homepage annotations

more mem homepage
homepage
2026-04-28 14:10:12 +02:00 · 2026-04-28 14:03:21 +02:00 · 2026-04-28 13:58:34 +02:00 · 2026-04-27 20:35:27 +02:00 · 2026-04-27 20:16:06 +02:00 · 2026-04-27 17:40:46 +02:00
196 changed files with 4270 additions and 2729 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+# Force LF line endings for shell scripts
+*.sh text eol=lf
--- a/.gitea/workflows/ai-review.yaml
+++ b/.gitea/workflows/ai-review.yaml
@@ -0,0 +1,47 @@
+name: AI Code Review
+
+on:
+  pull_request:
+    types: [ labeled, synchronize ]
+
+jobs:
+  ai-review:
+    if: >-
+      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
+    runs-on: ubuntu-latest
+
+    env:
+      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
+      # VCS configuration
+      VCS__PROVIDER: GITEA
+      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
+      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
+      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
+      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
+      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
+      # Review — disable fallback to see real Gitea API errors
+      REVIEW__INLINE_COMMENT_FALLBACK: "false"
+      # LLM configuration
+      LLM__PROVIDER: CLAUDE
+      LLM__META__MODEL: claude-sonnet-4-20250514
+      LLM__META__MAX_TOKENS: "4096"
+      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
+      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+        token: ${{ secrets.AI_REVIEW_TOKEN }}
+
+    - name: Run inline review
+      uses: docker://nikitafilonov/ai-review:v0.64.0
+      with:
+        args: ai-review run-inline
+
+    - name: Run summary review
+      uses: docker://nikitafilonov/ai-review:v0.64.0
+      with:
+        args: ai-review run-summary
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,34 +0,0 @@
-name: Deploy Gitea Pages
-
-on:
-  push:
-    branches: [ main ]
-    paths:
-    - 'docs/**'
-    - 'mkdocs.yml'
-  workflow_dispatch:
-
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Install dependencies
-      run: |
-        apt-get update -qq
-        apt-get install -y -qq python3-pip
-        pip3 install --break-system-packages mkdocs mkdocs-material
-
-    - run: mkdocs build
-
-    - name: Deploy to Gitea Pages
-      run: |
-        cd site
-        git init
-        git config user.name "gitea-actions"
-        git config user.email "actions@forteapps.net"
-        git add .
-        git commit -m "Deploy docs"
-        git push --force "https://x-token:${{ secrets.GITEA_TOKEN }}@git.forteapps.net/Forte/launchpad.git" HEAD:gitea-pages
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "shared-prompts"]
+	path = shared-prompts
+	url = https://git.forteapps.net/Forte/ai-review-prompts.git
--- a/.project-standards.yaml
+++ b/.project-standards.yaml
@@ -1,7 +0,0 @@
-standards_version: "2025.1"
-last_configured: "2026-04-04"
-components:
-  github-pages: "2025.1"
-  github-pages-generator: "mkdocs"
-  github-pages-source: "docs/"
-  github-pages-theme: "material"
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # Kubernetes Cluster - GitOps Configuration

-> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for UpCloud Managed Kubernetes
+> **Kubernetes cluster bootstrapping and GitOps configuration repository** using ArgoCD for multi-cloud Kubernetes (UpCloud, AWS EKS, Azure AKS, GCP GKE)

 [![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/)
-[![Kubernetes](https://img.shields.io/badge/Kubernetes-UpCloud-orange)](https://upcloud.com/)
+[![Kubernetes](https://img.shields.io/badge/Kubernetes-Multi--Cloud-orange)]()

 ---

@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl

 ### What's Inside

- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
@@ -83,26 +83,52 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── bootstrap.sh                # Cluster initialization script
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
-├── infra/                     # Infrastructure ArgoCD Applications
-│   ├── enterprise-apps.yaml   # Manages all apps in apps/ folder
-│   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
-│   ├── kyverno.yaml
-│   ├── prometheus.yaml
-│   ├── grafana.yaml
-│   ├── loki.yaml
-│   ├── tempo.yaml
-│   ├── fluent-bit.yaml
-│   ├── trivy.yaml
-│   ├── sealedsecrets.yaml
-│   ├── renovate.yaml
+├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
+│   ├── base/                  # Base ArgoCD Application manifests (one dir per component)
+│   │   ├── kustomization.yaml # Aggregates all component subdirectories
+│   │   ├── traefik-application/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── traefik-application.yaml
+│   │   ├── keycloak/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── keycloak.yaml
+│   │   ├── grafana/
+│   │   ├── prometheus/
+│   │   ├── ...               # Each component in its own subdirectory
+│   │   └── secrets/
+│   ├── overlays/              # Per-cluster overrides (Kustomize)
+│   │   ├── upc-dev/           # UpCloud Dev — includes all base components
+│   │   ├── upc-prod/         # UpCloud Prod — all components + patches
+│   │   ├── aks-dev/          # Azure AKS Dev — selective components only
+│   │   ├── aks-prod/         # Azure AKS Prod
+│   │   ├── eks-dev/           # AWS EKS Dev
+│   │   ├── eks-prod/         # AWS EKS Prod
+│   │   ├── gke-dev/          # GCP GKE Dev
+│   │   └── gke-prod/         # GCP GKE Prod
+│   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
+│       ├── base/              # Shared cloud-agnostic values
+│       ├── upc-dev/           # UpCloud Dev (storage, LB, pricing)
+│       ├── upc-prod/         # UpCloud Prod
+│       ├── eks-dev/           # AWS EKS Dev
+│       ├── eks-prod/         # AWS EKS Prod
+│       ├── aks-dev/        # Azure AKS Dev
+│       ├── aks-prod/       # Azure AKS Prod
+│       ├── gke-dev/          # GCP GKE Dev
+│       └── gke-prod/         # GCP GKE Prod
 │
-├── apps/                      # Business Applications
-│   ├── mcp10x.yaml
-│   ├── musicman.yaml
-│   ├── dot-ai-stack.yaml
-│   └── argo-mcp.yaml
+├── apps/                      # Business Applications (Kustomize, same pattern as infra)
+│   ├── base/                  # One subdirectory per app
+│   │   ├── kustomization.yaml
+│   │   ├── musicman/
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/              # Per-cluster: cherry-pick or include all
+│       ├── upc-dev/           # All apps
+│       ├── upc-prod/         # All apps + patches
+│       └── aks-dev/          # Selective apps only
 │
 ├── cluster-resources/         # Cluster-wide Kubernetes resources
 │   ├── letsencrypt-issuer.yaml
@@ -140,12 +166,12 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 |------------|---------|-----------|-----------|
 | **[launchpad](https://git.forteapps.net/Forte/launchpad)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
 | **[forte-helm](https://git.forteapps.net/Forte/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
-| **[helm-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
+| **[helm-prod-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |

 ### GitOps Workflow

 ```
-Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD syncs → Deployed to cluster
+Developer commits code → CI/CD builds image → Updates helm-prod-values → ArgoCD syncs → Deployed to cluster
 ```

 **Learn more**: [GitOps Architecture - GitOps Workflow](docs/GITOPS-ARCHITECTURE.md#gitops-workflow)
@@ -160,7 +186,7 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD

 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
-2. Create `helm-values/myapp/values.yaml` (configuration)
+2. Create `helm-prod-values/myapp/values.yaml` (configuration)
 3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!

@@ -169,8 +195,8 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 **See detailed guide**: [Developer Guide - Updating an Existing Application](docs/DEVELOPER-GUIDE.md#updating-an-existing-application)

 **Quick version**:
- **Update code**: Push to app repo → CI/CD updates image tag in helm-values
- **Update config**: Edit `helm-values/myapp/values.yaml` → commit → push
+- **Update code**: Push to app repo → CI/CD updates image tag in helm-prod-values
+- **Update config**: Edit `helm-prod-values/myapp/values.yaml` → commit → push

 ### Manage Secrets

@@ -198,7 +224,7 @@ git push

 **Quick version**:
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml

 # Token-based auth (simple)
 auth:
@@ -337,7 +363,6 @@ kubectl patch application myapp -n argocd \
 | **Fluent-Bit** | Log shipping | `monitoring` | DaemonSet |
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
-| **Trivy** | Vulnerability scanning | `trivy-system` | 1 |

 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)

@@ -355,12 +380,12 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts

 ### App-of-Apps Pattern
-`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Each YAML in `infra/` becomes a child Application managed by ArgoCD.
+`_app-of-apps-{cluster}.yaml` is the root Application that manages all other Applications in `infra/`. Each component in `infra/base/` lives in its own subdirectory (e.g., `infra/base/grafana/`). Overlays can either include **all** components (via `../../base`) or **cherry-pick** specific ones (via `../../base/grafana`, `../../base/prometheus`, etc.). Per-cluster patches swap Helm value file paths. Supported clusters: `upc-dev`, `upc-prod`, `eks-dev`, `eks-prod`, `aks-dev`, `aks-prod`, `gke-dev`, `gke-prod`.

 ### Multi-Source Pattern
 Applications reference both:
 1. **Helm charts** from `forte-helm` (templates)
-2. **Values** from `helm-values` (configuration)
+2. **Values** from `helm-prod-values` (configuration)

 This separates reusable templates from environment-specific config.

@@ -429,7 +454,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 ### Adding a New Application
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
-3. Create Helm values in `helm-values/`
+3. Create Helm values in `helm-prod-values/`
 4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!

@@ -452,16 +477,14 @@ Documentation lives in `docs/`. To update:
 ## 📝 Notes

 ### Current Environment
- **Provider**: UpCloud Managed Kubernetes
+- **Provider**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
+- **Active clusters**: UpCloud (upc-dev, upc-prod)
 - **Environment**: Production (internal use only)
- **Cluster**: Single cluster
 - **Auth**: Disabled for ArgoCD (internal access)
- **Backup**: None (cluster rebuildable via GitOps)
+- **Backup**: Gitea daily backup to S3-compatible storage

 ### Known Limitations
- No automated backups (yet)
 - Secret rotation not automated
- Single cluster (no multi-cluster setup)
 - DNS management is manual

 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -479,8 +502,8 @@ Documentation lives in `docs/`. To update:
 - [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)

 ### Related Repositories
- [forte-helm](https://github.com/fortedigital/forte-helm) - Helm chart templates
- [helm-values](git@github.com:fortedigital/helm-values.git) - Application values
+- [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
+- [helm-prod-values](git@github.com:fortedigital/helm-prod-values.git) - Application values

 ---

@@ -498,7 +521,7 @@ Internal use only. Not for public distribution.

 ---

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Documentation Version**: 1.0.0

 **🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!**
--- a/_app-of-apps-aks-dev.yaml
+++ b/_app-of-apps-aks-dev.yaml
@@ -20,7 +20,7 @@ spec:
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: infra
+    path: infra/overlays/aks-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: default
--- a/_app-of-apps-aks-prod.yaml
+++ b/_app-of-apps-aks-prod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/aks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
--- a/infra/network-policies-application.yaml
+++ b/infra/network-policies-application.yaml
@@ -1,33 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: network-policies
+  name: infrastructure-apps
  namespace: argocd
  labels:
-    app.kubernetes.io/name: network-policies
+    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: cluster-resources/network
-
+    path: infra/overlays/eks-dev
  destination:
    server: https://kubernetes.default.svc
-
+    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
-      allowEmpty: false
-
    syncOptions:
-    - Validate=true
-    - ServerSideApply=true
+    - CreateNamespace=true
--- a/_app-of-apps-eks-prod.yaml
+++ b/_app-of-apps-eks-prod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/eks-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
--- a/_app-of-apps-gke-dev.yaml
+++ b/_app-of-apps-gke-dev.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
--- a/_app-of-apps-gke-prod.yaml
+++ b/_app-of-apps-gke-prod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/gke-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
--- a/_app-of-apps-upc-dev.yaml
+++ b/_app-of-apps-upc-dev.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
--- a/_app-of-apps-upc-prod.yaml
+++ b/_app-of-apps-upc-prod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-prod
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
--- a/apps/base/argo-mcp/argo-mcp.yaml
+++ b/apps/base/argo-mcp/argo-mcp.yaml
--- a/apps/base/argo-mcp/argocd-mcp-credentials.yaml
+++ b/apps/base/argo-mcp/argocd-mcp-credentials.yaml
--- a/apps/base/argo-mcp/argocdmcp-auth-oidc-sealed.yaml
+++ b/apps/base/argo-mcp/argocdmcp-auth-oidc-sealed.yaml
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- argo-mcp.yaml
+- argocdmcp-auth-oidc-sealed.yaml
+- argocd-mcp-credentials.yaml
--- a/apps/base/dot-ai-stack/dot-ai-secrets.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-secrets.yaml
@@ -0,0 +1,18 @@
+# SealedSecret created after namespace (sync-wave: 0)
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: dot-ai-secrets
+  namespace: dot-ai
+spec:
+  encryptedData:
+    anthropic-api-key: AgASIRVNs7kIvZ/XwFJ4j9TJ05TW4YlFNzi2lx+6URlvzjTkMignK+y4/HD3wTK37BkIonnOXf/DGJcMgqgxOrHBVu9tLkSamve5qgf+SOZ8jxaqpLX2e5hdmHrgMp7rVWKiOoxM+bvu8Gdve3eMwXX8Eazj7W7vi430LsvW4BmPrQp+A9SOP+hwMlV5r+P5pUogC3hddt5KoSwpgnpOb8fRGlLDpc548eDNBJrhsAZiiFqc8+CycHX6idxWzlWOTPR05LBs7YrTIP/LUXWdyq6UG8yB5D0c9JNndnGo6kSfJxdaxCNO7GhMAOmo4CitzYn/zhICwuHPLKwUYQBcEHVpFxgub0U9fY7s4i0SAH9aF1kk8yqHWaCicHzi6B3AxMZYr+knS5vVNB+uGZmSKgZ7QNE1bF6E4Gg5bXRwk7OVQhuJSBzxVNDoXoJ6stL8ejU+MP5FtI792FxZbNDImu3kqor/t9wB49ZeB9Ngks2yvtlSrQ3G2lxJaOgNBPmKYhAX95JFI3xUSHOMa18ftn+aXmEQTXOHtM/IT8A95gUvIKz8Hrt03CwgZ8E+3lcsjAVsfNjqn/erqV+xi93OYOL6o9ivmTIem3MzsqjKuQ57HKaghnd+Ygdt/WfotRBSgZtCweOkZBV0XKxI1RmCQXk6dce8x4T7FDEeaSQwkc4yZ77LfQJnyVgU1rds9Hqv0RbymHK8JCQEMMb6PcK+Ow068fdj4NP27HkuYMB5JdPp682KIRwGznN2d3+QPXRd/ZHshnixudY7CLirlZl9xD0HssfSBI+uCrFEAln8D93UYbn7trF5gkKWYQsQ07CVZ5Z1qXieqwJWjHRY+oY=
+    auth-token: AgB65rUY3yJuTTLbGyrCtJPZp8UyEOr+kznSMGvUaZ9PoHq+kIEhazRdVKHa/WGvMWuc4x+XYRuIGj+2KiooyilUPrLcE3bz9fUOAFbRw3+iUh3WAgwK+f3eBUG6/0OoFw+GJ583IRidDW1t2BchMxSM1m+3vmQoF24qj7k9j/lWPsnX2IX3DhM0SomD1xmG+LsQMo2e4vQXB0BxhVDIQ621JTrvUPYzYx0NlPqZO/MtR1JWYS7WBTvegvgeBKLxfy9KLnqsuzu7rc2t9BYt7TRqvBg/prrKPdSV6Ei4GOZq+AcG15iOKXhsj8SxejPpM0QDemFTRQkdfz+k8ms4/SM0eylr5fEaa99TMTvjYGCfjJJyRcVm5Ef/XdmXiM3OI1u+9QNPiqXh1zmtp0yQMZ7nRE70kKQ2MHVhEmSUkBjovybIzLk4OL1v0FGDDqa1BN9KmNEBlo8H7DqXzfamVoNPyuuO625B3HgSeR3Udq8hngy9W/wiolmMNSc9C6vBA0HzE7Mkq79fHh/ruTi5zOJLfyEP7KQQqlNKfEtDFQfabaV9ERthQjuUs8ZIrdfCTOyQkrmmGY/sH5yodLRSYSEpHFrhPepwHS7lGzbVucW3Fn34D4OxJXyXQQObZKybLV7g6Oglf2Pdn11CEu/4+19RlykuOlm1dlj852a5NWWmmX319laLGlEd1BpG4cZyc9UZud68dGumwzrUupUMTLlJx8bR5rLgqaMpQMluwvq8MQbBXm4ySOcQ2jQhjw==
+    openai-api-key: AgBc4cSrd0riSxKPrp7AqrNYMDAZJTe3aCjTOwEb5pS/KARkgoEGz+0ZhLXa2bcCsPlQzqRzZ1c1cUCnBACkp1xoMfhSOoIJUWJQHRgZx5kEDhNIE/M8PQe8es7jYsW7/ui6iK8uj3Ljk21r8l/ctnP/KiKyML4553el28Ya7XsPQynRvpVexFC4BoJw50nkauLnvl3in0cKmEVAkMWorUP3Etapaj4DWkCQQ22RPN0xGNo9yiIUEAVE+uTRFNKGEHMIvJzgB291FJQtG/WoN/Sy/DeoZkUYndA7CbfFgiz9sq3GqJwyqTM+Ikzw6VCQ3TVWYO/6+yaEzT1NZ/rw00YhDyFoH+yGTkX5lrSUo8lGf3T9OODTdSS1203xtj4dhGbY70sPGMxDfucnO6piVcuRfh9bWg1VX+MTjqpBQE1J0DKJanhoh6lKbPOJhRbi0TIoCz1a3btbbKLDq2YJl7FXA3QNdBsR4qVJ3xmgWlH/eTUskCE2YxDzHmkxgZN2mL22SfeUJYtDRswRG0UGc6pvg2xrR0iEDB0UbH4FQK46fWv8aiOejteLlAAyA9HNA8yi73rTEjq55wpO19/MYj+6oUGEHpFaJje77INTHAKpdbfkp8iKotNXFYLM2hsjyau+x/AFjg87kEdIUVVHHLVMDhOq6NO+foM0nFOIv4lr2Yjl15+ImMSTEfcBr+nWaomnb9G8i5ptqz9bMHbxAcHpzWUBH9SZhzrCWZNDzOm2X2K6mpXhg4WX7VJMoIJk/f+bxTTKnWBawdnpCdbdG5GYQh7usqjPuELFYRTsx+6Tqoddp4KIEyMMxO81XObiN5vEBg74ygunxrjKNg5FoOkUA79YvcGBVVU1FNRl3d8IslXFqhEOT35nxGBB0T7ZORii34tZ2E551NkIo1WbCwilD3Dlgw==
+    ui-auth-token: AgDStP4jHhMehx/SAv5x2aQrJwChnWq8WhV/LVTSuuCSSy9kFQGa3Izyl21sMhLKUgrlS030GH50lbku+IY90S+MSBfaCq0Xb8qwohfH+qJulMRgljoU8r58/3ZsaBzbGJjiNMgBCwGlvuK85t3R3662ftwikahWqLfwAahi12L0llUDNyG9UB0Os3oR2CVAt83+YB07YspCWRzwuOz9D1SgOL/g/JF2hoL43pDD65BqYKdEuLFInJZx1Ul68V/FPmJK1gmJb/Kv8pgtk0sGTzxbbTdIQ1Ugf6+8//CWEq6GsMeEZG9VwExL/KYqobnbqd02FRgSSvWybhWLjiALLQvAFtce6FR6bur0rsariyogGjYCuXYdRnhf7QnB6NopwplhFP37Qf6E4q2pJTJ6Fzv0xq+XlfzNkn9Jvebrdkk/5CThW+wPAfx8r1VIySqBsYnPO/ZQDkfQ5ocX6fmzZ1iCg+0NI24k2YwCeMZtEAGpKEtejS0BLvqrilUG6Oz9sHCGHro4Bv5B/jzUjGbye0DSDj1f6c2RcpqMiUxfPvydJIcJGhrTx8sZS3qhEWME7kwjJCZpHEzfdv0weSJbgVGBSh9e1wjZxxeJGXuZKdFzdhpNEWP4uScGW0UnRDwxZzHMsLjS/W30mQmwmgJVTKdPl6VQrvdq7m4AC6+/d7iXlHazieC1KpBme4hWzO+/h7qRw1P5Va/ZWZtnGs8476J8hIojRtOJ/CdWwVLUa0gHo4CYnempIMwCIS3GtA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: dot-ai-secrets
+      namespace: dot-ai
--- a/apps/base/dot-ai-stack/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-stack.yaml
@@ -27,29 +27,19 @@ metadata:
 spec:
  project: default

-  source:
-    repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
+  sources:
+  - repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
    chart: dot-ai-stack
    targetRevision: "0.56.0"
-
    helm:
      releaseName: dot-ai-stack
-      values: |
-        dot-ai:
-          ingress:
-            enabled: true
-            className: traefik
-            host: kubemcp.forteapps.net
-          webUI:
-            baseUrl: http://kubemcpui.forteapps.net
-        dot-ai-ui:
-          uiAuth:
-            secretRef:
-              name: dot-ai-secrets
-          ingress:
-            enabled: true
-            className: traefik
-            host: kubemcpui.forteapps.net
+      valueFiles:
+      - $values/infra/values/base/dot-ai-stack-values.yaml
+      - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values

  destination:
    server: https://kubernetes.default.svc
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dot-ai-stack.yaml
+- dot-ai-secrets.yaml
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dot-ai-stack
+- mcp10x
+- musicman
+- ts-mcp
+- argo-mcp
--- a/apps/base/mcp10x/forte10x-app-credentials-sealed.yaml
+++ b/apps/base/mcp10x/forte10x-app-credentials-sealed.yaml
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- mcp10x.yaml
+- forte10x-app-credentials-sealed.yaml
--- a/apps/base/mcp10x/mcp10x.yaml
+++ b/apps/base/mcp10x/mcp10x.yaml
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- musicman.yaml
+- musicman-credentials.yaml
--- a/apps/base/musicman/musicman-credentials.yaml
+++ b/apps/base/musicman/musicman-credentials.yaml
@@ -4,6 +4,8 @@ metadata:
  creationTimestamp: null
  name: musicman-credentials
  namespace: music-man
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
 spec:
  encryptedData:
    DATABASE_URL: AgBGLu8Rw9z9WMo3uX7fezN7tOVlEsmWtikFlyBxuSuQ1dCv6KTCePkwxJx4LuKvaHXlwdWl5yP8wQxMJP0BNJ1wewFb9zeUkP1YuCz4MrfuXq1zrecIr86R5hNbPiOb66e/4oOTCY/z3QREX9WjZdLJV/PCyBz8MP0D51pgWXpM6CBdhwpFbHSALyJk89+q44c9KkRxAUG2OLnesMeRe9nXJt5ariUCl9Qd2POIjx2hSNII1l0KbTcjI9hCf91DYM6poqKYYQUpnrjKv3LJwWS79I2b56+iTtroH3usIRgaiwgtFt2INm+8gwLBmC4xxKJ5VAjjYB/3dcN9XeboXvj0NB05P9jS3e77imUFANIB9coeaNlcvRWxwGCewYMp8+7RT7jPVA41/+aT/zT74tq9WhkKvgrr1It9/5fRnXtFEkhZg5bBcYCChzooarHkiwKlA3Wo0CrFsDPqy89oZrnwMRnVqKWBf79koZV4l7uCA0do9ojf55lTy8mt3mKQkwfqK9UdzZNbYzH0/Fk6gxlSxANOOqe7kt6VPywYUBnh6JS5U+kdTgNeSrFy/xqLFz28fXuikSJvLEouSFu66MeT+6uvYEmdfdLeh7quW/n+p7QTok3v3kRYJ/1Dl8ZtgvM7e8F/J5bLcacj394AJ/bBt+RIDa+XBjNNPrWKcWt/mkudZ25F/84G+hNxYQv7PIbhYfA1JTuHmQSoF+xah5QhKpyNpI3+knJmJj/4MhPKLnTuebg0xfbPevm2CU9fSa4sPIqmSvSGtqlXODvCfDSFEYzWfyfXV5Tys1NGAt04V8fl9A9UxULUm510NCeD0jzFeeYm3ZJiyavA5xF6hXCHoqLE
--- a/apps/base/musicman/musicman.yaml
+++ b/apps/base/musicman/musicman.yaml
@@ -36,13 +36,8 @@ spec:
    automated:
      prune: true
      selfHeal: true
-      allowEmpty: false
-
    syncOptions:
    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=false
-    - Replace=false
    retry:
      limit: 5
      backoff:
--- a/apps/base/ts-mcp/kustomization.yaml
+++ b/apps/base/ts-mcp/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ts-mcp.yaml
+- ts-mcp-secrets-sealed.yaml
--- a/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
+++ b/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ts-mcp-secrets
+  namespace: ts-mcp
+spec:
+  encryptedData:
+    AZURE_CLIENT_SECRET: AgCWj525+NHkZ8XG97hEe4RS0SDC0QIGDXmEvzSlIqJQ9XVZEeKxVuAYmJ+w/HH7zBXD3qlZISeOPKn3FbMEeRukmYK0d5PsH26tRUMPoMzwWCuQkZIQ83uX9Pz/wMiqW8aZFIxpdEiUgVdanxHSFoDRPC1VlSEtV9B9yN2MgXBID5s0oje5BM9ttc4WVRe6+9pMeaOC6u+YUgcfY7xPLetZfC9nQO4zn4jYhoQXfAddwMzNODvQNGPzIv6PXDXJweTwdmtGaxM6eDdcCJI/30bEV9prA5m6UlgTZ/Qp+onU70KdkBA9gM9tMMVUR6j/2sbWzqMP/rVaFLeUH1PjHv15n4EieWyuDyYEfmZNDFXc7O9RIK6P0jCIE+t3myxK2ZQ7cfXprdOSj94au0qP6leat0UUVoc9CFJHHtrNxXYWl7IYVhwvIQCMSgO2qoAXkdW4wKVJAcbJadJjoL2pWxzjaD4GgnUaAxWBANqZI2lD8CED4VfUVMB0ZUYRS/zvy/eqIGlT8WbzwTYFi3YDZRvAUIknxaWEavIG4x52d0FqTmFYY06W53fGYfBrUjJI54GWYyBpKdZTf7b/AlAN0+kwkk6OqsUWwWDqxR7LVCcPhjSIKd/THp+Tbq9z5TiPIHxOO9V60u51f8IoQrEgQfNov7CEGQZ8B9HUGObjNc5MhujzBJasMhrUcd2Ddk6KWk07B7223p/gIEM+81ZWQYUcc29+U/j1dQyRNZy/TC56ywe5DDBJSoGp
+  template:
+    metadata:
+      name: ts-mcp-secrets
+      namespace: ts-mcp
--- a/apps/base/ts-mcp/ts-mcp.yaml
+++ b/apps/base/ts-mcp/ts-mcp.yaml
@@ -1,27 +1,37 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: secrets
+  name: ts-mcp
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-wave: "11"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
-    app.kubernetes.io/name: secrets
-    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/name: ts-mcp
+    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/ts-mcp/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
  destination:
    server: https://kubernetes.default.svc
-    namespace: secrets
+    namespace: ts-mcp
+
  syncPolicy:
    automated:
      prune: true
--- a/apps/overlays/aks-dev/kustomization.yaml
+++ b/apps/overlays/aks-dev/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/musicman
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+# No patches needed — base already has "upc-dev" paths
+# upc-dev is the default/base cluster
--- a/apps/overlays/upc-prod/kustomization.yaml
+++ b/apps/overlays/upc-prod/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# dot-ai-stack: swap upc-dev → upc-prod
+- target:
+    kind: Application
+    name: dot-ai-stack
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/dot-ai-stack-values.yaml
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,8 +1,16 @@
 #!/bin/zsh
+
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh

-echo "running $0..."
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod|aks-dev|aks-prod|eks-dev|eks-prod|gke-dev|gke-prod)}"
+
+echo "running $0 for cluster: ${CLUSTER}..."
+
+# Source cluster config
+eval $(yq -r 'to_entries[] | "export \(.key)=\"\(.value)\""' "clusters/${CLUSTER}.yaml")
+
+echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."

 ############################################################
 # Bootstrap                                                     #
@@ -10,18 +18,19 @@ echo "running $0..."
 Bootstrap()
 {
    ArgoCd
-#    Github
+    Gitea
 }


 ############################################################
-# Github                                                     #
+# Gitea                                                     #
 ############################################################
-Github()
+Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f private/github.yaml
-    kubectl apply -f private/main.key
+    kubectl apply -f "secrets/"
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
+    kubectl apply -f "private/${CLUSTER}/main.key"
 }

 ############################################################
@@ -29,17 +38,22 @@ Github()
 ############################################################
 ArgoCd()
 {
+    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
+    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
+    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
+
    # install argocd
    echo "Installing ArgoCD..."
-    CLUSTER_NAME="${CLUSTER_NAME:-dev-fd-no-svg1}"
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
+            --version "7.8.0" \
            --namespace argocd --create-namespace \
-            --values infra/values/argocd-values.yaml \
-            --set notifications.context.clusterName="$CLUSTER_NAME" \
+            --values infra/values/base/argocd-values.yaml \
+            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
+            --set notifications.context.clusterName="${clusterName}" \
            --timeout 60s --atomic

-    kubectl apply -f _app-of-apps.yaml -n argocd
+    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }

 Bootstrap
--- a/cluster-resources/argocd-oidc-secret-sync.yaml
+++ b/cluster-resources/argocd-oidc-secret-sync.yaml
@@ -0,0 +1,83 @@
+# CronJob: syncs OIDC client secret from registrar-managed
+# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
+# Runs every 2 min. No-ops if source secret doesn't exist yet
+# (safe for fresh deploys before Keycloak is up).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-oidc-sync
+subjects:
+- kind: ServiceAccount
+  name: argocd-oidc-sync
+  namespace: argocd
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: argocd-oidc-sync
+  namespace: argocd
+spec:
+  schedule: "*/2 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: argocd-oidc-sync
+          restartPolicy: Never
+          containers:
+          - name: sync
+            image: bitnami/kubectl:latest
+            command: ["/bin/sh", "-c"]
+            args:
+            - |
+              set -e
+
+              # Exit gracefully if source secret doesn't exist yet
+              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
+                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
+                exit 0
+              fi
+
+              # Read current OIDC client secret
+              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
+                -o jsonpath='{.data.client-secret}' | base64 -d)
+
+              # Read current value in argocd-secret (if any)
+              CURRENT=$(kubectl get secret argocd-secret -n argocd \
+                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
+
+              # Only patch if changed
+              if [ "$NEW_SECRET" = "$CURRENT" ]; then
+                echo "oidc.clientSecret already up to date"
+                exit 0
+              fi
+
+              kubectl patch secret argocd-secret -n argocd --type merge \
+                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
+              echo "Patched argocd-secret with oidc.clientSecret"
--- a/cluster-resources/argocd-repo-server-config.yaml
+++ b/cluster-resources/argocd-repo-server-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-repo-server-config
+  namespace: argocd
+data:
+  # Disable git submodule checkout - submodules (e.g. shared-prompts)
+  # are not needed for K8s manifest generation
+  ARGOCD_GIT_MODULES_ENABLED: "false"
--- a/cluster-resources/gitea-backup-cronjob.yaml
+++ b/cluster-resources/gitea-backup-cronjob.yaml
@@ -57,17 +57,17 @@ spec:
                - sh
                - -c
                - |
-                  mc alias set upcloud "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"
+                  mc alias set s3 "${S3_ENDPOINT}" "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}"

                  TIMESTAMP=$(date +%Y%m%d-%H%M%S)
                  KEY="gitea-dump-${TIMESTAMP}.zip"
                  echo "Uploading ${KEY}..."
-                  mc cp /backup/gitea-dump.zip "upcloud/${S3_BUCKET}/${KEY}" && \
+                  mc cp /backup/gitea-dump.zip "s3/${S3_BUCKET}/${KEY}" && \
                  echo "Upload complete."

                  # Prune backups older than 7 days
                  echo "Pruning backups older than 7 days..."
-                  mc rm --older-than 7d --force "upcloud/${S3_BUCKET}/" 2>&1 || true
+                  mc rm --older-than 7d --force "s3/${S3_BUCKET}/" 2>&1 || true
                  echo "Pruning complete."
              envFrom:
                - secretRef:
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -243,8 +243,8 @@ spec:
            - name: AUTH_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: auth-oidc
-                  key: client-secret
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
            resources:
              limits:
                cpu: 50m
@@ -410,8 +410,8 @@ spec:
            - name: AUTH_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: auth-oauth
-                  key: client-secret
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret\" || 'auth-oauth' }}"
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret-key\" || 'client-secret' }}"
            - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
--- a/cluster-resources/policies/keycloak-client-cloner.yaml
+++ b/cluster-resources/policies/keycloak-client-cloner.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: keycloak-client-config-cloner
+spec:
+  rules:
+  - name: clone-client-config-to-keycloak
+    skipBackgroundRequests: false
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          selector:
+            matchLabels:
+              keycloak.forteapps.net/client-config: "true"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - keycloak
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: "{{request.object.metadata.name}}"
+      namespace: keycloak
+      synchronize: true
+      data:
+        metadata:
+          labels:
+            keycloak.forteapps.net/client-config: "true"
+            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
+          annotations:
+            keycloak.forteapps.net/source-name: "{{request.object.metadata.name}}"
+            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
+        data: "{{request.object.data}}"
+        type: "{{request.object.type}}"
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -26,7 +26,6 @@ spec:
          - monitoring
          - secrets
          - kyverno
-          - trivy-system
    match:
      any:
      - resources:
--- a/cluster-resources/policies/secret-cloner.yaml
+++ b/cluster-resources/policies/secret-cloner.yaml
@@ -16,7 +16,6 @@ spec:
      - resources:
          namespaces:
          - kube-system
-          - trivy-system
          - monitoring
          - argocd
          - cert-manager
--- a/clusters/aks-dev.yaml
+++ b/clusters/aks-dev.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: k8s-launchpad # → infra/values/aks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com # → infra/values/aks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com # → infra/values/aks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com # → infra/values/aks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com # → infra/values/aks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-dev/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/aks-prod.yaml
+++ b/clusters/aks-prod.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-aks                    # → infra/values/aks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/aks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/aks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/aks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/aks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,168.63.129.16/32" # → infra/values/aks-prod/traefik-values.yaml (ports.*.trustedIPs) — VNet CIDR + Azure health probe
+cloudProvider: azure                     # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/eks-dev.yaml
+++ b/clusters/eks-dev.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-eks                     # → infra/values/eks-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-dev/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/eks-prod.yaml
+++ b/clusters/eks-prod.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-eks                    # → infra/values/eks-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/eks-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/eks-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/eks-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/eks-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8"                # → infra/values/eks-prod/traefik-values.yaml (ports.*.trustedIPs) — VPC CIDR
+cloudProvider: eks                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/gke-dev.yaml
+++ b/clusters/gke-dev.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-gke                     # → infra/values/gke-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-dev/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/gke-prod.yaml
+++ b/clusters/gke-prod.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-gke                    # → infra/values/gke-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: example.com                      # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.example.com         # → infra/values/gke-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.example.com       # → infra/values/gke-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.example.com           # → infra/values/gke-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.example.com         # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host) — create if needed
+dotaiUiDomain: kubemcpui.example.com     # → infra/values/gke-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host) — create if needed
+letsencryptEmail: admin@example.com      # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22" # → infra/values/gke-prod/traefik-values.yaml (ports.*.trustedIPs) — subnet + GCP health checks
+cloudProvider: gke                       # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/upc-dev.yaml
+++ b/clusters/upc-dev.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: dev-fd-no-svg1              # → infra/values/upc-dev/argocd-values.yaml (notifications.context.clusterName)
+domain: forteapps.net                    # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-dev/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.forteapps.net     # → infra/values/upc-dev/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.forteapps.net         # → infra/values/upc-dev/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.forteapps.net       # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+dotaiUiDomain: kubemcpui.forteapps.net   # → infra/values/upc-dev/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+letsencryptEmail: danijels@gmail.com     # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-dev/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
--- a/clusters/upc-prod.yaml
+++ b/clusters/upc-prod.yaml
@@ -0,0 +1,12 @@
+# Cluster config reference — values must match the corresponding overlay files.
+# Read by bootstrap.sh at install time; NOT auto-propagated to ArgoCD value files.
+clusterName: prod-fd-no-svg1             # → infra/values/upc-prod/argocd-values.yaml (notifications.context.clusterName)
+domain: fortedigital.com                 # → infra/values/base/gitea-values.yaml, renovate-values.yaml, keycloak-values.yaml (subdomains)
+argocdDomain: argocd.127.0.0.1.nip.io   # → infra/values/upc-prod/argocd-values.yaml (global.domain)
+grafanaDomain: grafana.fortedigital.com  # → infra/values/upc-prod/grafana-values.yaml (ingress.hosts)
+keycloakDomain: id.fortedigital.com      # → infra/values/upc-prod/keycloak-values.yaml (ingress.hostname)
+dotaiDomain: kubemcp.fortedigital.com    # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai.ingress.host)
+dotaiUiDomain: kubemcpui.fortedigital.com # → infra/values/upc-prod/dot-ai-stack-values.yaml (dot-ai-ui.ingress.host)
+letsencryptEmail: danijel.simeunovic@fortedigital.com # → cluster-resources/letsencrypt-issuer.yaml (spec.acme.email)
+trustedIPs: "172.16.1.0/24"             # → infra/values/upc-prod/traefik-values.yaml (ports.*.trustedIPs)
+cloudProvider: upcloud                   # → determines overlay directory and cloud-specific LB/storage annotations
--- a/devbox.json
+++ b/devbox.json
@@ -0,0 +1,32 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
+  "packages": [
+    "kubectl@1.33.2",
+    "kubernetes-helm@3.18.4",
+    "k9s@0.50.7",
+    "kubeseal@0.30.0",
+    "argocd@2.14.11",
+    "kubecm@0.33.1",
+    "kubectl-tree@0.4.3",
+    "kind@0.29.0",
+    "kustomize@5.7.0",
+    "kyverno@1.14.3",
+    "syft@1.29.0",
+    "grype@0.92.2",
+    "traefik@3.6.7",
+    "claude-code@latest",
+    "go@latest",
+    "dotnet-sdk@latest",
+    "opentofu@1.11.6"
+  ],
+  "shell": {
+    "init_hook": [
+      "echo 'Welcome to devbox!' > /dev/null"
+    ],
+    "scripts": {
+      "test": [
+        "echo \"Error: no test specified\" && exit 1"
+      ]
+    }
+  }
+}
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -9,6 +9,7 @@
 - [Updating an Existing Application](#updating-an-existing-application)
 - [Working with Secrets](#working-with-secrets)
 - [Enabling Authentication for Applications](#enabling-authentication-for-applications)
+- [Adding a New Keycloak Client](#adding-a-new-keycloak-client)
 - [Troubleshooting](#troubleshooting)
 - [Best Practices](#best-practices)

@@ -95,10 +96,10 @@ You'll need read/write access to these repositories:
   cd launchpad
   ```

-2. **helm-values** (Values repo)
+2. **helm-prod-values** (Values repo)
   ```bash
   git clone https://git.forteapps.net/Forte/helm-prod-values.git
-   cd helm-values
+   cd helm-prod-values
   ```

 3. **forte-helm** (Chart repo - read-only for most developers)
@@ -174,13 +175,13 @@ npm run dev
 │  - GitHub Actions builds image                                  │
 │  - Pushes to container registry (GHCR, Docker Hub)              │
 │  - Tags with version (e.g., v2.0.4)                             │
-│  - Updates helm-values repository with new tag                  │
+│  - Updates helm-prod-values repository with new tag                  │
 └─────────────────────────────────────────────────────────────────┘
                            │
                            ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Step 3: GitOps Sync (Automated)                                │
-│  - ArgoCD detects change in helm-values                         │
+│  - ArgoCD detects change in helm-prod-values                         │
 │  - Pulls updated configuration                                  │
 │  - Syncs to Kubernetes cluster                                  │
 │  - Sends Slack notification on success/failure                  │
@@ -200,7 +201,7 @@ Our setup uses three repositories:
 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
 | **forte-helm** | Helm chart templates (generic, reusable) | Platform engineers | ❌ Rarely |
-| **helm-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
+| **helm-prod-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
 | **launchpad** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |

 ### Example: Deploying "myapp"
@@ -222,7 +223,7 @@ spec:
      value: {{ .Values.app.port }}
 ```

-#### Repository: `helm-values` (Your App Config)
+#### Repository: `helm-prod-values` (Your App Config)
 ```yaml
 # myapp/values.yaml
 # Your app's specific configuration
@@ -247,13 +248,13 @@ metadata:
  namespace: argocd
 spec:
  sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    helm:
      valueFiles:
      - $values/myapp/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    ref: values

  destination:
@@ -315,10 +316,10 @@ Ensure your app repository has:
             docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} .
             docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }}

-         - name: Update helm-values
+         - name: Update helm-prod-values
           run: |
-             git clone git@github.com:fortedigital/helm-values.git
-             cd helm-values
+             git clone git@github.com:fortedigital/helm-prod-values.git
+             cd helm-prod-values
             mkdir -p hello-world
             cat > hello-world/values.yaml <<EOF
             app:
@@ -333,7 +334,7 @@ Ensure your app repository has:

 ### Step 2: Create Helm Values

-Create a folder in `helm-values` repository:
+Create a folder in `helm-prod-values` repository:

 ```bash
 cd ~/dev/k8s/helm-prod-values
@@ -411,7 +412,7 @@ spec:

  sources:
  # Source 1: Helm chart templates
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
@@ -419,7 +420,7 @@ spec:
      - $values/hello-world/values.yaml

  # Source 2: Helm values
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values

@@ -527,7 +528,7 @@ git push origin main
 2. ✅ Builds new Docker image
 3. ✅ Tags with new version (e.g., `v20260316-143022`)
 4. ✅ Pushes to container registry
-5. ✅ Updates `helm-values/myapp/values.yaml` with new tag
+5. ✅ Updates `helm-prod-values/myapp/values.yaml` with new tag
 6. ✅ ArgoCD detects change
 7. ✅ Syncs new version to cluster
 8. ✅ Sends Slack notification
@@ -653,21 +654,11 @@ kubectl create secret generic myapp-credentials \

 #### Step 2: Seal the Secret

-Get the public certificate (one-time setup):
-
-```bash
-# Fetch public cert from cluster
-kubeseal --fetch-cert \
-  --controller-name=sealed-secrets-controller \
-  --controller-namespace=kube-system \
-  > pub-cert.pem
-```
-
 Seal your secret:

 ```bash
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
@@ -682,7 +673,7 @@ git push

 #### Step 4: Reference Secret in Application

-Update your `helm-values/myapp/values.yaml`:
+Update your `helm-prod-values/myapp/values.yaml`:

 ```yaml
 app:
@@ -710,7 +701,7 @@ kubectl create secret generic myapp-credentials \

 # 2. Seal it
 kubeseal --format=yaml \
-  --cert=pub-cert.pem \
+  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml

@@ -790,7 +781,7 @@ Three authentication modes are supported:
 #### Step 1: Configure Helm Values

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
  enabled: true
  type: token                    # Token mode (default)
@@ -912,7 +903,7 @@ rm private/myapp-auth-oidc.yaml
 #### Step 3: Configure Helm Values

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
  enabled: true
  type: oidc                     # OIDC mode
@@ -961,6 +952,46 @@ User sees application (authenticated)

 ---

+### Accessing Authenticated User Information
+
+The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
+
+After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
+
+| Header | Description | Available in |
+|--------|-------------|-------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+**Your application reads these headers — no auth library needed:**
+
+```javascript
+// Express.js example
+app.get('/profile', (req, res) => {
+  const user = req.headers['x-auth-user'];
+  const email = req.headers['x-auth-email'];
+  res.json({ user, email });
+});
+```
+
+```python
+# Flask example
+@app.route('/profile')
+def profile():
+    user = request.headers.get('X-Auth-User')
+    email = request.headers.get('X-Auth-Email')
+    return jsonify(user=user, email=email)
+```
+
+**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
+
+**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
+
+---
+
 ### Authentication Configuration Reference

 #### Helm Values Schema
@@ -1048,7 +1079,7 @@ policies.forteapps.io/auth-image-version: "v1.2.3"
 #### Example 1: Internal API with Token Auth

 ```yaml
-# helm-values/internal-api/values.yaml
+# helm-prod-values/internal-api/values.yaml
 app:
  image:
    repository: ghcr.io/company/internal-api
@@ -1076,7 +1107,7 @@ curl -H "Authorization: Bearer d4f88f..." \
 #### Example 2: User-Facing App with OIDC

 ```yaml
-# helm-values/web-app/values.yaml
+# helm-prod-values/web-app/values.yaml
 app:
  image:
    repository: ghcr.io/company/web-app
@@ -1111,7 +1142,7 @@ kubectl create secret generic auth-oidc \
 #### Example 3: MCP Server with OAuth 2.0

 ```yaml
-# helm-values/mcp-server/values.yaml
+# helm-prod-values/mcp-server/values.yaml
 app:
  image:
    repository: ghcr.io/company/mcp-server
@@ -1135,7 +1166,7 @@ The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) fo
 #### Example 4: Disabling Authentication

 ```yaml
-# helm-values/public-api/values.yaml
+# helm-prod-values/public-api/values.yaml
 auth:
  enabled: false                 # No authentication

@@ -1247,6 +1278,202 @@ kubectl logs -n myapp <pod-name> -c authn

 ---

+## Adding a New Keycloak Client
+
+There are two ways to add an OIDC client, depending on your use case:
+
+| Method | Best for | Who edits the infra repo? |
+|--------|----------|--------------------------|
+| **Self-service** (recommended) | New apps that deploy their own resources | App developer — no infra changes needed |
+| **Legacy (realm JSON)** | Existing clients already defined in forte-realm.json (e.g., Gitea) | Platform engineer |
+
+Both methods are served by the **Keycloak Client Registrar** CronJob, which runs every 2 minutes.
+
+### Self-Service OIDC Client Registration
+
+This is the recommended flow for new applications. Your app deploys a labeled config Secret in its own namespace; the platform handles everything else.
+
+#### How It Works
+
+1. You deploy a Secret with label `keycloak.forteapps.net/client-config: "true"` containing a `client.json` definition
+2. A **Kyverno ClusterPolicy** (`keycloak-client-config-cloner`) clones it to the `keycloak` namespace
+3. The **Client Registrar CronJob** picks it up within 2 minutes:
+   - Registers (or updates) the client in Keycloak
+   - Fetches the auto-generated client secret
+   - Creates a credential Secret in your app's namespace
+   - Annotates the config Secret with sync status
+
+#### Step 1: Create the Config Secret
+
+Deploy this Secret in your application's namespace (e.g., as part of your Helm chart or Kustomize overlay):
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-myapp
+  namespace: myapp
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "myapp",
+      "name": "My Application",
+      "redirectUris": ["https://myapp.forteapps.net/*"],
+      "webOrigins": ["https://myapp.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "myapp",
+        "name": "myapp-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+```
+
+**`client.json` fields**:
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `clientId` | Yes | Keycloak client ID |
+| `name` | Yes | Display name in Keycloak |
+| `redirectUris` | Yes | Allowed redirect URIs |
+| `webOrigins` | Yes | Allowed web origins (CORS) |
+| `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) |
+| `protocolMappers` | No | Custom claim mappers (default: `[]`) |
+| `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) |
+| `secret.name` | No | Name of the credential Secret (default: `<clientId>-oidc-credentials`) |
+| `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) |
+| `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) |
+
+#### Step 2: Reference the Credential Secret
+
+In your application's deployment config, reference the credential Secret that the registrar creates:
+
+```yaml
+env:
+- name: OIDC_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-id
+- name: OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-secret
+```
+
+#### Step 3: Deploy and Wait
+
+Commit and push your changes. The credential Secret will appear within 2 minutes:
+
+```bash
+# Watch for the credential Secret to be created
+kubectl get secret myapp-oidc-credentials -n myapp -w
+
+# Check registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Check sync status on the config Secret
+kubectl get secret keycloak-client-myapp -n keycloak -o jsonpath='{.metadata.annotations}'
+```
+
+#### Change Detection
+
+The registrar computes a SHA-256 hash of `client.json` and stores it as an annotation. On subsequent runs, it skips processing if:
+- The hash hasn't changed, AND
+- The credential Secret already exists in the target namespace
+
+To force a re-sync, update any field in `client.json` (e.g., add a trailing space to `name`).
+
+### Legacy Method: Realm JSON
+
+Existing clients (like Gitea) are defined directly in `forte-realm.json` inside `keycloak-values.yaml`. The registrar syncs their secrets via client attributes.
+
+#### Step 1: Add Client to Realm Config
+
+In `infra/values/base/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
+
+```json
+{
+  "clientId": "myapp",
+  "name": "My Application",
+  "enabled": true,
+  "protocol": "openid-connect",
+  "clientAuthenticatorType": "client-secret",
+  "standardFlowEnabled": true,
+  "directAccessGrantsEnabled": false,
+  "publicClient": false,
+  "redirectUris": ["https://myapp.forteapps.net/*"],
+  "webOrigins": ["https://myapp.forteapps.net"],
+  "defaultClientScopes": ["openid", "email", "profile"],
+  "attributes": {
+    "k8s.secret.sync": "true",
+    "k8s.secret.namespace": "myapp",
+    "k8s.secret.name": "myapp-oidc-credentials",
+    "k8s.secret.client-id-key": "key",
+    "k8s.secret.client-secret-key": "secret"
+  }
+}
+```
+
+**Important**:
+- Do **NOT** include a `"secret"` field — Keycloak generates one automatically
+- The `attributes` block tells the registrar where to create the K8s Secret
+- Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
+
+#### Step 2: Reference the Secret in Your Application
+
+```yaml
+existingSecret: myapp-oidc-credentials
+```
+
+#### Step 3: Commit and Push
+
+```bash
+cd ~/dev/k8s/launchpad
+git add infra/values/base/keycloak-values.yaml
+git commit -m "Add myapp Keycloak client with auto-sync"
+git push
+```
+
+ArgoCD will sync the Keycloak config, and the registrar CronJob will pick up the new client within 2 minutes.
+
+#### Legacy Sync Attribute Reference
+
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
+
+### Retrieving Secrets for External Deployments
+
+The registrar always writes a **central copy** of every synced secret to the `secrets` namespace, in addition to the target namespace. This allows operators to retrieve client credentials for applications deployed outside this cluster:
+
+```bash
+# View the central copy
+kubectl get secret gitea-oidc-credentials -n secrets -o yaml
+
+# Extract the client secret for use elsewhere
+kubectl get secret myapp-oidc-credentials -n secrets \
+  -o jsonpath='{.data.client-secret}' | base64 -d
+```
+
+### Registrar Behavior Notes
+
+- The registrar runs as a CronJob every 2 minutes (`concurrencyPolicy: Forbid`)
+- If the target namespace doesn't exist, the target write is skipped with a warning (the central copy still happens)
+- A central copy is **always** written to the `secrets` namespace for every synced client
+- The registrar uses the `keycloak-credentials` secret for admin authentication
+- Created secrets have the label `app.kubernetes.io/managed-by: keycloak-client-registrar`
+
+---
+
 ## Troubleshooting

 ### Application Not Deploying
@@ -1303,7 +1530,7 @@ kubectl exec -n myapp <pod-name> -- env
 # Check if secrets exist
 kubectl get secrets -n myapp

-# Increase resources in helm-values
+# Increase resources in helm-prod-values
 vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
 ```

@@ -1452,7 +1679,7 @@ If you're stuck:
 ### Configuration Management

 ✅ **DO**:
- Keep configuration in `helm-values` repository
+- Keep configuration in `helm-prod-values` repository
 - Use environment variables for config
 - Document what each value does
 - Use reasonable resource limits
@@ -1579,4 +1806,4 @@ Now that you understand the basics:
 - Docs: [Full documentation index](README.md)
 - Help: Contact platform team

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-16
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -12,11 +12,11 @@

 ## Overview

-This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on **UpCloud Managed Kubernetes** but is designed to be cloud-agnostic.
+This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster setup is **cloud-agnostic**, with ready-to-use configurations for **UpCloud**, **AWS EKS**, **Azure AKS**, and **GCP GKE**.

 ### Key Characteristics
 - **Environment**: Production (internal use only)
- **Cluster Type**: Single cluster, single environment
+- **Cluster Type**: Multi-cloud, multi-cluster via Kustomize overlays (UpCloud, AWS, Azure, GCP)
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
@@ -47,7 +47,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
         │                            │                          │
         │                            │                          │
         └────────► Update image tag ─┴──────────────────────────┘
-                    in helm-values                               │
+                    in helm-prod-values                               │
                                                                 │
                                                                 ▼
                                           ┌────────────────────────────────┐
@@ -62,8 +62,8 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                        │
                                                        ▼
                                           ┌────────────────────────────────┐
-                                           │   Kubernetes Cluster           │
-                                           │   (UpCloud Managed)            │
+                                           │   Kubernetes Clusters          │
+                                           │   (UpCloud, AWS, Azure, GCP)    │
                                           │                                │
                                           │  ┌──────────────────────────┐  │
                                           │  │    ArgoCD                │  │
@@ -116,81 +116,78 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ```
 launchpad/
 ├── bootstrap.sh                      # Cluster initialization script
-├── _app-of-apps.yaml                 # Root ArgoCD Application (App-of-Apps pattern)
+├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
+├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
-├── infra/                            # Infrastructure ArgoCD Applications
-│   ├── enterprise-apps.yaml          # Parent app managing all apps in apps/
-│   ├── cluster-resources-application.yaml
-│   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
-│   ├── kyverno.yaml
-│   ├── kyverno-policies.yaml
-│   ├── prometheus.yaml
-│   ├── grafana.yaml
-│   ├── loki.yaml
-│   ├── tempo.yaml
-│   ├── fluent-bit.yaml
-│   ├── trivy.yaml
-│   ├── sealedsecrets.yaml
-│   ├── secrets.yaml
+├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
+│   ├── base/                         # Base Application manifests (one dir per component)
+│   │   ├── kustomization.yaml        # Aggregates all component subdirectories
+│   │   ├── traefik-application/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── traefik-application.yaml
+│   │   ├── keycloak/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── keycloak.yaml
+│   │   ├── grafana/
+│   │   ├── prometheus/
+│   │   ├── ...                       # Each component in its own subdirectory
+│   │   └── secrets/
+│   ├── overlays/                     # Per-cluster Kustomize overrides
+│   │   ├── upc-dev/                  # UpCloud Dev — includes all (resources: ../../base)
+│   │   ├── upc-prod/                # UpCloud Prod — all + patches
+│   │   ├── aks-dev/                 # Azure AKS Dev — selective components
+│   │   ├── aks-prod/               # Azure AKS Prod
+│   │   ├── eks-dev/                  # AWS EKS Dev
+│   │   ├── eks-prod/                # AWS EKS Prod
+│   │   ├── gke-dev/                 # GCP GKE Dev
+│   │   └── gke-prod/               # GCP GKE Prod
+│   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
-│       ├── argocd-values.yaml
-│       ├── prometheus-values.yaml
-│       ├── grafana-values.yaml
-│       ├── loki-values.yaml
-│       ├── tempo-values.yaml
-│       └── fluent-bit-values.yaml
+│       ├── base/                     # Cloud-agnostic shared values
+│       ├── upc-{dev,prod}/           # UpCloud: storage class, LB, pricing
+│       ├── aws-{dev,prod}/           # AWS: gp3, NLB, CUR pricing
+│       ├── aks-{dev,prod}/         # Azure: managed-csi-premium, Standard LB
+│       └── gcp-{dev,prod}/           # GCP: premium-rwo, L4 LB
 │
-├── apps/                             # Business Application ArgoCD manifests
-│   ├── mcp10x.yaml                   # MCP 10X application
-│   ├── musicman.yaml                 # Music Man application
-│   ├── dot-ai-stack.yaml             # Dot AI Stack
-│   └── argo-mcp.yaml                 # ArgoCD MCP server
+├── apps/                             # Business Application ArgoCD manifests (Kustomize)
+│   ├── base/                         # One subdirectory per app
+│   │   ├── kustomization.yaml
+│   │   ├── musicman/
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/
+│       ├── upc-dev/                  # All apps (resources: ../../base)
+│       ├── upc-prod/                # All apps + patches
+│       └── aks-dev/                 # Selective apps only
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
-│   ├── cert-manager-namespace.yaml
-│   ├── secrets-namespace.yaml
-│   ├── letsencrypt-issuer.yaml       # Let's Encrypt ClusterIssuer
-│   ├── kyverno-config.yaml
-│   ├── argocd-notifications-secret-sealed.yaml
-│   ├── forte10x-repo-credentials-sealed.yaml
-│   ├── mcp10x-repo-credentials-sealed.yaml
+│   ├── ...
 │   └── policies/                     # Kyverno policies
-│       ├── deployment-verifier.yaml
-│       ├── label-checker.yaml
-│       ├── bare-pod-cleaner.yaml
-│       ├── replicaset-cleaner.yaml
-│       ├── default-ns-blocker.yaml
-│       ├── secret-cloner.yaml
-│       └── auth-sidecar-injector.yaml
 │
-├── secrets/                          # Application secrets (sealed)
-│   ├── argocd-mcp-credentials.yaml
-│   ├── dot-ai-secrets.yaml
-│   ├── mcp10x-credentials-sealed.yaml
-│   └── musicman-credentials.yaml
+├── secrets/                          # Application secrets (sealed, per-cluster)
+│   └── upc-dev/                      # Secrets for upc-dev cluster
 │
 ├── private/                          # Local-only files (NOT in Git)
-│   ├── *.yaml                        # Unsealed secrets
-│   └── *.sh                          # Helper scripts
 │
 └── docs/                             # Documentation
-    ├── GITOPS-ARCHITECTURE.md        # This file
-    ├── DEVELOPER-GUIDE.md
-    ├── OPERATIONS-RUNBOOK.md
-    └── REFERENCE.md
 ```

 **Key Points**:
- `_app-of-apps.yaml` is the root Application that ArgoCD monitors
- `infra/enterprise-apps.yaml` auto-discovers all apps in `apps/` folder
+- `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
+- Each component in `base/` has its own subdirectory with a `kustomization.yaml`
+- Overlays can include **all** components (`resources: [../../base]`) or **cherry-pick** specific ones (`resources: [../../base/grafana, ../../base/prometheus]`)
+- Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
+- Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
+- `apps/` follows the same base/overlays pattern for business applications
 - Changes pushed to this repo trigger automatic syncs in ArgoCD
 - `private/` folder contains local-only files (Git-ignored)

 ---

 ### 2. **Helm Charts Repository**
-**Repository**: `https://github.com/fortedigital/forte-helm`
+**Repository**: `https://git.forteapps.net/Forte/forte-helm`
 **Purpose**: Reusable Helm chart templates for Forte applications
 **Location**: `C:\dev\k8s\forte-helm`

@@ -224,7 +221,7 @@ forte-helm/
 ---

 ### 3. **Helm Values Repository**
-**Repository**: `git@github.com:fortedigital/helm-values.git`
+**Repository**: `git@github.com:fortedigital/helm-prod-values.git`
 **Purpose**: Environment-specific configuration for each application
 **Location**: `C:\dev\k8s\helm-prod-values`

@@ -234,8 +231,6 @@ helm-prod-values/
 │   └── values.yaml                   # MCP 10X configuration
 ├── musicman/
 │   └── values.yaml                   # Music Man configuration
-├── mcpcoder/
-│   └── values.yaml                   # MCP Coder configuration
 └── argocd-mcp/
    └── values.yaml                   # ArgoCD MCP configuration
 ```
@@ -285,7 +280,7 @@ app-repository/
 2. Build Docker image
 3. Tag with version (e.g., `v2.0.4`)
 4. Push to container registry (GHCR, Docker Hub, etc.)
-5. Update image tag in `helm-values` repository
+5. Update image tag in `helm-prod-values` repository
 6. ArgoCD detects change and syncs automatically

 ---
@@ -295,7 +290,7 @@ app-repository/
 ### The App-of-Apps Pattern

 ```
-_app-of-apps.yaml (Root)
+_app-of-apps-{cluster}.yaml (Root, per cluster — e.g. upc-dev, eks-prod, gke-dev)
    │
    ├── infrastructure-apps (manages infra/)
    │   ├── cluster-resources-application
@@ -315,10 +310,10 @@ _app-of-apps.yaml (Root)
 ```

 **How It Works**:
-1. Bootstrap script installs ArgoCD and applies `_app-of-apps.yaml`
-2. ArgoCD creates the root Application which monitors `infra/` folder
-3. Each YAML in `infra/` becomes a child Application
-4. `enterprise-apps.yaml` monitors `apps/` folder and auto-discovers applications
+1. Bootstrap script installs ArgoCD and applies `_app-of-apps-upc-dev.yaml` (or `upc-prod`)
+2. ArgoCD creates the root Application which monitors the appropriate `infra/overlays/` folder
+3. Kustomize renders base Applications with cluster-specific patches
+4. `enterprise-apps` Application monitors the cluster's `apps/overlays/` folder
 5. ArgoCD continuously syncs (every 60s) and auto-heals drift

 ### Sync Waves & Ordering
@@ -346,13 +341,13 @@ Applications like `mcp10x` and `musicman` use multiple sources:
 ```yaml
 spec:
  sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp                     # Helm chart templates
    helm:
      valueFiles:
      - $values/mcp10x/values.yaml     # Reference to second source

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values                        # Named reference
 ```
@@ -363,6 +358,57 @@ spec:
 - Easy to update all apps by changing the chart
 - Environment-specific values isolated in separate repo

+### Multi-Cluster Pattern
+
+Kustomize overlays enable deploying the same Applications across clusters with different configurations.
+
+Each component in `infra/base/` and `apps/base/` lives in its own subdirectory. Overlays define **which components to include** and optionally **patch** them:
+
+```yaml
+# Option 1: Include ALL components (full cluster)
+# infra/overlays/upc-dev/kustomization.yaml
+resources:
+- ../../base                    # Pulls in every component subdirectory
+
+# Option 2: Cherry-pick specific components (lightweight cluster)
+# infra/overlays/aks-dev/kustomization.yaml
+resources:
+- ../../base/traefik-application
+- ../../base/grafana
+- ../../base/prometheus
+- ../../base/loki
+# Only listed components are deployed — others are excluded
+```
+
+Per-cluster patches swap Helm value file paths:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
+patches:
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/traefik-values.yaml
+```
+
+Cloud-specific values (storage classes, load balancer annotations, cost model) are isolated in per-cluster value files. Base values are fully cloud-agnostic:
+
+| Cloud | Storage Class | Load Balancer | OpenCost Provider |
+|-------|--------------|---------------|-------------------|
+| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud LB (ProxyProtocol v2) | Custom pricing |
+| **AWS EKS** | `gp3` (EBS CSI) | NLB (ProxyProtocol v2) | AWS CUR |
+| **Azure AKS** | `managed-csi-premium` | Standard LB (`externalTrafficPolicy: Local`) | Azure Billing API |
+| **GCP GKE** | `premium-rwo` (PD CSI) | L4 passthrough NLB | GCP Cloud Billing |
+
+**Benefits**:
+- Single source of truth for Application definitions
+- Cluster-specific values isolated per overlay
+- Easy to add new clusters by creating a new overlay
+- Base values shared across all clusters reduce duplication
+
 ---

 ## CI/CD Pipeline
@@ -392,8 +438,8 @@ jobs:

      - name: Update Helm values
        run: |
-          git clone git@github.com:fortedigital/helm-values.git
-          cd helm-values/app
+          git clone git@github.com:fortedigital/helm-prod-values.git
+          cd helm-prod-values/app
          sed -i "s/tag: .*/tag: $VERSION/" values.yaml
          git commit -am "Update app to $VERSION"
          git push
@@ -410,7 +456,7 @@ jobs:
   - Syncs application to cluster

 2. **Helm Values Change**:
-   - CI/CD updates `helm-values/myapp/values.yaml`
+   - CI/CD updates `helm-prod-values/myapp/values.yaml`
   - ArgoCD detects change
   - Pulls new Helm chart with updated values
   - Applies to cluster
@@ -617,7 +663,7 @@ Notifications include:
 ✅ **DO**:
 - Follow the `forteapp` chart pattern
 - Use semantic versioning for image tags
- Update helm-values via CI/CD
+- Update helm-prod-values via CI/CD
 - Test locally with Docker Compose
 - Document environment variables

@@ -638,6 +684,6 @@ Notifications include:

 ---

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Questions?**: Contact #platform-support on Slack
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -37,7 +37,7 @@ Bootstrap a new cluster from scratch:

 #### Prerequisites

-1. **Kubernetes cluster running** (UpCloud or any K8s cluster)
+1. **Kubernetes cluster running** (UpCloud, AWS EKS, Azure AKS, GCP GKE, or any K8s cluster)
 2. **kubectl configured** with admin access
 3. **Repositories cloned** locally

@@ -54,11 +54,13 @@ kubectl get nodes
 git clone https://git.forteapps.net/Forte/launchpad
 cd launchpad

-# 2. Set cluster name (optional)
-export CLUSTER_NAME="prod-cluster-01"
+# 2. Run bootstrap script with cluster target
+# Available clusters: upc-dev, upc-prod, eks-dev, eks-prod,
+#                     aks-dev, aks-prod, gke-dev, gke-prod
+./bootstrap.sh upc-dev

-# 3. Run bootstrap script
-./bootstrap.sh
+# Cluster config is loaded from clusters/<cluster>.yaml
+# (cloudProvider, trustedIPs, domain, etc.)
 ```

 **What Happens:**
@@ -85,7 +87,8 @@ kubectl get applications -n argocd

 1. **Configure DNS** for ingress domains:
   - `argocd.127.0.0.1.nip.io` (local dev)
-   - `*.forteapps.net` (production)
+   - `*.forteapps.net` (dev)
+   - `*.fortedigital.com` (production)

 2. **Verify Let's Encrypt certificates**:
   ```bash
@@ -107,7 +110,7 @@ kubectl get applications -n argocd

 ### ArgoCD Repository Access Setup

-ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.
+ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for Gitea repositories.

 #### Why Deploy Keys?

@@ -119,7 +122,7 @@ ArgoCD needs SSH access to private Git repositories to pull manifests and Helm v
 #### Prerequisites

 - kubectl access to the cluster
- Write access to the GitHub repository
+- Write access to the Gitea repository
 - ArgoCD installed and running

 #### Setup Procedure
@@ -138,16 +141,16 @@ ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key

 This creates two files:
 - `argocd-deploy-key` - Private key (keep secret)
- `argocd-deploy-key.pub` - Public key (add to GitHub)
+- `argocd-deploy-key.pub` - Public key (add to Gitea)

-**Step 2: Add Public Key to GitHub**
+**Step 2: Add Public Key to Gitea**

 1. Copy the public key:
   ```bash
   cat argocd-deploy-key.pub
   ```

-2. Go to GitHub repository settings:
+2. Go to Gitea repository settings:
   - Navigate to: `https://git.forteapps.net/Forte/launchpad/settings/keys`
   - Or: Repository → Settings → Deploy keys

@@ -157,12 +160,12 @@ This creates two files:
   - ☐ Allow write access (leave unchecked - read-only is sufficient)
   - Click **"Add key"**

-4. Repeat for the `helm-values` repository if it's private:
+4. Repeat for the `helm-prod-values` repository if it's private:
   ```bash
-   # Generate separate key for helm-values repo
-   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
+   # Generate separate key for helm-prod-values repo
+   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-prod-values" -f argocd-helm-prod-values-key -N ""

-   # Add to: https://github.com/fortedigital/helm-values/settings/keys
+   # Add to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
   ```

 **Step 3: Create Kubernetes Secret**
@@ -207,7 +210,7 @@ kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 # Settings → Repositories → Should show "Successful" status

 # Test by creating an application
-kubectl apply -f _app-of-apps.yaml
+kubectl apply -f _app-of-apps-upc-dev.yaml   # or _app-of-apps-upc-prod.yaml

 # Check application sync status
 kubectl get applications -n argocd
@@ -270,7 +273,7 @@ rm /tmp/test-repo-access.yaml
   # Generate new key
   ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""

-   # Add new public key to GitHub (keep old key for now)
+   # Add new public key to Gitea (keep old key for now)

   # Update Kubernetes secret
   kubectl create secret generic repo-launchpad \
@@ -278,7 +281,7 @@ rm /tmp/test-repo-access.yaml
     --namespace=argocd \
     --dry-run=client -o yaml | kubectl apply -f -

-   # Test access, then remove old deploy key from GitHub
+   # Test access, then remove old deploy key from Gitea

   # Clean up
   shred -u argocd-new-key
@@ -289,7 +292,7 @@ rm /tmp/test-repo-access.yaml
   # List all repository secrets
   kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository

-   # Review deploy keys in GitHub
+   # Review deploy keys in Gitea
   # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
   ```

@@ -312,16 +315,16 @@ kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/se
 # Check ArgoCD application controller logs
 kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"

-# Verify deploy key is added to GitHub
+# Verify deploy key is added to Gitea
 # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
 ```

 **Issue: "Host key verification failed"**

 ```bash
-# Add GitHub to known_hosts
+# Add Gitea to known_hosts
 kubectl exec -n argocd deployment/argocd-repo-server -- \
-  ssh-keyscan github.com >> ~/.ssh/known_hosts
+  ssh-keyscan git.forteapps.net >> ~/.ssh/known_hosts

 # Or disable strict host key checking (less secure)
 kubectl patch secret repo-launchpad -n argocd \
@@ -346,16 +349,16 @@ kubectl rollout restart deployment argocd-application-controller -n argocd

 #### Multiple Repository Setup

-For the three-repository pattern (launchpad, forte-helm, helm-values):
+For the three-repository pattern (launchpad, forte-helm, helm-prod-values):

 ```bash
 # 1. launchpad (main config repo)
 ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
 # Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys

-# 2. helm-values (private values repo)
-ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
-# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
+# 2. helm-prod-values (private values repo)
+ssh-keygen -t ed25519 -C "argocd-helm-prod-values" -f key-helm-prod-values -N ""
+# Add key-helm-prod-values.pub to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys

 # 3. forte-helm (private helm charts repo)

@@ -366,14 +369,14 @@ kubectl create secret generic repo-launchpad \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -

-kubectl create secret generic repo-helm-values \
-  --from-file=sshPrivateKey=key-helm-values \
+kubectl create secret generic repo-helm-prod-values \
+  --from-file=sshPrivateKey=key-helm-prod-values \
  --namespace=argocd --dry-run=client -o yaml | \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -

 # Clean up keys
-shred -u key-sturdy key-helm-values
+shred -u key-sturdy key-helm-prod-values
 ```

 #### Converting HTTPS to SSH
@@ -390,7 +393,7 @@ If you're currently using HTTPS and want to switch to SSH:
 #   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git

 # 3. Update and commit
-find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
+find . -name "*.yaml" -type f -exec sed -i 's|https://git.forteapps.net/Forte/|git@git.forteapps.net:Forte/|g' {} +

 git add .
 git commit -m "Switch from HTTPS to SSH for repository access"
@@ -494,7 +497,7 @@ spec:
 See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for detailed steps.

 **Quick checklist:**
- [ ] Create `helm-values/myapp/values.yaml`
+- [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
 - [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
@@ -559,7 +562,7 @@ kubectl scale deployment myapp -n myapp --replicas=3

 #### GitOps Scaling

-Update `helm-values/myapp/values.yaml`:
+Update `helm-prod-values/myapp/values.yaml`:

 ```yaml
 app:
@@ -573,7 +576,7 @@ Commit and push - ArgoCD will sync.
 Enable Horizontal Pod Autoscaler:

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
  hpa:
    enabled: true
@@ -622,7 +625,7 @@ kubectl rollout undo deployment myapp -n myapp
 #### Option 3: Change Image Tag

 ```bash
-# Edit helm-values
+# Edit helm-prod-values
 cd ~/dev/k8s/helm-prod-values
 vim myapp/values.yaml

@@ -642,7 +645,7 @@ git push
 #### Update Resource Limits

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
  resources:
    requests:
@@ -656,7 +659,7 @@ app:
 #### Enable Database

 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 db:
  enabled: true
  persistence:
@@ -1261,13 +1264,21 @@ spec:

 ### Backup Strategy

-**Current State**: No automated backups
+**Current State**: Gitea daily backups to S3-compatible storage

-**What Needs Backup**:
- ❌ Cluster state (not backed up - recreate via GitOps)
- ❌ Persistent volumes (currently not critical)
- ✅ Git repositories (GitHub provides backup)
- ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
+**What Is Backed Up**:
+- ✅ Gitea repositories + database: Daily CronJob (`cluster-resources/gitea-backup-cronjob.yaml`) uploads to S3-compatible storage with 7-day retention
+- ✅ Git repositories: Full cluster config recoverable from Git
+- ⚠️ Secrets: Sealed secrets in Git; unseal keys need safekeeping
+
+**What Is NOT Backed Up**:
+- ❌ Cluster state (recreate via GitOps)
+- ❌ Other persistent volumes (Prometheus, Loki, Tempo data)
+
+**Per-cloud backup scripts** (manual restore helpers):
+- UpCloud/AWS: `scripts/gitea-backup.sh` / `scripts/gitea-backup-eks.sh` (MinIO CLI, S3-compatible)
+- Azure: `scripts/gitea-backup-aks.sh` (Azure CLI + Blob Storage)
+- GCP: `scripts/gitea-backup-gke.sh` (gsutil + GCS)

 ### Cluster Rebuild

@@ -1352,13 +1363,13 @@ kubectl get deployment argocd-server -n argocd \
  -o jsonpath='{.spec.template.spec.containers[0].image}'

 # Update version in values
-vim infra/values/argocd-values.yaml
+vim infra/values/base/argocd-values.yaml

 # Or upgrade via Helm directly
 helm upgrade argocd argo-cd \
  --repo https://argoproj.github.io/argo-helm \
  --namespace argocd \
-  --values infra/values/argocd-values.yaml \
+  --values infra/values/base/argocd-values.yaml \
  --version 6.0.0  # New version

 # Verify
@@ -1369,6 +1380,9 @@ kubectl get pods -n argocd

 ```bash
 # UpCloud: Upgrade via control panel or CLI
+# AWS EKS: eksctl upgrade cluster / AWS Console
+# Azure AKS: az aks upgrade / Azure Portal
+# GCP GKE: gcloud container clusters upgrade / Cloud Console

 # After upgrade, verify cluster
 kubectl version
@@ -1454,8 +1468,8 @@ kubectl top pods --all-namespaces --sort-by=cpu
 Example: Adding Redis

 ```bash
-# 1. Create application manifest
-cat > infra/redis-application.yaml <<EOF
+# 1. Create application manifest in base/
+cat > infra/base/redis-application.yaml <<EOF
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -1465,15 +1479,17 @@ metadata:
    argocd.argoproj.io/sync-wave: "1"
 spec:
  project: default
-  source:
-    repoURL: https://charts.bitnami.com/bitnami
+  sources:
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: redis
    targetRevision: 18.0.0
    helm:
-      values: |
-        auth:
-          enabled: true
-          password: changeme
+      releaseName: redis
+      valueFiles:
+      - \$values/infra/values/base/redis-values.yaml
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: redis
@@ -1485,30 +1501,54 @@ spec:
    - CreateNamespace=true
 EOF

-# 2. Commit and push
-git add infra/redis-application.yaml
+# 2. Add to base kustomization
+# Edit infra/base/kustomization.yaml and add: - redis-application.yaml
+
+# 3. Create base values file
+cat > infra/values/base/redis-values.yaml <<EOF
+auth:
+  enabled: true
+EOF
+
+# 4. Commit and push
+git add infra/base/redis-application.yaml infra/values/base/redis-values.yaml infra/base/kustomization.yaml
 git commit -m "Add Redis infrastructure component"
 git push

-# 3. ArgoCD will auto-sync within 60 seconds
+# 5. ArgoCD will auto-sync within 60 seconds
 ```

-### Multi-Cluster Setup (Future)
+### Multi-Cluster Setup

-For multi-cluster deployments:
+The repository supports multiple clusters across multiple clouds via Kustomize overlays:

-```yaml
-# Different destinations per environment
-# dev-cluster
-destination:
-  server: https://dev.k8s.example.com
-  namespace: myapp
+**Active clusters:**
+- **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
+- **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`

-# prod-cluster
-destination:
-  server: https://prod.k8s.example.com
-  namespace: myapp
-```
+**Cloud-ready templates (fill in `clusters/*.yaml` before use):**
+- **eks-dev** / **eks-prod**: AWS EKS with NLB, gp3 storage, AWS CUR pricing
+- **aks-dev** / **aks-prod**: Azure AKS with Standard LB, managed-csi-premium storage
+- **gke-dev** / **gke-prod**: GCP GKE with L4 LB, premium-rwo storage
+
+Each cluster has its own:
+- Root app-of-apps: `_app-of-apps-{cluster}.yaml`
+- Cluster config: `clusters/{cluster}.yaml` (domain, trustedIPs, cloudProvider)
+- Kustomize overlay: `infra/overlays/{cluster}/kustomization.yaml`
+- Helm value overrides: `infra/values/{cluster}/` (traefik, gitea, opencost)
+- Sealed secrets: `secrets/{cluster}/` (as needed)
+- Apps overlay: `apps/overlays/{cluster}/`
+
+Cloud-specific values handled per-cluster:
+
+| Concern | UpCloud | AWS EKS | Azure AKS | GCP GKE |
+|---------|---------|---------|-----------|---------|
+| **Storage class** | `upcloud-block-storage-maxiops` | `gp3` | `managed-csi-premium` | `premium-rwo` |
+| **Load balancer** | UpCloud LB + ProxyProtocol v2 | NLB + ProxyProtocol v2 | Standard LB + `externalTrafficPolicy: Local` | L4 passthrough NLB |
+| **Cost monitoring** | Custom pricing | AWS CUR | Azure Billing API | GCP Cloud Billing |
+| **Backup storage** | UpCloud S3-compat | AWS S3 (native) | Azure Blob Storage | GCS |
+
+To add a new cluster, create a new overlay directory (e.g., `infra/overlays/eks-staging/`) with patches that swap the value file paths, and a matching `clusters/eks-staging.yaml`.

 ### Blue-Green Deployments

@@ -1552,7 +1592,7 @@ git push
 kubectl scale deployment myapp -n myapp --replicas=0

 # Update Git
-vim helm-values/myapp/values.yaml
+vim helm-prod-values/myapp/values.yaml
 # Set replicaCount: 0
 git commit -am "Scale down myapp for maintenance"
 git push
@@ -1625,7 +1665,7 @@ echo "Remember to delete: $SECRET_FILE"

 - [ ] Application code repository created
 - [ ] Dockerfile created and tested
- [ ] GitHub Actions workflow configured
+- [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
 - [ ] Secrets created and sealed
@@ -1651,6 +1691,6 @@ echo "Remember to delete: $SECRET_FILE"

 ---

-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Emergency Contact**: #platform-support on Slack
--- a/docs/README.md
+++ b/docs/README.md
@@ -180,7 +180,7 @@ Reference for:
                            │
                            ▼
 ┌──────────────────────────────────────────────────────────────┐
-│               Kubernetes Cluster (UpCloud)                    │
+│          Kubernetes Clusters (UpCloud, AWS, Azure, GCP)       │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies

 - **GitOps**: ArgoCD
- **Kubernetes**: UpCloud Managed Kubernetes
+- **Kubernetes**: Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE)
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno
@@ -299,11 +299,16 @@ docs/
 ## 🔄 Documentation Versions

 **Current Version**: 1.0.0
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team

 ### Changelog

+- **v1.1.0 (2026-04-22)**: Multi-cloud support
+  - Cloud-agnostic base values (storage, LB, pricing moved to per-cluster overlays)
+  - Added AWS EKS, Azure AKS, GCP GKE configurations
+  - Per-cloud backup scripts
+  - Updated all documentation
 - **v1.0.0 (2026-03-16)**: Initial comprehensive documentation release
  - GitOps Architecture guide
  - Developer Onboarding guide
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -9,6 +9,7 @@
 - [Kyverno Policies](#kyverno-policies)
 - [Configuration Reference](#configuration-reference)
 - [API Endpoints](#api-endpoints)
+- [Cloud Overlay Pattern](#cloud-overlay-pattern)
 - [Glossary](#glossary)

 ---
@@ -19,9 +20,10 @@

 | Component | Value |
 |-----------|-------|
-| **Provider** | UpCloud Managed Kubernetes |
-| **Environment** | Production (internal use) |
-| **Cluster Count** | Single cluster |
+| **Provider** | Multi-cloud (UpCloud, AWS EKS, Azure AKS, GCP GKE) |
+| **Environment** | Dev + Production per cloud |
+| **Active clusters** | UpCloud (upc-dev, upc-prod) |
+| **Cloud-ready templates** | EKS, AKS, GKE (dev + prod each) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -42,7 +44,7 @@ Internet
 [DNS: *.forteapps.net]
   │
   ▼
-[UpCloud LoadBalancer]
+[Cloud Load Balancer]
   │
   ▼
 [Traefik Ingress Controller]
@@ -71,42 +73,62 @@ Internet
 ```
 launchpad/
 ├── bootstrap.sh                   # Cluster initialization script
-├── _app-of-apps.yaml              # Root ArgoCD Application
+├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
+├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
-├── infra/                         # Infrastructure applications
-│   ├── cluster-resources-application.yaml
-│   ├── enterprise-apps.yaml
-│   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
-│   ├── kyverno.yaml
-│   ├── kyverno-policies.yaml
-│   ├── prometheus.yaml
-│   ├── grafana.yaml
-│   ├── loki.yaml
-│   ├── tempo.yaml
-│   ├── fluent-bit.yaml
-│   ├── trivy.yaml
-│   ├── gitea.yaml
-│   ├── gitea-actions.yaml
-│   ├── sealedsecrets.yaml
-│   ├── secrets.yaml
-│   ├── renovate.yaml
+├── infra/                         # Infrastructure applications (Kustomize)
+│   ├── base/                      # One subdirectory per component
+│   │   ├── kustomization.yaml     # Aggregates all component subdirectories
+│   │   ├── traefik-application/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── traefik-application.yaml
+│   │   ├── keycloak/
+│   │   │   ├── kustomization.yaml
+│   │   │   └── keycloak.yaml
+│   │   ├── grafana/
+│   │   ├── prometheus/
+│   │   ├── loki/
+│   │   ├── tempo/
+│   │   ├── gitea/
+│   │   ├── opencost/
+│   │   ├── ...                    # Each component in own directory
+│   │   └── secrets/
+│   ├── overlays/                  # Per-cluster: include all or cherry-pick
+│   │   ├── upc-dev/              # resources: [../../base] (all components)
+│   │   ├── upc-prod/            # resources: [../../base] + patches
+│   │   ├── aks-dev/             # resources: [../../base/grafana, ...] (selective)
+│   │   └── .../                  # 8 clusters total
 │   └── values/
-│       ├── argocd-values.yaml
-│       ├── prometheus-values.yaml
+│       ├── base/                   # Cloud-agnostic Helm values
+│       │   ├── gitea-values.yaml
+│       │   ├── opencost-values.yaml
+│       │   ├── prometheus-values.yaml
+│       │   └── ...
+│       ├── upc-dev/               # UpCloud dev overlay values
+│       │   ├── traefik-values.yaml
+│       │   ├── keycloak-values.yaml
+│       │   ├── grafana-values.yaml
+│       │   ├── gitea-values.yaml
+│       │   └── opencost-values.yaml
+│       └── upc-prod/              # UpCloud prod overlay values
+│           ├── traefik-values.yaml
+│           ├── keycloak-values.yaml
 │           ├── grafana-values.yaml
-│       ├── loki-values.yaml
-│       ├── tempo-values.yaml
 │           ├── gitea-values.yaml
-│       ├── gitea-actions-values.yaml
-│       ├── fluent-bit-values.yaml
-│       └── renovate-values.yaml
+│           └── opencost-values.yaml
 │
-├── apps/                          # Business applications
-│   ├── mcp10x.yaml
-│   ├── musicman.yaml
-│   ├── dot-ai-stack.yaml
-│   └── argo-mcp.yaml
+├── apps/                          # Business applications (Kustomize)
+│   ├── base/                     # One subdirectory per app
+│   │   ├── kustomization.yaml
+│   │   ├── musicman/
+│   │   ├── mcp10x/
+│   │   ├── dot-ai-stack/
+│   │   ├── ts-mcp/
+│   │   └── argo-mcp/
+│   └── overlays/                 # Per-cluster: include all or cherry-pick
+│       ├── upc-dev/
+│       ├── upc-prod/
+│       └── aks-dev/              # Selective apps only
 │
 ├── cluster-resources/             # Cluster-level resources
 │   ├── cert-manager-namespace.yaml
@@ -123,15 +145,43 @@ launchpad/
 │       ├── replicaset-cleaner.yaml
 │       ├── default-ns-blocker.yaml
 │       ├── secret-cloner.yaml
+│       ├── keycloak-client-cloner.yaml
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
-│   ├── argocd-mcp-credentials.yaml
-│   ├── dot-ai-secrets.yaml
-│   ├── gitea-credentials-sealed.yaml
-│   ├── gitea-runner-token-sealed.yaml
-│   ├── mcp10x-credentials-sealed.yaml
-│   └── musicman-credentials.yaml
+│   ├── base/                     # All SealedSecrets (shared across clouds)
+│   │   ├── kustomization.yaml
+│   │   ├── argocd-forte-helm-secret-sealed.yaml
+│   │   ├── argocd-mcp-credentials.yaml
+│   │   ├── argocdmcp-auth-oidc-sealed.yaml
+│   │   ├── dot-ai-secrets.yaml
+│   │   ├── forte10x-app-credentials-sealed.yaml
+│   │   ├── gitea-backup-s3-sealed.yaml
+│   │   ├── gitea-credentials-sealed.yaml
+│   │   ├── gitea-runner-token-sealed.yaml
+│   │   ├── gitea-smtp-secret-sealed.yaml
+│   │   ├── keycloak-credentials-sealed.yaml
+│   │   ├── musicman-auth-oidc-sealed.yaml
+│   │   ├── musicman-credentials.yaml
+│   │   └── renovate-env-sealed.yaml
+│   └── overlays/                 # Per-cloud overlays (reference base)
+│       ├── aks-dev/kustomization.yaml
+│       ├── aks-prod/kustomization.yaml
+│       ├── eks-dev/kustomization.yaml
+│       ├── eks-prod/kustomization.yaml
+│       ├── gke-dev/kustomization.yaml
+│       ├── gke-prod/kustomization.yaml
+│       ├── upc-dev/kustomization.yaml
+│       └── upc-prod/kustomization.yaml
+│
+├── scripts/                       # Operational helper scripts
+│   ├── gitea-backup.sh            # S3 backup helper (list/download)
+│   ├── gitea-restore.sh
+│   └── backup/                    # Per-cloud backup reference scripts
+│       ├── s3-minio.sh            # S3-compatible (UpCloud, MinIO, Wasabi)
+│       ├── aws-s3.sh              # Native AWS S3
+│       ├── azure-blob.sh          # Azure Blob Storage
+│       └── gcp-gcs.sh             # GCP Cloud Storage
 │
 ├── private/                       # Local-only (Git-ignored)
 │   ├── *.yaml
@@ -155,15 +205,15 @@ ArgoCd() {
  helm upgrade --install argocd argo-cd \
    --repo https://argoproj.github.io/argo-helm \
    --namespace argocd --create-namespace \
-    --values infra/values/argocd-values.yaml \
+    --values infra/values/base/argocd-values.yaml \
    --set notifications.context.clusterName="$CLUSTER_NAME" \
    --timeout 60s --atomic

-  kubectl apply -f _app-of-apps.yaml -n argocd
+  kubectl apply -f _app-of-apps-upc-dev.yaml -n argocd   # or _app-of-apps-upc-prod.yaml
 }
 ```

-**`_app-of-apps.yaml`**
+**`_app-of-apps-upc-dev.yaml`** / **`_app-of-apps-upc-prod.yaml`**
 ```yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -188,7 +238,7 @@ spec:

 ### Helm Charts Repository: `forte-helm`

-**URL**: `https://github.com/fortedigital/forte-helm`
+**URL**: `https://git.forteapps.net/Forte/forte-helm`

 #### Chart: `forteapp`

@@ -335,20 +385,18 @@ configmap: []                    # Application ConfigMap key-value pairs

 ---

-### Helm Values Repository: `helm-values`
+### Helm Values Repository: `helm-prod-values`

-**URL**: `https://github.com/fortedigital/helm-values.git`
+**URL**: `https://git.forteapps.net/Forte/helm-prod-values.git`

 #### Structure

 ```
-helm-values/
+helm-prod-values/
 ├── mcp10x/
 │   └── values.yaml
 ├── musicman/
 │   └── values.yaml
-├── mcpcoder/
-│   └── values.yaml
 └── argocd-mcp/
    └── values.yaml
 ```
@@ -524,14 +572,14 @@ spec:

  # Multi-source configuration
  sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/<app-name>/values.yaml

-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values

@@ -602,10 +650,134 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)

+### Global Settings (`argocd-cm`)
+
+| Setting | Value | Purpose |
+|---------|-------|---------|
+| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
+| `timeout.reconciliation` | `60s` | Reconciliation interval |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
+
+**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
+```yaml
+configs:
+  params:
+    "reposerver.enable.git.submodule": "false"
+```
+This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+
+**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
+```bash
+# Enable admin login
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+# Log in as admin, do what's needed, then disable again
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
+```
+ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
+
+**OIDC Authentication** (Keycloak):
+```yaml
+configs:
+  cm:
+    oidc.config: |
+      name: Forte SSO
+      issuer: https://id.forteapps.net/realms/forte
+      clientID: argocd
+      clientSecret: $oidc.clientSecret
+      requestedScopes: ["openid", "email", "profile"]
+  rbacConfig:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+      g, ArgoCD Viewers, role:readonly
+    # Deny users not in any declared KC group
+    policy.default: ""
+    scopes: '[groups]'
+```
+
+**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
+
+- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
+- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
+- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
+- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
+- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
+- Safe for fresh deploys: no-ops if source secret doesn't exist yet
+
+**Ingress** (Traefik + TLS):
+```yaml
+server:
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls: true
+  extraArgs:
+  - --insecure
+configs:
+  params:
+    "server.insecure": true
+```
+TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
+
 ---

 ## Infrastructure Components

+### Homepage (Platform Dashboard)
+
+**Chart**: `jameswynn/homepage`
+**Namespace**: `homepage`
+**URL**: `https://start.forteapps.net`
+
+Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
+
+**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
+
+**Annotated services**:
+| Service | Namespace | Group | Widget |
+|---------|-----------|-------|--------|
+| `gitea-http` | `gitea` | DevOps | `gitea` |
+| `argocd-server` | `argocd` | DevOps | `argocd` |
+| `keycloak` | `keycloak` | Identity | none |
+| `grafana` | `monitoring` | Monitoring | `grafana` |
+| `karpor-server` | `karpor` | DevOps | none |
+
+**Adding a new app**: Annotate the app's Service in its Helm values:
+```yaml
+service:
+  annotations:
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "My App"
+    gethomepage.dev/description: "What it does"
+    gethomepage.dev/group: "GroupName"
+    gethomepage.dev/icon: "icon-name"     # https://github.com/walkxcode/dashboard-icons
+    gethomepage.dev/href: "https://myapp.forteapps.net"
+    # Optional live widget:
+    gethomepage.dev/widget.type: "myapp"
+    gethomepage.dev/widget.url: "https://myapp.forteapps.net"
+    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
+```
+
+**Widget API credentials**: Inject via env vars into the Homepage pod:
+```yaml
+# In homepage-values.yaml per environment
+env:
+- name: HOMEPAGE_VAR_GRAFANA_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: homepage-widget-credentials
+      key: grafana-token
+```
+Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
+
+**Values files**:
+- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
+- `infra/values/{env}/homepage-values.yaml` — hostname per environment
+
+---
+
 ### Traefik

 **Chart**: `traefik/traefik`
@@ -614,7 +786,7 @@ retry:

 **Configuration**:
 ```yaml
-# infra/traefik-application.yaml
+# infra/base/traefik-application.yaml
 replicas: 2

 service:
@@ -677,6 +849,10 @@ spec:
 **Chart**: `sealed-secrets/sealed-secrets-controller`
 **Namespace**: `kube-system`

+**Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays/<cloud>/` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`.
+
+To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`.
+
 **Public Certificate**:
 ```bash
 kubeseal --fetch-cert \
@@ -717,6 +893,15 @@ kubeStateMetrics:
 - Loki
 - Tempo

+**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
+
+**OIDC Authentication** (Keycloak):
+- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
+- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
+- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
+- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
+- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
+
 ### Loki

 **Chart**: `grafana/loki-stack`
@@ -789,7 +974,7 @@ persistence:

 **Configuration**:
 ```yaml
-# infra/gitea.yaml + infra/values/gitea-values.yaml
+# infra/base/gitea.yaml + infra/values/base/gitea-values.yaml
 ingress:
  host: git.forteapps.net
  tls: cert-manager (letsencrypt-prod)
@@ -813,14 +998,23 @@ postgresql:
  persistence: 8Gi (upcloud-block-storage-maxiops)
 ```

-**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`)
+**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
+
+**External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs.
+
+**Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
+
+**Auto-Watch**: Disabled (`AUTO_WATCH_ON_CHANGES: false`, `AUTO_WATCH_NEW_REPOS: false`). Prevents contributors from being auto-subscribed to repo notifications on push, reducing email noise from CI bots (e.g., ai-review PR comments). Users who were already watching before this change need to manually unwatch or switch to "Only participating".

 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
 - Metrics: `/metrics` (Prometheus scrape)

-**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)
+**Secrets**:
+- `gitea-credentials` (SealedSecret) — admin password
+- `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+- `gitea-smtp-secret` (SealedSecret) — SMTP username + password

 ### Gitea Actions Runners

@@ -832,7 +1026,7 @@ postgresql:

 **Configuration**:
 ```yaml
-# infra/gitea-actions.yaml + infra/values/gitea-actions-values.yaml
+# infra/base/gitea-actions.yaml + infra/values/base/gitea-actions-values.yaml
 replicaCount: 3

 runner:
@@ -869,6 +1063,224 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes

+### AI Code Review (ai-review)
+
+**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
+**Trigger**: `pull_request` events (`opened`, `synchronize`)
+**Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`)
+
+**Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact.
+
+**Architecture**:
+- Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image
+- Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`)
+- Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient)
+- Agent mode: disabled (one-shot review, no multi-turn reasoning)
+- LLM: Claude Sonnet (`claude-sonnet-4-20250514`)
+
+**Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`):
+```
+shared-prompts/
+  base/
+    security.md          # org-wide security rules (all profiles)
+  iac/
+    .ai-review.yaml      # IaC/GitOps profile config
+    inline.md            # inline review prompt
+    summary.md           # PR summary prompt
+  # future profiles: backend/, frontend/, etc.
+```
+
+**Configuration** (`shared-prompts/iac/.ai-review.yaml`):
+```yaml
+llm:
+  provider: CLAUDE
+  model: claude-sonnet-4-20250514
+vcs:
+  provider: GITEA
+review:
+  mode: ONLY_ADDED_WITH_CONTEXT
+agent:
+  enabled: false
+prompt:
+  inline_prompt_files:            # concatenated in order
+    - ./shared-prompts/base/security.md
+    - ./shared-prompts/iac/inline.md
+  summary_prompt_files:
+    - ./shared-prompts/iac/summary.md
+ignore:
+  - "*.sealed.yaml"
+  - "*.lock"
+  - "docs/**"
+```
+
+**Custom Prompts** (IaC profile):
+- `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt
+- `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments
+- `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags
+
+**Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines.
+
+**Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml`
+
+**Required Secrets** (configure in Gitea repo or org settings):
+
+| Secret | Purpose |
+|--------|---------|
+| `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
+| `AI_REVIEW_TOKEN` | Gitea API token with `write:repository` + `read:repository` scopes (use a bot/service account) |
+
+**Setup Steps**:
+1. Create a Gitea bot/service account and generate an API token with `write:repository` + `read:repository` scopes
+2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
+3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
+4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
+5. Push the workflow file — it triggers automatically on PR creation/update
+
+**Verification**:
+- Open a PR with infrastructure changes → workflow runs → inline comments + summary appear
+- Check Gitea Actions tab for workflow run status and logs
+- Monitor Anthropic usage dashboard for token consumption
+
+### Keycloak Client Registrar
+
+**Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
+**Namespace**: `keycloak`
+**Schedule**: `*/2 * * * *` (every 2 minutes)
+
+**Purpose**: Handles two responsibilities:
+1. **Legacy sync** — extracts secrets from Keycloak clients with `k8s.secret.sync: "true"` attribute (same as former PostSync syncer)
+2. **Self-service registration** — processes config Secrets (cloned by Kyverno) to register new OIDC clients and sync their credentials
+
+**How It Works**:
+
+*Legacy path (existing clients like Gitea):*
+1. Authenticates to Keycloak Admin API using admin credentials from `keycloak-credentials` secret
+2. Queries all clients in the `forte` realm
+3. Filters clients with `k8s.secret.sync: "true"` attribute
+4. For each matching client, retrieves the auto-generated secret via Keycloak Admin API
+5. Creates/updates a K8s Secret in the target namespace (from `k8s.secret.namespace` attribute)
+6. Always writes a central copy to the `secrets` namespace
+
+*Self-service path (new clients):*
+1. Lists Secrets in `keycloak` namespace with label `keycloak.forteapps.net/client-config=true`
+2. For each config Secret, parses `client.json` and computes a config hash
+3. Skips if hash matches annotation and credential Secret already exists
+4. Creates or updates the Keycloak client via Admin API
+5. Fetches the generated client secret
+6. Upserts credential Secret in target namespace + central `secrets` namespace
+7. Annotates config Secret with sync status, config hash, and timestamp
+
+**Resources**:
+- `ServiceAccount`: `keycloak-client-registrar` (namespace: `keycloak`)
+- `ClusterRole`: `keycloak-client-registrar` (secrets: get/list/create/update/patch; namespaces: get/list)
+- `ClusterRoleBinding`: `keycloak-client-registrar`
+- `CronJob`: `keycloak-client-registrar`
+
+**Kyverno Policy**: `keycloak-client-config-cloner` — clones labeled Secrets from app namespaces to `keycloak` namespace (see [Kyverno Policies](#kyverno-policies))
+
+**Legacy Client Attributes** (set in `forte-realm.json`):
+
+| Attribute | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
+| `k8s.secret.namespace` | Yes | — | Target K8s namespace |
+| `k8s.secret.name` | Yes | — | Name of the K8s Secret |
+| `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
+| `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
+
+**Self-Service Config Secret Schema**:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-<app>
+  namespace: <app-namespace>
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "<app>",
+      "name": "<App Name>",
+      "redirectUris": ["https://<app>.forteapps.net/*"],
+      "webOrigins": ["https://<app>.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "<app-namespace>",
+        "name": "<app>-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+```
+
+**Created Credential Secret Format**:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <target-name>
+  namespace: <target-namespace>
+  labels:
+    app.kubernetes.io/managed-by: keycloak-client-registrar
+type: Opaque
+data:
+  <client-id-key>: <base64-encoded client ID>
+  <client-secret-key>: <base64-encoded client secret>
+```
+
+**Config Secret Annotations** (set by registrar):
+
+| Annotation | Description |
+|-----------|-------------|
+| `keycloak.forteapps.net/config-hash` | SHA-256 hash of client.json for change detection |
+| `keycloak.forteapps.net/sync-status` | `synced` or `error` |
+| `keycloak.forteapps.net/last-sync` | ISO 8601 timestamp of last successful sync |
+
+**Verification**:
+```bash
+# Check CronJob status
+kubectl get cronjobs -n keycloak
+
+# View latest registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Verify created secret
+kubectl get secret <name> -n <namespace> -o yaml
+
+# Check config Secret annotations (self-service)
+kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.annotations}'
+```
+
+**See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
+
+### Karpor
+
+**Chart**: `karpor` from `https://kusionstack.github.io/charts`
+**Version**: 0.7.6 (app v0.6.4)
+**Namespace**: `karpor`
+**Sync Wave**: 1
+
+**Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
+
+**Architecture** (4 components):
+- **Server** — main Karpor API/UI (port 7443)
+- **Syncer** — syncs cluster state into the search index
+- **ElasticSearch** — search backend for resource indexing
+- **etcd** — persistent key-value store (10Gi PVC)
+
+**Configuration** (`infra/values/base/karpor-values.yaml`):
+- `namespaceEnabled: false` — ArgoCD manages namespace creation
+- Default resource limits tuned for small clusters
+- ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
+- AI features available but not enabled (requires `server.ai.authToken` + backend config)
+
+**Access**: Port-forward to reach the UI:
+```bash
+kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
+# Open https://localhost:7443
+```
+
 ### Renovate

 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -880,9 +1292,9 @@ dind:

 **Configuration**:
 ```yaml
-# infra/renovate.yaml + infra/values/renovate-values.yaml
+# infra/base/renovate.yaml + infra/values/base/renovate-values.yaml
 cronjob:
-  schedule: "@hourly"
+  schedule: "@daily"
  concurrencyPolicy: Forbid

 renovate:
@@ -891,12 +1303,24 @@ renovate:
    endpoint: https://git.forteapps.net
    autodiscover: true
    gitAuthor: "Renovate Bot <renovate@forteapps.net>"
+    packageRules:
+      - matchRepositories: ["**/10x"]
+        assignees: ["edvard.unsvag"]
+        reviewers: ["edvard.unsvag"]
+      - matchRepositories: ["**/auth-sidecar"]
+        assignees: ["danijel.simeunovic"]
+        reviewers: ["danijel.simeunovic"]
+      - matchRepositories: ["**/forte-helm"]
+        assignees: ["danijel.simeunovic"]
+        reviewers: ["danijel.simeunovic"]

 resources:
-  requests: { cpu: 250m, memory: 512Mi }
-  limits: { cpu: "1", memory: 1Gi }
+  requests: { cpu: 500m, memory: 1Gi }
+  limits: { cpu: "2", memory: 4Gi }
 ```

+**Note**: Assignees and reviewers are only applied at PR creation time. Existing PRs must be closed and recreated for new assignment rules to take effect.
+
 **Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
 - `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
 - `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
@@ -947,6 +1371,19 @@ spec:

 **Label Requirement**: Secrets must have `allowedToBeCloned: "true"`

+### Keycloak Client Config Cloner
+
+**File**: `cluster-resources/policies/keycloak-client-cloner.yaml`
+
+**Purpose**: Clones Secrets labeled `keycloak.forteapps.net/client-config: "true"` from app namespaces to the `keycloak` namespace. This allows apps to declare their OIDC client configuration in their own namespace, which the [Keycloak Client Registrar](#keycloak-client-registrar) then processes.
+
+**Trigger**: Any Secret with label `keycloak.forteapps.net/client-config: "true"` created outside the `keycloak` namespace.
+
+**Behavior**:
+- Generates a copy of the Secret in the `keycloak` namespace with the same name
+- Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
+- `synchronize: true` — changes to the source Secret are reflected in the clone
+
 ### Default Namespace Blocker

 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1291,7 +1728,23 @@ Forward to Application (localhost:3000)
 Application processes request
 ```

-**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
+#### Forwarded Headers
+
+After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
+
+| Header | Description | Auth Modes |
+|--------|-------------|------------|
+| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
+| `X-Auth-Email` | User email address | OIDC |
+| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
+| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
+| `X-Auth-Token` | The validated access token | All modes |
+
+These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
+
+Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
+
+**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.

 ---

@@ -1325,14 +1778,22 @@ Recommended resource allocation:

 ### Storage Classes

-Default storage class used: **UpCloud default** (varies by provider)
+Storage classes are cloud-specific and configured in per-cluster value overrides (`infra/values/{cluster}/gitea-values.yaml`):
+
+| Cloud | Storage Class | Driver |
+|-------|--------------|--------|
+| **UpCloud** | `upcloud-block-storage-maxiops` | UpCloud CSI |
+| **AWS EKS** | `gp3` | EBS CSI |
+| **Azure AKS** | `managed-csi-premium` | Azure Disk CSI |
+| **GCP GKE** | `premium-rwo` | PD CSI |

 ```yaml
+# Example: base values omit storageClass (set in per-cluster overlay)
 persistence:
  enabled: true
-  storageClass: ""     # Uses default
  accessMode: ReadWriteOnce
  size: 5Gi
+  # storageClass set by infra/values/{cluster}/gitea-values.yaml
 ```

 ---
@@ -1396,6 +1857,88 @@ POST /loki/api/v1/push

 ---

+## Cloud Overlay Pattern
+
+### Overview
+
+Cloud-specific configuration (StorageClass, LoadBalancer annotations, pricing models, etc.) lives in per-cloud overlay value files, **not** in `base/`. Adding a new cloud provider only requires a new overlay directory — no base changes.
+
+### Supported Clouds
+
+| Cloud | Dev overlay | Prod overlay | StorageClass | LB type |
+|-------|-----------|-------------|-------------|---------|
+| **UpCloud** | `upc-dev` | `upc-prod` | `upcloud-block-storage-maxiops` | UpCloud LB (proxy protocol v2) |
+| **Azure AKS** | `aks-dev` | `aks-prod` | `managed-csi-premium` | Azure LB |
+| **AWS EKS** | `eks-dev` | `eks-prod` | `gp3` | AWS NLB (proxy protocol) |
+| **GCP GKE** | `gke-dev` | `gke-prod` | `premium-rwo` | GCP NEG |
+
+Bootstrap any cluster with: `./bootstrap.sh <cluster>` (e.g., `./bootstrap.sh aks-dev`)
+
+### How It Works
+
+Each ArgoCD Application uses **multi-source Helm values** with two value files:
+
+```yaml
+# infra/base/gitea.yaml (example)
+helm:
+  valueFiles:
+  - $values/infra/values/base/gitea-values.yaml      # [0] cloud-agnostic
+  - $values/infra/values/upc-dev/gitea-values.yaml    # [1] cloud-specific (default: upc-dev)
+```
+
+The `upc-prod` Kustomize overlay patches index `[1]` to swap the cloud-specific file:
+
+```yaml
+# infra/overlays/upc-prod/kustomization.yaml
+- target:
+    kind: Application
+    name: gitea
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/gitea-values.yaml
+```
+
+### Components Using Cloud Overlays
+
+| Component | Cloud-specific config | Overlay value file |
+|-----------|----------------------|-------------------|
+| **Traefik** | LB annotations, proxy protocol IPs | `traefik-values.yaml` |
+| **Keycloak** | Hostname, TLS settings | `keycloak-values.yaml` |
+| **Grafana** | Hostname, datasource URLs | `grafana-values.yaml` |
+| **Gitea** | StorageClass (persistence + PostgreSQL) | `gitea-values.yaml` |
+| **OpenCost** | Custom pricing model (CPU/RAM/storage rates) | `opencost-values.yaml` |
+
+### Backup CronJob
+
+The `gitea-backup` CronJob uses a generic `s3` alias for `minio/mc`. The actual endpoint and credentials come from the `gitea-backup-s3` Sealed Secret, which is per-cloud. Reference scripts for different cloud providers are in `scripts/backup/`:
+
+| Script | Provider | Tool |
+|--------|----------|------|
+| `s3-minio.sh` | S3-compatible (UpCloud, MinIO, Wasabi) | `minio/mc` |
+| `aws-s3.sh` | AWS S3 | `aws` CLI |
+| `azure-blob.sh` | Azure Blob Storage | `az` CLI |
+| `gcp-gcs.sh` | GCP Cloud Storage | `gsutil` |
+
+### Adding a New Cloud Provider
+
+To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud):
+
+1. **Cluster config**: `clusters/oci-dev.yaml` — clusterName, domain, trustedIPs, cloudProvider
+2. **Overlay value files** in `infra/values/oci-dev/`:
+   - `traefik-values.yaml` — LB annotations, proxy protocol config
+   - `keycloak-values.yaml` — hostname
+   - `grafana-values.yaml` — hostname
+   - `gitea-values.yaml` — `storageClass` for persistence + PostgreSQL
+   - `opencost-values.yaml` — pricing model or cloud billing integration
+3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application
+4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev`
+5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed
+6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev`
+7. **Bootstrap**: `./bootstrap.sh oci-dev`
+
+---
+
 ## Glossary

 ### Terms
@@ -1528,6 +2071,6 @@ team: platform

 ---

-**Last Updated**: 2026-04-14
+**Last Updated**: 2026-04-22
 **Maintained By**: Platform Team
 **Version**: 1.0.0
--- a/infra/base/cert-manager-application/cert-manager-application.yaml
+++ b/infra/base/cert-manager-application/cert-manager-application.yaml
--- a/infra/base/cert-manager-application/kustomization.yaml
+++ b/infra/base/cert-manager-application/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cert-manager-application.yaml
--- a/infra/base/cluster-resources-application/cluster-resources-application.yaml
+++ b/infra/base/cluster-resources-application/cluster-resources-application.yaml
--- a/infra/base/cluster-resources-application/kustomization.yaml
+++ b/infra/base/cluster-resources-application/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-resources-application.yaml
--- a/infra/base/databunker/databunker.yaml
+++ b/infra/base/databunker/databunker.yaml
@@ -1,12 +1,12 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: keycloak
+  name: databunker
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
-    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/name: databunker
    app.kubernetes.io/part-of: identity
    app.kubernetes.io/managed-by: argocd
  finalizers:
@@ -15,13 +15,13 @@ spec:
  project: default

  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
-    chart: keycloak
-    targetRevision: "25.2.0"
+  - repoURL: https://securitybunker.github.io/databunkerpro-setup
+    chart: databunkerpro
+    targetRevision: "0.1.0"
    helm:
-      releaseName: keycloak
+      releaseName: databunkerpro
      valueFiles:
-      - $values/infra/values/keycloak-values.yaml
+      - $values/infra/values/base/databunker-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
@@ -29,7 +29,7 @@ spec:

  destination:
    server: https://kubernetes.default.svc
-    namespace: keycloak
+    namespace: databunker

  syncPolicy:
    automated:
--- a/infra/base/databunker/kustomization.yaml
+++ b/infra/base/databunker/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- databunker.yaml
--- a/infra/base/enterprise-apps/enterprise-apps.yaml
+++ b/infra/base/enterprise-apps/enterprise-apps.yaml
@@ -18,7 +18,7 @@ spec:
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: apps
+    path: apps/overlays/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: apps
--- a/infra/base/enterprise-apps/kustomization.yaml
+++ b/infra/base/enterprise-apps/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- enterprise-apps.yaml
--- a/infra/base/fluent-bit/fluent-bit.yaml
+++ b/infra/base/fluent-bit/fluent-bit.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: fluent-bit
      valueFiles:
-      - $values/infra/values/fluent-bit-values.yaml
+      - $values/infra/values/base/fluent-bit-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/fluent-bit/kustomization.yaml
+++ b/infra/base/fluent-bit/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- fluent-bit.yaml
--- a/infra/base/gitea-actions/gitea-actions.yaml
+++ b/infra/base/gitea-actions/gitea-actions.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: gitea-actions
      valueFiles:
-      - $values/infra/values/gitea-actions-values.yaml
+      - $values/infra/values/base/gitea-actions-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/gitea-actions/kustomization.yaml
+++ b/infra/base/gitea-actions/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitea-actions.yaml
--- a/infra/base/gitea/gitea-backup-s3-sealed.yaml
+++ b/infra/base/gitea/gitea-backup-s3-sealed.yaml
--- a/infra/base/gitea/gitea-credentials-sealed.yaml
+++ b/infra/base/gitea/gitea-credentials-sealed.yaml
--- a/infra/base/gitea/gitea-runner-token-sealed.yaml
+++ b/infra/base/gitea/gitea-runner-token-sealed.yaml
--- a/infra/base/gitea/gitea-smtp-secret-sealed.yaml
+++ b/infra/base/gitea/gitea-smtp-secret-sealed.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: gitea-smtp-secret
+  namespace: gitea
+spec:
+  encryptedData:
+    password: AgBMuISQeA41mtBIOo686sND2EO12Jv7BIogL5G7xxt7wKfIk88dQrU74vs+fv3OtPce2Ra63QkR6po31M9fZkoiYba5yqJtEOc6em3y0ZxM/UzavbRvHwrvsWEYqmHBnkCUjcJijdGbSX+rHyGsXLfZO0gOjqXO379Zl1fzmV4p3F5REXFQm6HorVtWX/LOSRj9GDW76l6KgPR/A+CbtAx8Cq0m3D3fyiaVLEReP3uOgBOo70APHj9Yp56EcgOtVa1pEgCxR4ctXeS4t/EliWcHc/JT4TBdRBRDYPKLfME6FvJxjLjaSZcWxtJrJzCv3+vA5LlfObuHY31aSDRqYwO4VBCPhf3Aa6Z5UXgUnmAtJRhHa9pKSSjW48jgNb1jDPIkQn5XgB2/twJ+gX3inAkrTQ82JJ75Rz7XWC8KmYkOtkgXgU2buCa4nIfPeXOr5qvutyywxV1Ge1nK0fQYneQZVFXlHTbAQXBJMpVvJoJ+G3xGjm1904/iBGkVKmNrQwaABUsGBC6ZIHGOTa45GBqrg3ODU2Gr61SCYxv6m3pMU1msR7QYne0oqLCVD8mLDaeSeiQI4ZY9u4ddsVwM6l2BFrT6+3IQuYPBgOoodzDVlCgmA7hoekhpak9vZ0loSHaWDXdNt75SemAjsQfwCO5sSEkr+wbCJEQpXh5p38RMZKTuOh3nYEGQEx/MQNl3VD4FarK/zOJM9EO9IkqdM4LnqVo3zPX4KAPosS1PPKS8
+    username: AgBF6MiaI1x2xQOUoF4NUh4MeFF64Db3vywcEO0FdJ0U9EirVFMsBSSiqJLy8ok43ha72s+/RLBNHiSSRKX1UMWwwCsfs+LQJNh9EetgHRxoyqkHiqRMX5V2acU2scdPE/FCFQFOYzAjweup+kP8xNu1WKuDtPBRiAgBNDfW59ihFi9TgOJQ2AnDHottjm5CNaWsbTOSgZrXqzCEChfHu5K0W9cty9ENHYqnYDfcm/zPLYeUPW0gVN5GJq3lPo9vZjM7T2JnwryjOkBaPCRCzHOpRF3bMrArFrjbUlH6gdI0APf4CzGLMMKol/jTMG2tLBseaNQHfbz6p1vFYExCL60gSN46fzh10zIWaIC2O+SgoLLOizkQZWf/v86cdRerBSl6PFmbRUO18XUQ4SyR/WPM71HD1jeLnUZjKtkOu+fqQKlv8kBSELHGqiURNYDnbmUA1LQpdNkDnMkRS+uzQ3XwWCSQBAn+u9wh69kg1oPVEN60Nc4KpNwFIg25aycGkP3cMklfl3/u9nr5KruwtJe+hl2ynSk8zeEFWWQrBki7+88CH9aWVW/GTA8Ho7Fz+gp4ZUdUA0WhH2LRAQIN945pvJIkHm/AYAhH6pZiXdBzYeguPY5VEf6hDVM1sa39aSZzs81cj0YHxbjR/BoBxbUAa9xW7JYH2rcIqXDhJB4zq2H++8e0eABsdQC3tMmE1eQA51d0yg8+2fX+CRkcvMCmI3VjS/mdirrtnctv
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        allowedToBeCloned: "true"
+      name: gitea-smtp-secret
+      namespace: gitea
+    type: Opaque
--- a/infra/base/gitea/gitea.yaml
+++ b/infra/base/gitea/gitea.yaml
@@ -21,7 +21,8 @@ spec:
    helm:
      releaseName: gitea
      valueFiles:
-      - $values/infra/values/gitea-values.yaml
+      - $values/infra/values/base/gitea-values.yaml
+      - $values/infra/values/upc-dev/gitea-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitea.yaml
+- gitea-backup-s3-sealed.yaml
+- gitea-credentials-sealed.yaml
+- gitea-runner-token-sealed.yaml
+- gitea-smtp-secret-sealed.yaml
--- a/infra/base/grafana-dashboards/grafana-dashboards.yaml
+++ b/infra/base/grafana-dashboards/grafana-dashboards.yaml
--- a/infra/base/grafana-dashboards/kustomization.yaml
+++ b/infra/base/grafana-dashboards/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- grafana-dashboards.yaml
--- a/infra/base/grafana/grafana.yaml
+++ b/infra/base/grafana/grafana.yaml
@@ -21,7 +21,8 @@ spec:
    helm:
      releaseName: grafana
      valueFiles:
-      - $values/infra/values/grafana-values.yaml
+      - $values/infra/values/base/grafana-values.yaml
+      - $values/infra/values/upc-dev/grafana-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/grafana/kustomization.yaml
+++ b/infra/base/grafana/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- grafana.yaml
--- a/infra/base/homepage/homepage.yaml
+++ b/infra/base/homepage/homepage.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homepage
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+  labels:
+    app.kubernetes.io/name: homepage
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://jameswynn.github.io/helm-charts
+    chart: homepage
+    targetRevision: "2.1.0"
+    helm:
+      releaseName: homepage
+      valueFiles:
+      - $values/infra/values/base/homepage-values.yaml
+      - $values/infra/values/upc-dev/homepage-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homepage
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- homepage.yaml
--- a/infra/base/karpor/karpor.yaml
+++ b/infra/base/karpor/karpor.yaml
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: karpor
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: karpor
+    app.kubernetes.io/part-of: developer-portal
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://kusionstack.github.io/charts
+    chart: karpor
+    targetRevision: "0.7.6"
+    helm:
+      releaseName: karpor
+      valueFiles:
+      - $values/infra/values/base/karpor-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: karpor
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
--- a/infra/base/karpor/kustomization.yaml
+++ b/infra/base/karpor/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- karpor.yaml
--- a/infra/base/keycloak/keycloak-credentials-sealed.yaml
+++ b/infra/base/keycloak/keycloak-credentials-sealed.yaml
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/part-of: identity
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: registry-1.docker.io/bitnamicharts
+    chart: keycloak
+    targetRevision: "25.2.0"
+    helm:
+      releaseName: keycloak
+      valueFiles:
+      - $values/infra/values/base/keycloak-values.yaml
+      - $values/infra/values/upc-dev/keycloak-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: keycloak
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+    - /spec/jobTemplate/spec/template/spec/containers/0/args
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- keycloak.yaml
+- keycloak-credentials-sealed.yaml
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- traefik-application
+- keycloak
+- grafana
+- cert-manager-application
+- kyverno
+- sealedsecrets
+- prometheus
+- loki
+- fluent-bit
+- enterprise-apps
+- cluster-resources-application
+- kyverno-policies
+- gitea
+- gitea-actions
+- opencost
+- renovate
+- tempo
+- grafana-dashboards
+- karpor
+- databunker
+- homepage
--- a/infra/base/kyverno-policies/kustomization.yaml
+++ b/infra/base/kyverno-policies/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kyverno-policies.yaml
--- a/infra/base/kyverno-policies/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies/kyverno-policies.yaml
--- a/infra/base/kyverno/kustomization.yaml
+++ b/infra/base/kyverno/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- kyverno.yaml
--- a/infra/base/kyverno/kyverno.yaml
+++ b/infra/base/kyverno/kyverno.yaml
--- a/infra/base/loki/kustomization.yaml
+++ b/infra/base/loki/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- loki.yaml
--- a/infra/base/loki/loki.yaml
+++ b/infra/base/loki/loki.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: loki
      valueFiles:
-      - $values/infra/values/loki-values.yaml
+      - $values/infra/values/base/loki-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
--- a/infra/base/opencost/kustomization.yaml
+++ b/infra/base/opencost/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- opencost.yaml
--- a/infra/base/opencost/opencost.yaml
+++ b/infra/base/opencost/opencost.yaml
@@ -21,7 +21,8 @@ spec:
    helm:
      releaseName: opencost
      valueFiles:
-      - $values/infra/values/opencost-values.yaml
+      - $values/infra/values/base/opencost-values.yaml
+      - $values/infra/values/upc-dev/opencost-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/prometheus/kustomization.yaml
+++ b/infra/base/prometheus/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- prometheus.yaml
--- a/infra/base/prometheus/prometheus.yaml
+++ b/infra/base/prometheus/prometheus.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: prometheus
      valueFiles:
-      - $values/infra/values/prometheus-values.yaml
+      - $values/infra/values/base/prometheus-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- renovate.yaml
+- renovate-env-sealed.yaml
--- a/infra/base/renovate/renovate-env-sealed.yaml
+++ b/infra/base/renovate/renovate-env-sealed.yaml
--- a/infra/base/renovate/renovate.yaml
+++ b/infra/base/renovate/renovate.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: renovate
      valueFiles:
-      - $values/infra/values/renovate-values.yaml
+      - $values/infra/values/base/renovate-values.yaml

  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
+++ b/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Danijel Simeunovic	516498651b	homepage annotations	2026-04-28 14:10:12 +02:00
Danijel Simeunovic	230c160870	more mem homepage	2026-04-28 14:03:21 +02:00
Danijel Simeunovic	d1588975dc	homepage	2026-04-28 13:58:34 +02:00
Danijel Simeunovic	7132f5000e	docs	2026-04-27 20:35:27 +02:00
Danijel Simeunovic	b4100bd456	mm ns	2026-04-27 20:16:06 +02:00
Danijel Simeunovic	fff117a500	ns	2026-04-27 17:40:46 +02:00
Danijel Simeunovic	03c75fc4cd	mm ns	2026-04-27 17:40:05 +02:00
Danijel Simeunovic	df73c4bdc0	mm sync pol	2026-04-27 17:37:54 +02:00
Danijel Simeunovic	6a7de704f2	enterprise-apps	2026-04-27 17:34:43 +02:00
Danijel Simeunovic	be8bbd2c12	aksapps	2026-04-27 17:33:47 +02:00
Danijel Simeunovic	c469ab44b0	ent apps	2026-04-27 17:28:48 +02:00
Danijel Simeunovic	290c8b91f8	db pass	2026-04-27 14:05:38 +02:00
Danijel Simeunovic	a776bae4bd	image tag	2026-04-27 13:00:37 +02:00
Danijel Simeunovic	7405ce27dd	chart name	2026-04-27 12:55:20 +02:00
Danijel Simeunovic	1281e8ef37	databunker	2026-04-27 12:54:18 +02:00
Danijel Simeunovic	c497c54e8e	fix	2026-04-27 12:28:47 +02:00
Danijel Simeunovic	b57459cf85	rm secrets2	2026-04-27 12:25:25 +02:00
Danijel Simeunovic	e8dd213685	rm secrets	2026-04-27 12:24:14 +02:00
Danijel Simeunovic	1d879c82f9	secrets shuffle	2026-04-27 12:21:50 +02:00
Danijel Simeunovic	94c8265475	overlays2	2026-04-27 12:01:59 +02:00
Danijel Simeunovic	17d7c4a655	overlays	2026-04-27 11:49:10 +02:00
Danijel Simeunovic	f3dba72c5d	aks-dev	2026-04-27 11:33:24 +02:00
Danijel Simeunovic	cc9c9049eb	ignore diff	2026-04-26 23:55:55 +02:00
Danijel Simeunovic	9f6c5105af	netpol all remove	2026-04-25 16:04:13 +02:00
Danijel Simeunovic	45e502d74d	argocd tls	2026-04-25 11:49:17 +02:00
Danijel Simeunovic	167d893233	clean scopes gitea	2026-04-24 20:18:02 +02:00
Danijel Simeunovic	8b9ffee242	socpes	2026-04-24 20:14:28 +02:00
Danijel Simeunovic	4069e255a8	org scope	2026-04-24 20:05:01 +02:00
Danijel Simeunovic	3b1f498616	Update infra/values/base/keycloak-values.yaml	2026-04-24 17:40:15 +00:00
Danijel Simeunovic	cc47bf6b9f	grafana access	2026-04-24 15:49:47 +02:00
Danijel Simeunovic	c1d61398f0	SSO grafana	2026-04-24 15:45:50 +02:00
Danijel Simeunovic	ece4a8d199	grafana tls	2026-04-24 15:39:46 +02:00
Danijel Simeunovic	03c47ad109	remove trivy	2026-04-24 15:24:58 +02:00
Danijel Simeunovic	3095741590	clear KC scopes	2026-04-24 15:13:58 +02:00
Danijel Simeunovic	d7ba859e61	no openid	2026-04-24 15:09:10 +02:00
Danijel Simeunovic	07eb9b7051	optional scopes	2026-04-24 15:05:07 +02:00
Danijel Simeunovic	a911ff64c3	kc scopes	2026-04-24 15:03:14 +02:00
Danijel Simeunovic	9e13560e5e	basic scope	2026-04-24 14:40:32 +02:00
Danijel Simeunovic	3d84acb278	DEFAULT_EMAIL_NOTIFICATIONS	2026-04-24 14:25:29 +02:00
Danijel Simeunovic	fde81c6ec6	dbox	2026-04-24 13:42:52 +02:00
Thomas Solbjor	8648269e55	Update secrets/base/kustomization.yaml	2026-04-24 11:25:38 +00:00
Thomas Solbjor	84fe4cbe7c	ts-mcp-secrets-sealed.yaml	2026-04-24 13:15:00 +02:00
Danijel Simeunovic	38158be0a8	doc	2026-04-24 12:55:50 +02:00
Danijel Simeunovic	202e84badc	doc	2026-04-24 12:54:26 +02:00
Danijel Simeunovic	a6df75de93	dbox	2026-04-24 12:38:50 +02:00
Danijel Simeunovic	4f4f544100	k	2026-04-24 10:58:20 +02:00
Danijel Simeunovic	8d4b6493a0	mm	2026-04-24 10:57:53 +02:00
gitea_admin	8505481291	feature/multi-cloud (#14 ) Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Reviewed-on: #14	2026-04-24 08:48:53 +00:00
Danijel Simeunovic	65598c9297	karpor diffs	2026-04-24 09:47:52 +02:00
Danijel Simeunovic	3f0f70699b	karpor	2026-04-24 09:43:16 +02:00
Danijel Simeunovic	06522b2f19	ts-mcp	2026-04-23 14:44:33 +02:00
Danijel Simeunovic	4c65035485	ns	2026-04-23 14:11:45 +02:00
Danijel Simeunovic	84f4bebc08	ts-mcp	2026-04-23 13:41:51 +02:00
Danijel Simeunovic	5394b2c714	ts-mcp	2026-04-23 13:40:33 +02:00
Danijel Simeunovic	c4e586a7be	ts-mcp	2026-04-23 13:38:47 +02:00
Danijel Simeunovic	1fa070b041	argo	2026-04-23 13:35:42 +02:00
Danijel Simeunovic	9c905355e3	argocd known host	2026-04-23 13:28:34 +02:00
Danijel Simeunovic	6b1115ec28	argocd disable submodule	2026-04-23 13:09:02 +02:00
Danijel Simeunovic	2fb276a62c	ts-mcp	2026-04-23 13:02:00 +02:00
Danijel Simeunovic	3efe1b68ef	auth doc	2026-04-23 10:05:15 +02:00
Danijel Simeunovic	5df104beec	sp	2026-04-22 13:54:51 +02:00
Danijel Simeunovic	0ecfee3cf8	prompts	2026-04-22 13:51:38 +02:00
Danijel Simeunovic	c88938adb5	feature/ai-review (#7 ) Co-authored-by: gitea_admin <admin@forteapps.net> Reviewed-on: #7 Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-22 09:30:02 +00:00
Danijel Simeunovic	d05a16840e	pr trigger	2026-04-22 09:11:40 +02:00
Danijel Simeunovic	d7c7242aa1	submodule	2026-04-22 09:10:38 +02:00
Danijel Simeunovic	3bf9fa7837	pr label	2026-04-22 08:48:05 +02:00
Danijel Simeunovic	d2596568f2	version tag	2026-04-21 15:17:52 +02:00
Danijel Simeunovic	2a3539350b	AI-review (#6 ) Co-authored-by: gitea_admin <admin@forteapps.net> Reviewed-on: #6 Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-21 08:20:41 +00:00
Danijel Simeunovic	f97b613c12	remove unneeded yml	2026-04-20 22:46:44 +02:00
Danijel Simeunovic	9c7db11470	remove unneeded yml	2026-04-20 22:45:53 +02:00
Danijel Simeunovic	723072bd1e	cleanup	2026-04-19 13:47:29 +02:00
Danijel Simeunovic	046b78446b	add opencost	2026-04-19 13:41:44 +02:00
Danijel Simeunovic	56a1b49d10	missing manifest	2026-04-19 13:39:26 +02:00
Danijel Simeunovic	d557eb1865	revert	2026-04-19 13:28:40 +02:00
Danijel Simeunovic	a51ed84124	Merge branch 'main' of https://git.forteapps.net/Forte/launchpad	2026-04-19 13:28:03 +02:00
Danijel Simeunovic	73e253a579	traefik	2026-04-19 13:27:59 +02:00
Danijel Simeunovic	d7c1341eab	don't sync users with cron job	2026-04-19 11:43:47 +02:00
Danijel Simeunovic	eed53006c1	docs	2026-04-18 23:12:18 +02:00
Danijel Simeunovic	395ca70c2a	prod values	2026-04-18 23:02:02 +02:00
Danijel Simeunovic	ea04ec20c9	remove docs wf	2026-04-18 20:54:48 +02:00
Danijel Simeunovic	03a0d7c9ae	feature/multicluster Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 5s Details Co-authored-by: Danijel Simeunovic <danijel.simeunovic@trumf.no> Reviewed-on: #4 Reviewed-by: gitea_admin <admin@forteapps.net>	2026-04-18 18:14:00 +00:00
Danijel Simeunovic	72a65f0e06	client cloner (#3 ) Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details Reviewed-on: #3 Reviewed-by: gitea_admin <admin@forteapps.net> Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-17 13:42:44 +00:00
Danijel Simeunovic	44fc242ae8	doc Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details	2026-04-17 11:43:50 +02:00
Danijel Simeunovic	b2f601e950	doc Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 6s Details	2026-04-17 11:42:46 +02:00
Danijel Simeunovic	f8b17cc030	log level info renovate	2026-04-17 10:59:52 +02:00
Danijel Simeunovic	6639d0e3ff	renovate prs Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 5m15s Details	2026-04-17 09:58:52 +02:00
Danijel Simeunovic	4485731ab5	smtp+starttls	2026-04-16 15:57:59 +02:00
Danijel Simeunovic	439b8516f0	smtps auth	2026-04-16 15:46:54 +02:00
Danijel Simeunovic	0eccd2d439	smtp auth	2026-04-16 15:43:10 +02:00
Danijel Simeunovic	3e1029a557	mail notification	2026-04-16 15:39:51 +02:00
Danijel Simeunovic	61c2801e0a	smtp	2026-04-16 15:32:10 +02:00
gitea_admin	8902a0e51e	Merge pull request 'SMTP config Gitea' (#2 ) from feature/smtp into main Reviewed-on: #2	2026-04-16 13:17:28 +00:00
Danijel Simeunovic	4486279eab	smtp config	2026-04-16 15:13:18 +02:00
Danijel Simeunovic	020dfeffd4	client secret fixes Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 6m6s Details	2026-04-16 15:04:27 +02:00
Danijel Simeunovic	7e10954a8f	client secret bootstrapping Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 39m32s Details	2026-04-16 13:55:13 +02:00
Danijel Simeunovic	88c29565b6	smtp	2026-04-16 10:42:35 +02:00
Danijel Simeunovic	87ee0588a7	renovate pr targets	2026-04-15 16:33:58 +02:00
Danijel Simeunovic	db8a1de797	10x repo PRs	2026-04-15 13:46:13 +02:00
Danijel Simeunovic	177150e069	gitea protocol mapper Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details	2026-04-15 13:27:14 +02:00
Danijel Simeunovic	c63a9242f0	renovate loglevel	2026-04-14 12:44:47 +02:00
Danijel Simeunovic	1d43ecddad	renovate daily and more mem	2026-04-14 12:26:46 +02:00