
    "kubecm@0.33.1",
    "kubectl-tree@0.4.3",
    "kind@0.29.0",
    "kustomize@5.7.0",
    "kyverno@1.14.3",
    "syft@1.29.0",
    "grype@0.92.2",
    "traefik@3.6.7",
    "claude-code@latest",
    "go@latest",
    "dotnet-sdk@latest",
    "opentofu@1.11.6"
  ],
  "shell": {
    "init_hook": [
      "echo 'Welcome to devbox!' > /dev/null"
    ],
    "scripts": {
      "test": [
        "echo \"Error: no test specified\" && exit 1"
      ]
    }
  }
 }
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -654,11 +654,21 @@ kubectl create secret generic myapp-credentials \
 #### Step 2: Seal the Secret
 Get the public certificate (one-time setup):
 ```bash
 # Fetch public cert from cluster
 kubeseal --fetch-cert \
  --controller-name=sealed-secrets-controller \
  --controller-namespace=kube-system \
  > pub-cert.pem
 ```
 Seal your secret:
 ```bash
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
@@ -701,7 +711,7 @@ kubectl create secret generic myapp-credentials \
 # 2. Seal it
 kubeseal --format=yaml \
-  --namespace=myapp \
+  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -120,25 +120,24 @@ launchpad/
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
 ├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── base/                         # Base Application manifests (one dir per component)
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
-│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
+│   │   ├── kustomization.yaml
-│   │   ├── traefik-application/
+│   │   ├── traefik-application.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── keycloak.yaml
-│   │   │   └── traefik-application.yaml
+│   │   ├── grafana.yaml
-│   │   ├── keycloak/
+│   │   ├── gitea.yaml
-│   │   │   ├── kustomization.yaml
+│   │   ├── gitea-actions.yaml
-│   │   │   └── keycloak.yaml
+│   │   ├── tempo.yaml
-│   │   ├── grafana/
+│   │   ├── renovate.yaml
-│   │   ├── prometheus/
+│   │   ├── ...                       # All other Application manifests
-│   │   ├── ...                       # Each component in its own subdirectory
+│   │   └── secrets.yaml
 │   │   └── secrets/
 │   ├── overlays/                     # Per-cluster Kustomize overrides
-│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   │   ├── upc-prod/                # UpCloud Prod — all + patches
+│   │   ├── upc-prod/                # UpCloud Prod (patches value paths)
 │   │   ├── aks-dev/                 # Azure AKS Dev — selective components
 │   │   ├── aks-prod/               # Azure AKS Prod
 │   │   ├── eks-dev/                  # AWS EKS Dev
 │   │   ├── eks-prod/                # AWS EKS Prod
 │   │   ├── aks-dev/               # Azure AKS Dev
 │   │   ├── aks-prod/              # Azure AKS Prod
 │   │   ├── gke-dev/                 # GCP GKE Dev
 │   │   └── gke-prod/               # GCP GKE Prod
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
@@ -150,17 +149,13 @@ launchpad/
 │       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
 ├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── base/                         # One subdirectory per app
+│   ├── base/                         # Base app manifests
 │   │   ├── kustomization.yaml
-│   │   ├── musicman/
+│   │   ├── dot-ai-stack.yaml
-│   │   ├── mcp10x/
+│   │   └── ...
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/
-│       ├── upc-dev/                  # All apps (resources: ../../base)
+│       ├── upc-dev/                  # Uses base as-is
-│       ├── upc-prod/                # All apps + patches
+│       └── upc-prod/                # Patches value paths
 │       └── aks-dev/                 # Selective apps only
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
 │   ├── ...
@@ -176,8 +171,6 @@ launchpad/
 **Key Points**:
 - `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
 - Each component in `base/` has its own subdirectory with a `kustomization.yaml`
 - Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
 - Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
@@ -360,30 +353,16 @@ spec:
 ### Multi-Cluster Pattern
-Kustomize overlays enable deploying the same Applications across clusters with different configurations.
+Kustomize overlays enable deploying the same Applications across clusters with different configurations:
 Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
 ```yaml
-# Option 1: Include ALL components (full cluster)
+# infra/base/ contains default (upc-dev) Applications
-# infra/overlays/upc-dev/kustomization.yaml
+# Helm values are layered: base + cluster-specific
-resources:
+valueFiles:
- ../../base                    # Pulls in every component subdirectory
+- $values/infra/values/base/traefik-values.yaml    # Shared config
 - $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
-# Option 2: Cherry-pick specific components (lightweight cluster)
+# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
 # infra/overlays/aks-dev/kustomization.yaml
 resources:
 - ../../base/traefik-application
 - ../../base/grafana
 - ../../base/prometheus
 - ../../base/loki
 # Only listed components are deployed — others are excluded
 ```
 Per-cluster patches swap Helm value file paths:
 ```yaml
 # infra/overlays/upc-prod/kustomization.yaml
 patches:
 - target:
    kind: Application
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -76,28 +76,34 @@ launchpad/
 ├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications (Kustomize)
+├── infra/                         # Infrastructure applications
-│   ├── base/                      # One subdirectory per component
+│   ├── cluster-resources-application.yaml
-│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
+│   ├── enterprise-apps.yaml
-│   │   ├── traefik-application/
+│   ├── traefik-application.yaml
-│   │   │   ├── kustomization.yaml
+│   ├── cert-manager-application.yaml
-│   │   │   └── traefik-application.yaml
+│   ├── kyverno.yaml
-│   │   ├── keycloak/
+│   ├── kyverno-policies.yaml
-│   │   │   ├── kustomization.yaml
+│   ├── prometheus.yaml
-│   │   │   └── keycloak.yaml
+│   ├── grafana.yaml
-│   │   ├── grafana/
+│   ├── loki.yaml
-│   │   ├── prometheus/
+│   ├── tempo.yaml
-│   │   ├── loki/
+│   ├── fluent-bit.yaml
-│   │   ├── tempo/
+│   ├── trivy.yaml
-│   │   ├── gitea/
+│   ├── gitea.yaml
-│   │   ├── opencost/
+│   ├── gitea-actions.yaml
-│   │   ├── ...                    # Each component in own directory
+│   ├── sealedsecrets.yaml
-│   │   └── secrets/
+│   ├── secrets.yaml
-│   ├── overlays/                  # Per-cluster: include all or cherry-pick
+│   ├── renovate.yaml
-│   │   ├── upc-dev/              # resources: [../../base] (all components)
+│   ├── base/                      # ArgoCD Application manifests (Kustomize base)
-│   │   ├── upc-prod/            # resources: [../../base] + patches
+│   │   ├── gitea.yaml
-│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
+│   │   ├── opencost.yaml
-│   │   └── .../                  # 8 clusters total
+│   │   ├── traefik-application.yaml
 │   │   ├── keycloak.yaml
 │   │   ├── grafana.yaml
 │   │   └── ...
 │   ├── overlays/
 │   │   └── upc-prod/
 │   │       └── kustomization.yaml # Patches upc-dev → upc-prod valueFile paths
 │   └── values/
 │       ├── base/                   # Cloud-agnostic Helm values
 │       │   ├── gitea-values.yaml
@@ -117,18 +123,11 @@ launchpad/
 │           ├── gitea-values.yaml
 │           └── opencost-values.yaml
 │
-├── apps/                          # Business applications (Kustomize)
+├── apps/                          # Business applications
-│   ├── base/                     # One subdirectory per app
+│   ├── mcp10x.yaml
-│   │   ├── kustomization.yaml
+│   ├── musicman.yaml
-│   │   ├── musicman/
+│   ├── dot-ai-stack.yaml
-│   │   ├── mcp10x/
+│   └── argo-mcp.yaml
 │   │   ├── dot-ai-stack/
 │   │   ├── ts-mcp/
 │   │   └── argo-mcp/
 │   └── overlays/                 # Per-cluster: include all or cherry-pick
 │       ├── upc-dev/
 │       ├── upc-prod/
 │       └── aks-dev/              # Selective apps only
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -149,30 +148,12 @@ launchpad/
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── base/                     # All SealedSecrets (shared across clouds)
+│   ├── argocd-mcp-credentials.yaml
-│   │   ├── kustomization.yaml
+│   ├── dot-ai-secrets.yaml
-│   │   ├── argocd-forte-helm-secret-sealed.yaml
+│   ├── gitea-credentials-sealed.yaml
-│   │   ├── argocd-mcp-credentials.yaml
+│   ├── gitea-runner-token-sealed.yaml
-│   │   ├── argocdmcp-auth-oidc-sealed.yaml
+│   ├── mcp10x-credentials-sealed.yaml
-│   │   ├── dot-ai-secrets.yaml
+│   └── musicman-credentials.yaml
 │   │   ├── forte10x-app-credentials-sealed.yaml
 │   │   ├── gitea-backup-s3-sealed.yaml
 │   │   ├── gitea-credentials-sealed.yaml
 │   │   ├── gitea-runner-token-sealed.yaml
 │   │   ├── gitea-smtp-secret-sealed.yaml
 │   │   ├── keycloak-credentials-sealed.yaml
 │   │   ├── musicman-auth-oidc-sealed.yaml
 │   │   ├── musicman-credentials.yaml
 │   │   └── renovate-env-sealed.yaml
 │   └── overlays/                 # Per-cloud overlays (reference base)
 │       ├── aks-dev/kustomization.yaml
 │       ├── aks-prod/kustomization.yaml
 │       ├── eks-dev/kustomization.yaml
 │       ├── eks-prod/kustomization.yaml
 │       ├── gke-dev/kustomization.yaml
 │       ├── gke-prod/kustomization.yaml
 │       ├── upc-dev/kustomization.yaml
 │       └── upc-prod/kustomization.yaml
 │
 ├── scripts/                       # Operational helper scripts
 │   ├── gitea-backup.sh            # S3 backup helper (list/download)
@@ -656,128 +637,13 @@ retry:
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
+| `admin.enabled` | `true` | Enable admin account |
-| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
+| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
 **Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
 ```yaml
 configs:
  params:
    "reposerver.enable.git.submodule": "false"
 ```
 This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
 **Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
 ```bash
 # Enable admin login
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
 # Log in as admin, do what's needed, then disable again
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
 ```
 ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
 **OIDC Authentication** (Keycloak):
 ```yaml
 configs:
  cm:
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbacConfig:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
 ```
 **Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
 - `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
 - OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
 - The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
 - Safe for fresh deploys: no-ops if source secret doesn't exist yet
 **Ingress** (Traefik + TLS):
 ```yaml
 server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
 configs:
  params:
    "server.insecure": true
 ```
 TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 ---
 ## Infrastructure Components
 ### Homepage (Platform Dashboard)
 **Chart**: `jameswynn/homepage`
 **Namespace**: `homepage`
 **URL**: `https://start.forteapps.net`
 Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
 **Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
 **Annotated services**:
 | Service | Namespace | Group | Widget |
 |---------|-----------|-------|--------|
 | `gitea-http` | `gitea` | DevOps | `gitea` |
 | `argocd-server` | `argocd` | DevOps | `argocd` |
 | `keycloak` | `keycloak` | Identity | none |
 | `grafana` | `monitoring` | Monitoring | `grafana` |
 | `karpor-server` | `karpor` | DevOps | none |
 **Adding a new app**: Annotate the app's Service in its Helm values:
 ```yaml
 service:
  annotations:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "My App"
    gethomepage.dev/description: "What it does"
    gethomepage.dev/group: "GroupName"
    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
    gethomepage.dev/href: "https://myapp.forteapps.net"
    # Optional live widget:
    gethomepage.dev/widget.type: "myapp"
    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
 ```
 **Widget API credentials**: Inject via env vars into the Homepage pod:
 ```yaml
 # In homepage-values.yaml per environment
 env:
 - name: HOMEPAGE_VAR_GRAFANA_TOKEN
  valueFrom:
    secretKeyRef:
      name: homepage-widget-credentials
      key: grafana-token
 ```
 Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
 **Values files**:
 - `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
 - `infra/values/{env}/homepage-values.yaml` — hostname per environment
 ---
 ### Traefik
 **Chart**: `traefik/traefik`
@@ -849,10 +715,6 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`
 **Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
 To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -893,15 +755,6 @@ kubeStateMetrics:
 - Loki
 - Tempo
 **Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
 **OIDC Authentication** (Keycloak):
 - Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
 - Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
 - SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
 - Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
 - Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
 ### Loki
 **Chart**: `grafana/loki-stack`
@@ -1384,46 +1237,6 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 ### Keycloak Microsoft/Entra Identity Provider
 **File**: `infra/values/upc-dev/keycloak-values.yaml`
 **Namespace**: `keycloak`
 **Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
 **Configuration via keycloakConfigCli**:
 - IdP alias: `forte-entra`, provider: `microsoft`
 - Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
 - `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
 **Key Configuration Notes**:
 | Field | Location | Notes |
 |-------|----------|-------|
 | `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
 | `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
 | `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
 | `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
 **Token Storage & Broker Access**:
 - `storeToken: true` persists the Entra access token in Keycloak
 - Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
 - Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
 **Identity Provider Mappers**:
 - `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
 **Required Secret** (`microsoft-idp-credentials`):
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: microsoft-idp-credentials
  namespace: keycloak
 stringData:
  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
 ```
 ### Default Namespace Blocker
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1973,9 +1786,8 @@ To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
   - `opencost-values.yaml` — pricing model or cloud billing integration
 3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
 4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
-5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config
-6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+6. **Bootstrap**: `./bootstrap.sh oci-dev`
 7. **Bootstrap**: `./bootstrap.sh oci-dev`
 ---
--- a/infra/base/cert-manager-application/cert-manager-application.yaml
+++ b/infra/base/cert-manager-application/cert-manager-application.yaml
--- a/infra/base/cert-manager-application/kustomization.yaml
+++ b/infra/base/cert-manager-application/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cert-manager-application.yaml
--- a/infra/base/cluster-resources-application/cluster-resources-application.yaml
+++ b/infra/base/cluster-resources-application/cluster-resources-application.yaml
--- a/infra/base/cluster-resources-application/kustomization.yaml
+++ b/infra/base/cluster-resources-application/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cluster-resources-application.yaml
--- a/infra/base/databunker/kustomization.yaml
+++ b/infra/base/databunker/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - databunker.yaml
--- a/infra/base/enterprise-apps/enterprise-apps.yaml
+++ b/infra/base/enterprise-apps/enterprise-apps.yaml
--- a/infra/base/enterprise-apps/kustomization.yaml
+++ b/infra/base/enterprise-apps/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - enterprise-apps.yaml
--- a/infra/base/fluent-bit/fluent-bit.yaml
+++ b/infra/base/fluent-bit/fluent-bit.yaml
--- a/infra/base/fluent-bit/kustomization.yaml
+++ b/infra/base/fluent-bit/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - fluent-bit.yaml
--- a/infra/base/gitea-actions/gitea-actions.yaml
+++ b/infra/base/gitea-actions/gitea-actions.yaml
--- a/infra/base/gitea-actions/kustomization.yaml
+++ b/infra/base/gitea-actions/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea-actions.yaml
--- a/infra/base/gitea/gitea.yaml
+++ b/infra/base/gitea/gitea.yaml
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -1,8 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
 - gitea-backup-s3-sealed.yaml
 - gitea-credentials-sealed.yaml
 - gitea-runner-token-sealed.yaml
 - gitea-smtp-secret-sealed.yaml
--- a/infra/base/grafana-dashboards/grafana-dashboards.yaml
+++ b/infra/base/grafana-dashboards/grafana-dashboards.yaml
--- a/infra/base/grafana-dashboards/kustomization.yaml
+++ b/infra/base/grafana-dashboards/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - grafana-dashboards.yaml
--- a/infra/base/grafana/grafana.yaml
+++ b/infra/base/grafana/grafana.yaml
--- a/infra/base/grafana/kustomization.yaml
+++ b/infra/base/grafana/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - grafana.yaml
--- a/infra/base/homepage/homepage-extra-rbac.yaml
+++ b/infra/base/homepage/homepage-extra-rbac.yaml
@@ -1,21 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: homepage-services-reader
 rules:
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: homepage-services-reader
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: homepage-services-reader
 subjects:
 - kind: ServiceAccount
  name: homepage
  namespace: homepage
--- a/infra/base/homepage/homepage-widget-credentials-sealed.yaml
+++ b/infra/base/homepage/homepage-widget-credentials-sealed.yaml
@@ -1,16 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: homepage-widget-credentials
  namespace: homepage
 spec:
  encryptedData:
    HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
    HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
  template:
    metadata:
      creationTimestamp: null
      name: homepage-widget-credentials
      namespace: homepage
--- a/infra/base/homepage/homepage.yaml
+++ b/infra/base/homepage/homepage.yaml
@@ -1,43 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: homepage
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "3"
  labels:
    app.kubernetes.io/name: homepage
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://jameswynn.github.io/helm-charts
    chart: homepage
    targetRevision: "2.1.0"
    helm:
      releaseName: homepage
      valueFiles:
      - $values/infra/values/base/homepage-values.yaml
      - $values/infra/values/upc-dev/homepage-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: homepage
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -1,6 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
 - homepage-widget-credentials-sealed.yaml
 - homepage-extra-rbac.yaml
--- a/infra/base/karpor/karpor.yaml
+++ b/infra/base/karpor/karpor.yaml
--- a/infra/base/karpor/kustomization.yaml
+++ b/infra/base/karpor/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - karpor.yaml
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -15,7 +15,7 @@ spec:
  project: default
  sources:
-  - repoURL: registry-1.docker.io/bitnamicharts
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
@@ -47,7 +47,3 @@ spec:
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
 - keycloak-credentials-sealed.yaml
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -1,25 +1,25 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- traefik-application
+- traefik-application.yaml
- keycloak
+- keycloak.yaml
- grafana
+- grafana.yaml
- cert-manager-application
+- cert-manager-application.yaml
- kyverno
+- kyverno.yaml
- sealedsecrets
+- sealedsecrets.yaml
- prometheus
+- prometheus.yaml
- loki
+- loki.yaml
- fluent-bit
+- fluent-bit.yaml
- enterprise-apps
+- trivy.yaml
- cluster-resources-application
+- enterprise-apps.yaml
- kyverno-policies
+- cluster-resources-application.yaml
- gitea
+- kyverno-policies.yaml
- gitea-actions
+- secrets.yaml
- opencost
+- gitea.yaml
- renovate
+- gitea-actions.yaml
- tempo
+- opencost.yaml
- grafana-dashboards
+- renovate.yaml
- karpor
+- tempo.yaml
- databunker
+- grafana-dashboards.yaml
- homepage
+- network-policies-application.yaml
- vault
+- karpor.yaml
--- a/infra/base/kyverno-policies/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies/kyverno-policies.yaml
@@ -27,6 +27,7 @@ spec:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
--- a/infra/base/kyverno-policies/kustomization.yaml
+++ b/infra/base/kyverno-policies/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kyverno-policies.yaml
--- a/infra/base/kyverno/kyverno.yaml
+++ b/infra/base/kyverno/kyverno.yaml
--- a/infra/base/kyverno/kustomization.yaml
+++ b/infra/base/kyverno/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kyverno.yaml
--- a/infra/base/loki/loki.yaml
+++ b/infra/base/loki/loki.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/loki/kustomization.yaml
+++ b/infra/base/loki/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - loki.yaml
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
@@ -1,42 +1,33 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: databunker
+  name: network-policies
  namespace: argocd
  labels:
    app.kubernetes.io/name: network-policies
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: databunker
    app.kubernetes.io/part-of: identity
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-  sources:
+  source:
-  - repoURL: https://securitybunker.github.io/databunkerpro-setup
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    chart: databunkerpro
    targetRevision: "0.1.0"
    helm:
      releaseName: databunkerpro
      valueFiles:
      - $values/infra/values/base/databunker-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    ref: values
+    path: cluster-resources/network
  destination:
    server: https://kubernetes.default.svc
    namespace: databunker
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/opencost/opencost.yaml
+++ b/infra/base/opencost/opencost.yaml
--- a/infra/base/opencost/kustomization.yaml
+++ b/infra/base/opencost/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - opencost.yaml
--- a/infra/base/prometheus/prometheus.yaml
+++ b/infra/base/prometheus/prometheus.yaml
--- a/infra/base/prometheus/kustomization.yaml
+++ b/infra/base/prometheus/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - prometheus.yaml
--- a/infra/base/renovate/renovate.yaml
+++ b/infra/base/renovate/renovate.yaml
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
 - renovate-env-sealed.yaml
--- a/infra/base/sealedsecrets/sealedsecrets.yaml
+++ b/infra/base/sealedsecrets/sealedsecrets.yaml
--- a/infra/base/sealedsecrets/kustomization.yaml
+++ b/infra/base/sealedsecrets/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
 - argocd-forte-helm-secret-sealed.yaml
--- a/infra/base/secrets.yaml
+++ b/infra/base/secrets.yaml
@@ -0,0 +1,30 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: secrets
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
    app.kubernetes.io/name: secrets
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    path: secrets/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: secrets
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/infra/base/tempo/tempo.yaml
+++ b/infra/base/tempo/tempo.yaml
@@ -40,9 +40,3 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/tempo/kustomization.yaml
+++ b/infra/base/tempo/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - tempo.yaml
--- a/infra/base/traefik-application/traefik-application.yaml
+++ b/infra/base/traefik-application/traefik-application.yaml
--- a/infra/base/traefik-application/kustomization.yaml
+++ b/infra/base/traefik-application/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - traefik-application.yaml
--- a/infra/base/trivy.yaml
+++ b/infra/base/trivy.yaml
@@ -0,0 +1,67 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: trivy-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: trivy-operator
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://aquasecurity.github.io/helm-charts
    chart: trivy-operator
    targetRevision: 0.31.0
    helm:
      releaseName: trivy-operator
      valuesObject:
        operator:
          targetNamespaces: ""
          excludeNamespaces: "argocd,trivy-system,kube-system,monitoring,kyverno,cert-manager"
          scanJobsInSameNamespace: true
          metricsVulnIdEnabled: true
          metricsImageInfo: true
        trivy:
          ignoreUnfixed: false
  destination:
    server: https://kubernetes.default.svc
    namespace: trivy-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
  - group: apiextensions.k8s.io
    kind: CustomResourceDefinition
    jsonPointers:
    - /metadata/labels
    - /metadata/annotations
    - /metadata/finalizers
--- a/infra/base/vault/kustomization.yaml
+++ b/infra/base/vault/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - vault.yaml
--- a/infra/base/vault/vault.yaml
+++ b/infra/base/vault/vault.yaml
@@ -1,49 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: vault
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/part-of: security
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://helm.releases.hashicorp.com
    chart: vault
    targetRevision: "0.32.0"
    helm:
      releaseName: vault
      valueFiles:
      - $values/infra/values/base/vault-values.yaml
      - $values/infra/values/upc-dev/vault-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/dashboards/kustomization.yaml
+++ b/infra/dashboards/kustomization.yaml
@@ -8,6 +8,9 @@ generatorOptions:
    grafana_dashboard: "1"
 configMapGenerator:
 - name: grafana-dashboard-trivy
  files:
  - trivy.json
 - name: grafana-dashboard-traefik-loki
  files:
  - traefik-loki.json
--- a/infra/dashboards/trivy.json
+++ b/infra/dashboards/trivy.json
--- a/infra/overlays/aks-dev/kustomization.yaml
+++ b/infra/overlays/aks-dev/kustomization.yaml
@@ -1,31 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/enterprise-apps
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/homepage
 - ../../base/traefik-application
 patches:
 # Homepage: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: homepage
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/homepage-values.yaml
 # Traefik: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -35,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -44,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → aks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-dev
 - target:
    kind: Application
@@ -53,7 +49,16 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-dev/opencost-values.yaml
-# Ent apps: swap upc-dev → aks-prod
+# Secrets: change path to aks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-dev
 # Enterprise-apps: point to aks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
--- a/infra/overlays/aks-prod/kustomization.yaml
+++ b/infra/overlays/aks-prod/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → aks-prod
@@ -24,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → aks-prod
 - target:
    kind: Application
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → aks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → aks-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/aks-prod/opencost-values.yaml
 # Secrets: change path to aks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/aks-prod
 # Enterprise-apps: point to aks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/aks-prod
--- a/infra/overlays/eks-dev/kustomization.yaml
+++ b/infra/overlays/eks-dev/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → eks-dev
@@ -24,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-dev
 - target:
    kind: Application
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/grafana-values.yaml
 # Gitea: swap upc-dev → eks-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-dev
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-dev/opencost-values.yaml
 # Secrets: change path to eks-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-dev
 # Enterprise-apps: point to eks-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-dev
--- a/infra/overlays/eks-prod/kustomization.yaml
+++ b/infra/overlays/eks-prod/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → eks-prod
@@ -24,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → eks-prod
 - target:
    kind: Application
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/grafana-values.yaml
 # Gitea: swap upc-dev → eks-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → eks-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/eks-prod/opencost-values.yaml
 # Secrets: change path to eks-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/eks-prod
 # Enterprise-apps: point to eks-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/eks-prod
--- a/infra/overlays/gke-dev/kustomization.yaml
+++ b/infra/overlays/gke-dev/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → gke-dev
@@ -24,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/traefik-values.yaml
 # Keycloak: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-dev
 - target:
    kind: Application
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/grafana-values.yaml
 # Gitea: swap upc-dev → gke-dev
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-dev
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-dev/opencost-values.yaml
 # Secrets: change path to gke-dev
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-dev
 # Enterprise-apps: point to gke-dev overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-dev
--- a/infra/overlays/gke-prod/kustomization.yaml
+++ b/infra/overlays/gke-prod/kustomization.yaml
@@ -1,18 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
 # Traefik: swap upc-dev → gke-prod
@@ -24,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → gke-prod
 - target:
    kind: Application
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/grafana-values.yaml
 # Gitea: swap upc-dev → gke-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → gke-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/gke-prod/opencost-values.yaml
 # Secrets: change path to gke-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/gke-prod
 # Enterprise-apps: point to gke-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/gke-prod
--- a/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
+++ b/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
@@ -1,15 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: microsoft-idp-credentials
  namespace: keycloak
 spec:
  encryptedData:
    MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
  template:
    metadata:
      creationTimestamp: null
      name: microsoft-idp-credentials
      namespace: keycloak
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,16 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 - entra-upc-dev-credentials-sealed.yaml
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
 patches:
 - target:
    kind: Application
    name: databunker
  patch: |
    - op: add
      path: /spec/sources/0/helm/valueFiles/-
      value: $values/infra/values/upc-dev/databunker-values.yaml
--- a/infra/overlays/upc-prod/kustomization.yaml
+++ b/infra/overlays/upc-prod/kustomization.yaml
@@ -1,21 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ../../base/cert-manager-application
+- ../../base
 - ../../base/cluster-resources-application
 - ../../base/grafana
 - ../../base/grafana-dashboards
 - ../../base/kyverno
 - ../../base/kyverno-policies
 - ../../base/loki
 - ../../base/opencost
 - ../../base/prometheus
 - ../../base/sealedsecrets
 - ../../base/tempo
 - ../../base/traefik-application
 patches:
-# Traefik: swap upc-dev → upc-prod
+# Traefik: swap upc-dev → upc-prod in valueFiles
 - target:
    kind: Application
    name: traefik
@@ -24,6 +13,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → upc-prod
 - target:
    kind: Application
@@ -33,6 +31,15 @@ patches:
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/grafana-values.yaml
 # Gitea: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: gitea
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/gitea-values.yaml
 # OpenCost: swap upc-dev → upc-prod
 - target:
    kind: Application
@@ -41,3 +48,21 @@ patches:
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/opencost-values.yaml
 # Secrets: change path to upc-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/upc-prod
 # Enterprise-apps: point to upc-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/upc-prod
--- a/infra/values/aks-dev/argocd-values.yaml
+++ b/infra/values/aks-dev/argocd-values.yaml
@@ -1,5 +0,0 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "aks-dev-launchpad"
--- a/infra/values/aks-dev/homepage-values.yaml
+++ b/infra/values/aks-dev/homepage-values.yaml
@@ -1,15 +0,0 @@
 ingress:
  main:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - host: start.forteapps.net
      paths:
      - path: /
        pathType: Prefix
    tls:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -2,46 +2,25 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
    # oidc.clientSecret managed by argocd-oidc-sync CronJob
    # (reads from argocd-oidc-credentials, patches argocd-secret)
  ssh:
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
-    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "true"
    admin.enabled: "false"
    url: https://argocd.forteapps.net
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
    policy.default: ""
    scopes: '[groups]'
  params:
    "server.insecure": true
-    "reposerver.enable.git.submodule": "false"
+repoServer:
  env:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  - name: ARGOCD_GIT_MODULES_ENABLED
    value: "false"
 server:
  ingress:
-    enabled: true
+    enabled: false
-    ingressClassName: traefik
+    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      gethomepage.dev/enabled: "true"
      gethomepage.dev/name: "ArgoCD"
      gethomepage.dev/description: "GitOps continuous delivery"
      gethomepage.dev/group: "DevOps"
      gethomepage.dev/icon: "argo-cd"
      gethomepage.dev/href: "https://argocd.forteapps.net"
    tls: true
  extraArgs:
  - --insecure
--- a/infra/values/base/databunker-values.yaml
+++ b/infra/values/base/databunker-values.yaml
@@ -1,42 +0,0 @@
 # Default values for databunkerpro
 image:
  tag: 0.14.15
 ingress:
  enabled: false # Set to true to enable ingress
  className: traefik
  # Set host to enable ingress
  host: databunker.example.com
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: "letsencrypt-prod" # or your cluster issuer
    traefik.ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/force-ssl-redirect: "true"
    traefik.ingress.kubernetes.io/ssl-passthrough: "false"
    # Security headers
    traefik.ingress.kubernetes.io/configuration-snippet: |
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-XSS-Protection "1; mode=block" always;
  # TLS configuration
  tls:
    enabled: true # Set to true to enable TLS
    secretName: "databunker-tls" # Name of the secret containing TLS certificate
 # Pin PostgreSQL password — chart uses randAlphaNum without lookup,
 # so each ArgoCD sync would regenerate the password while PVC keeps the old one.
 # Same issue as Backstage PostgreSQL (see MEMORY.md).
 internal:
  postgresql:
    auth:
      password: "databunker-pg-pass-2026"
 resources:
  # Uncomment and adjust these values based on your requirements
  # requests:
  #   memory: "512Mi"
  #   cpu: "250m"
  # limits:
  #   memory: "1Gi"
  #   cpu: "500m"
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -77,7 +77,7 @@ gitea:
      FROM: "noreply@fortedigital.com"
    admin:
-      DEFAULT_EMAIL_NOTIFICATIONS: onmention
+      DEFAULT_EMAIL_NOTIFICATIONS: enabled
  # -- SMTP credentials injected from secret (USER and PASSWD)
  additionalConfigFromEnvs:
@@ -98,7 +98,7 @@ gitea:
    existingSecret: gitea-oidc-credentials
    key: gitea
    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
-    scopes: "email profile organization"
+    scopes: "openid email profile organization"
    groupClaimName: "groups"
    adminGroup: ""
    restrictedGroup: ""
@@ -114,15 +114,6 @@ ingress:
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Gitea"
    gethomepage.dev/description: "Git hosting & CI/CD"
    gethomepage.dev/group: "DevOps"
    gethomepage.dev/icon: "gitea"
    gethomepage.dev/href: "https://git.forteapps.net"
    gethomepage.dev/widget.type: "gitea"
    gethomepage.dev/widget.url: "https://git.forteapps.net"
    gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
  hosts:
  - host: git.forteapps.net
    paths:
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -1,23 +1,5 @@
 ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Grafana"
    gethomepage.dev/description: "Metrics & observability dashboards"
    gethomepage.dev/group: "Monitoring"
    gethomepage.dev/icon: "grafana"
    gethomepage.dev/href: "https://grafana.forteapps.net"
  tls:
  - secretName: grafana-tls
    hosts:
    - grafana.forteapps.net
 persistence:
  enabled: true
  size: 1Gi
 resources:
  requests:
    cpu: 50m
@@ -29,29 +11,6 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 envFromSecrets:
 - name: grafana-oidc-credentials
 grafana.ini:
  server:
    root_url: https://grafana.forteapps.net
  auth.generic_oauth:
    enabled: true
    name: Forte SSO
    allow_sign_up: true
    client_id: ${client-id}
    client_secret: ${client-secret}
    scopes: openid email profile
    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
    role_attribute_strict: true
    allow_assign_grafana_admin: true
    auto_login: true
  auth:
    disable_login_form: true
 datasources:
  datasources.yaml:
    apiVersion: 1
--- a/infra/values/base/homepage-values.yaml
+++ b/infra/values/base/homepage-values.yaml
@@ -1,72 +0,0 @@
 # Homepage Helm Values
 # Chart: jameswynn/homepage — https://gethomepage.dev
 # Discovery: K8s service annotations (gethomepage.dev/*)
 # Each deployed app annotates its own Service — apps not deployed = not visible.
 # RBAC ClusterRole — required for cluster-wide service annotation scanning
 enableRbac: true
 serviceAccount:
  create: true
  name: homepage
 config:
  # Scan all namespaces for services with gethomepage.dev/enabled: "true"
  kubernetes:
    mode: cluster
    traefik: true
  settings:
    title: "Platform"
    headerStyle: clean
    layout:
      Apps:
        style: row
        columns: 3
      Security:
        style: row
        columns: 3
      Tools:
        style: row
        header: false
        columns: 2
        DevOps:
          style: column
          rows: 2
        Monitoring:
          style: column
          rows: 1
  # Top-of-page cluster overview widget
  widgets:
  - kubernetes:
      cluster:
        show: true
        cpu: true
        memory: true
        showLabel: true
        label: "Cluster"
      nodes:
        show: true
        cpu: true
        memory: true
        showLabel: true
  # In-cluster entries come from K8s service annotations.
  # External (out-of-cluster) services are listed here statically.
  bookmarks: []
  services: []
 resources:
  requests:
    cpu: 10m
    memory: 128Mi
  limits:
    cpu: 100m
    memory: 256Mi
 env:
 - name: HOMEPAGE_ALLOWED_HOSTS
  value: start.forteapps.net
 envFrom:
 - secretRef:
    name: homepage-widget-credentials
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -18,12 +18,6 @@ ingress:
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Keycloak"
    gethomepage.dev/description: "Identity & access management"
    gethomepage.dev/group: "Security"
    gethomepage.dev/icon: "keycloak"
    gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/"
 metrics:
  enabled: true
@@ -81,6 +75,7 @@ keycloakConfigCli:
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "gitea",
@@ -103,84 +98,6 @@ keycloakConfigCli:
                }
              }
            ]
          },
          {
            "clientId": "grafana",
            "name": "Grafana",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://grafana.forteapps.net/*"],
            "webOrigins": ["https://grafana.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "monitoring",
              "k8s.secret.name": "grafana-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "client-roles",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-client-role-mapper",
                "config": {
                  "claim.name": "resource_access.grafana.roles",
                  "jsonType.label": "String",
                  "multivalued": "true",
                  "usermodel.clientRoleMapping.clientId": "grafana",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          },
          {
            "clientId": "argocd",
            "name": "ArgoCD",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
            "webOrigins": ["https://argocd.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "argocd",
              "k8s.secret.name": "argocd-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "groups",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-group-membership-mapper",
                "config": {
                  "claim.name": "groups",
                  "full.path": "false",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ],
        "groups": [
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
          },
          {
            "name": "ArgoCD Viewers",
            "path": "/ArgoCD Viewers"
          }
        ]
      }
@@ -259,7 +176,7 @@ extraDeploy:
                ADMIN_PASS=$(cat /secrets/admin-password)
                echo "Authenticating to Keycloak..."
-                TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
@@ -276,7 +193,7 @@ extraDeploy:
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
-                  code=$(curl -s -o /dev/null -w "%{http_code}" \
+                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
@@ -285,7 +202,7 @@ extraDeploy:
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
-                    code=$(curl -s -o /dev/null -w "%{http_code}" \
+                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
@@ -332,7 +249,7 @@ extraDeploy:
                  # Get the client secret from Keycloak
                  local secret_value
-                  secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')
@@ -347,7 +264,7 @@ extraDeploy:
                  # Write to target namespace (if it exists)
                  local ns_status
-                  ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
+                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -371,12 +288,12 @@ extraDeploy:
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
-                  curl -s -o /dev/null \
+                  curl -sf -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
-                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
                }
                # =============================================
@@ -384,7 +301,7 @@ extraDeploy:
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
-                CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -409,7 +326,7 @@ extraDeploy:
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
-                CONFIG_SECRETS=$(curl -s \
+                CONFIG_SECRETS=$(curl -sf \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -430,10 +347,6 @@ extraDeploy:
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
                  if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                    echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
                    continue
                  fi
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
                  # Compute config hash for change detection
@@ -447,7 +360,7 @@ extraDeploy:
                  CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
                  # Check if credential Secret already exists in target namespace
-                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
+                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
@@ -470,17 +383,18 @@ extraDeploy:
                    publicClient: false,
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
                    defaultClientScopes: .defaultClientScopes,
                    protocolMappers: (.protocolMappers // [])
-                  } + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end')
+                  }')
                  # Check if client already exists
-                  EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                    | jq -r '.[0].id // empty')
                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
@@ -493,7 +407,7 @@ extraDeploy:
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
@@ -504,37 +418,11 @@ extraDeploy:
                      continue
                    fi
                    # Fetch the newly created client's UUID
-                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                      | jq -r '.[0].id')
                  fi
                  # Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
                  REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
                  if [ -n "$REQUESTED_SCOPES" ]; then
                    # Fetch all realm client scopes once
                    ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
                    echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
                      [ -z "$SCOPE_NAME" ] && continue
                      SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
                      if [ -z "$SCOPE_ID" ]; then
                        echo "  WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
                        continue
                      fi
                      SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                        -H "Authorization: Bearer ${TOKEN}" \
                        -X PUT \
                        "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
                      if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
                        echo "  Assigned scope '${SCOPE_NAME}'"
                      else
                        echo "  WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
                      fi
                    done
                  fi
                  # Sync credentials to target namespace
                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"
--- a/infra/values/base/prometheus-values.yaml
+++ b/infra/values/base/prometheus-values.yaml
@@ -36,6 +36,28 @@ extraScrapeConfigs: |
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
  - job_name: trivy-operator
    scrape_interval: 30s
    metrics_path: /metrics
    kubernetes_sd_configs:
      - role: pod
        namespaces:
          names:
            - trivy-system
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
        regex: trivy-operator
        action: keep
      - source_labels: [__meta_kubernetes_pod_container_port_number]
        regex: "8080"
        action: keep
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
        target_label: instance
  - job_name: traefik
    scrape_interval: 15s
    metrics_path: /metrics
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
gitea_admin	ddccdacd6d	Merge branch 'main' into feature/multi-cloud All checks were successful AI Code Review / ai-review (pull_request) Has been skipped Details	2026-04-24 08:24:34 +00:00
Danijel Simeunovic	a89f2f30ce	details	2026-04-22 22:26:57 +02:00
Danijel Simeunovic	9a7e03b794	Merge branch 'feature/cloud-agnostic' into feature/multi-cloud	2026-04-22 22:06:31 +02:00
Danijel Simeunovic	f1dd61cece	sync	2026-04-22 21:56:43 +02:00
Danijel Simeunovic	acc9bb1a85	sync	2026-04-22 21:53:44 +02:00
Danijel Simeunovic	c8c2dedea5	rename	2026-04-22 21:48:02 +02:00
Danijel Simeunovic	a471f11740	repo url	2026-04-22 14:45:23 +02:00
Danijel Simeunovic	92ddc22322	azure>aks	2026-04-22 14:42:02 +02:00
Danijel Simeunovic	7d2fb8bc0c	azure>aks	2026-04-22 14:41:42 +02:00
Danijel Simeunovic	79f9c62012	azure>aks	2026-04-22 14:35:59 +02:00
Danijel Simeunovic	dea54e469e	repo url	2026-04-22 14:34:20 +02:00
Danijel Simeunovic	333acdea26	multi-cloud overlays All checks were successful AI Code Review / ai-review (pull_request) Successful in 6s Details	2026-04-22 14:30:13 +02:00
gitea_admin	03d526208b	Merge branch 'main' into feature/cloud-agnostic All checks were successful AI Code Review / ai-review (pull_request) Successful in 7s Details	2026-04-22 12:08:08 +00:00
gitea_admin	458f7b23ad	Merge branch 'main' into feature/multi-cloud All checks were successful AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 11:55:05 +00:00
gitea_admin	41c8b85bf8	Merge branch 'main' into feature/multi-cloud All checks were successful AI Code Review / ai-review (pull_request) Successful in 26s Details	2026-04-22 11:52:22 +00:00
Danijel Simeunovic	c3f723333b	Merge branch 'feature/cloud-agnostic' of ssh://git.forteapps.net:2222/Forte/launchpad into feature/cloud-agnostic All checks were successful AI Code Review / ai-review (pull_request) Successful in 1m3s Details	2026-04-22 13:43:09 +02:00
Danijel Simeunovic	4144b1c1ac	token	2026-04-22 13:39:43 +02:00
Danijel Simeunovic	16eadbe181	Merge remote-tracking branch 'origin/main' into feature/cloud-agnostic	2026-04-22 13:38:55 +02:00
Danijel Simeunovic	4e6a84785a	token All checks were successful AI Code Review / ai-review (pull_request) Successful in 28s Details	2026-04-22 13:37:32 +02:00
Danijel Simeunovic	e0bdaab422	multi-cloud + mcp Some checks failed AI Code Review / ai-review (pull_request) Failing after 2s Details	2026-04-22 13:34:48 +02:00
Danijel Simeunovic	230ea7ebeb	Merge branch 'main' into feature/cloud-agnostic Some checks failed AI Code Review / ai-review (pull_request) Failing after 3s Details	2026-04-22 11:33:03 +00:00
Danijel Simeunovic	cab0866e14	multi-cloud no mcp	2026-04-22 13:31:09 +02:00
		`@@ -1,2 +0,0 @@`
			`# Force LF line endings for shell scripts`
			`*.sh text eol=lf`