From ebe792629be391e22e8440e1c5c6939ed5f87372 Mon Sep 17 00:00:00 2001 From: Vadym Moshynskyi Date: Mon, 8 Jun 2026 15:53:42 +0200 Subject: [PATCH 1/2] IEBH-483: Deploy audit-trail service in dev --- README.md | 3 +- clusters/dev/apps/audit-trail/Chart.yaml | 7 +++ .../dev/apps/audit-trail/application.yaml | 28 +++++++++ .../templates/external-secret.yaml | 17 ++++++ clusters/dev/apps/audit-trail/values.yaml | 61 +++++++++++++++++++ docs/vault-secrets.md | 7 +++ 6 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 clusters/dev/apps/audit-trail/Chart.yaml create mode 100644 clusters/dev/apps/audit-trail/application.yaml create mode 100644 clusters/dev/apps/audit-trail/templates/external-secret.yaml create mode 100644 clusters/dev/apps/audit-trail/values.yaml diff --git a/README.md b/README.md index 9ec67af..3090a8b 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This repo uses ArgoCD's app-of-apps pattern: a root Application (`root-app.yaml` ### Sync-Wave Order | Wave | App | Notes | -|------|-----|-------| +|------|-----|------| | -1 | argo-cd | GitOps controller | | 0 | cert-manager | TLS certificate management | | 1 | ingress-nginx | Ingress controller | @@ -51,6 +51,7 @@ This repo uses ArgoCD's app-of-apps pattern: a root Application (`root-app.yaml` | 9 | kong | API gateway | | 9 | metadata-event-handler | Kafka→ES event indexer | | 9 | kg-integration | EBRAINS Knowledge Graph integration | +| 9 | audit-trail | | | 10 | bff | Backend-for-frontend (web) | | 10 | bff-cli | Backend-for-frontend (CLI) | | 11 | portal | Frontend UI | diff --git a/clusters/dev/apps/audit-trail/Chart.yaml b/clusters/dev/apps/audit-trail/Chart.yaml new file mode 100644 index 0000000..0f6b6b8 --- /dev/null +++ b/clusters/dev/apps/audit-trail/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: audit-trail +version: 0.1.0 +dependencies: + - name: audit-trail-service + version: "0.2.0" + repository: https://pilotdataplatform.github.io/helm-charts/ 
diff --git a/clusters/dev/apps/audit-trail/application.yaml b/clusters/dev/apps/audit-trail/application.yaml
new file mode 100644
index 0000000..42546f0
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/application.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: audit-trail
+ namespace: utility
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+ targetRevision: main
+ path: clusters/dev/apps/audit-trail
+ helm:
+ valueFiles:
+ - ../../registry.yaml
+ - ../../versions.yaml
+ - values.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: utility
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/clusters/dev/apps/audit-trail/templates/external-secret.yaml b/clusters/dev/apps/audit-trail/templates/external-secret.yaml
new file mode 100644
index 0000000..37b1da4
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/templates/external-secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: audit-trail-credentials
+ namespace: utility
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ name: audit-trail-credentials
+ data:
+ - secretKey: atlas-password
+ remoteRef:
+ key: secret/data/atlas
+ property: atlas-password
diff --git a/clusters/dev/apps/audit-trail/values.yaml b/clusters/dev/apps/audit-trail/values.yaml
new file mode 100644
index 0000000..f47b759
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/values.yaml
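Review bot: `project: default` in application.yaml puts this app in Argo CD's built-in project, which, unless it has been restricted on this cluster, accepts any source repository and any destination namespace. Combined with `automated` sync, `prune: true` and `CreateNamespace=true`, a dedicated AppProject limited to this repo and the `utility` namespace would bound what a bad change under `clusters/dev/apps/audit-trail` can reach. If `default` is the deliberate convention for every app in the repo, a one-line comment would be enough, e.g. `# default project is shared by all dev apps; scoping is tracked separately`.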
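Review bot: A rotated `atlas-password` will not reach the running pod. In templates/external-secret.yaml `refreshInterval: 1h` only updates the Kubernetes Secret, while values.yaml consumes that Secret through `secretKeyRef` as the `ATLAS_PASSWD` environment variable, which is read once at container start. After a rotation in Vault the service would keep the old password until the workload restarts, unless the upstream chart or a reloader handles that, which is not visible here. I would record the restart requirement where the secret is defined, e.g. a comment above `refreshInterval`: `# consumed as an env var: restart audit-trail after rotating secret/atlas`.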
@@ -0,0 +1,61 @@ +audit-trail-service: + image: + repository: n47w5524.c1.de1.container-registry.ovh.net/hdc-services-image/audit-trail + pullPolicy: IfNotPresent + + fullnameOverride: audit-trail + replicaCount: 1 + + container: + port: 5077 + + service: + type: ClusterIP + port: 5077 + + imagePullSecrets: + - name: docker-registry-secret + + extraEnv: + ATLAS_ADMIN: "admin" + ATLAS_HOST: "atlas.utility" + ATLAS_PORT: 21000 + + extraEnvYaml: + - name: ATLAS_PASSWD + valueFrom: + secretKeyRef: + name: audit-trail-credentials + key: atlas-password + + resources: + limits: + cpu: "1" + memory: 500Mi + requests: + cpu: 10m + memory: 50Mi + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 5077 + + livenessProbe: + failureThreshold: 3 + httpGet: + path: /v1/health/ + port: 5077 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 3 + + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 33% + type: RollingUpdate diff --git a/docs/vault-secrets.md b/docs/vault-secrets.md index 079613e..54b7614 100644 --- a/docs/vault-secrets.md +++ b/docs/vault-secrets.md @@ -147,6 +147,13 @@ vault kv put secret/bff-cli \ guacamole-jwt-public-key='' ``` +## Atlas (`secret/atlas`) + +```bash +vault kv put secret/atlas \ + atlas-password=$(openssl rand -hex 24) +``` + ## Guacamole (`secret/guacamole`) ```bash From 1c2caf043b2eb386a713fb3df66cd5a3ebb3338b Mon Sep 17 00:00:00 2001 From: Vadym Moshynskyi Date: Mon, 8 Jun 2026 16:52:41 +0200 Subject: [PATCH 2/2] IEBH-483: Apply Copilot suggestions --- README.md | 2 +- clusters/dev/apps/audit-trail/application.yaml | 2 +- clusters/dev/apps/audit-trail/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3090a8b..efdc9ec 100644 --- a/README.md +++ b/README.md 
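Review bot: In values.yaml, `ATLAS_ADMIN: "admin"` together with `ATLAS_PASSWD` from `audit-trail-credentials` means the service logs in to Atlas with the administrator account, using the password pulled from `secret/data/atlas`. If that Vault entry is the same credential Atlas itself is administered with, a compromise of this pod exposes full Atlas administration rather than only what audit-trail needs. Whether the service or this Atlas deployment supports a narrower account is not visible in the patch, so I would at least mark the intent above `extraEnv`, e.g. `# TODO: replace the shared Atlas admin login with a scoped service account`. As a smaller point in the same hunk, `readinessProbe` only checks `tcpSocket` on 5077 while liveness already uses `/v1/health/`; pointing readiness at the same `httpGet` path would keep traffic away from a pod that is listening but not yet healthy.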
@@ -10,7 +10,7 @@ This repo uses ArgoCD's app-of-apps pattern: a root Application (`root-app.yaml` ### Sync-Wave Order | Wave | App | Notes | -|------|-----|------| +|------|-----|-------| | -1 | argo-cd | GitOps controller | | 0 | cert-manager | TLS certificate management | | 1 | ingress-nginx | Ingress controller | diff --git a/clusters/dev/apps/audit-trail/application.yaml b/clusters/dev/apps/audit-trail/application.yaml index 42546f0..1528a25 100644 --- a/clusters/dev/apps/audit-trail/application.yaml +++ b/clusters/dev/apps/audit-trail/application.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: audit-trail - namespace: utility + namespace: argocd annotations: argocd.argoproj.io/sync-wave: "9" spec: diff --git a/clusters/dev/apps/audit-trail/values.yaml b/clusters/dev/apps/audit-trail/values.yaml index f47b759..fec470d 100644 --- a/clusters/dev/apps/audit-trail/values.yaml +++ b/clusters/dev/apps/audit-trail/values.yaml @@ -19,7 +19,7 @@ audit-trail-service: extraEnv: ATLAS_ADMIN: "admin" ATLAS_HOST: "atlas.utility" - ATLAS_PORT: 21000 + ATLAS_PORT: "21000" extraEnvYaml: - name: ATLAS_PASSWD