This section details on the original issue you should resolve

<issue_title>Deploy Mosquitto MQTT Broker via SINTEF Helm chart (Argo CD) + OnePassword-managed auth</issue_title>
<issue_description>### Why

Copilot used bjw-s/app-template, but we want the dedicated Mosquitto chart from SINTEF (helm repo add mosquitto https://sintef.github.io/mosquitto-helm-chart). The SINTEF chart also supports sourcing users/passwords from an existing Secret (auth.usersExistingSecret) so we don’t ship credentials in Git. ([Artifact Hub][1])

Goal

Replace the current mqtt-broker Application (app-template) with an Argo CD Application that deploys SINTEF Mosquitto into namespace infra-mqtt, using:

• Chart repo: https://sintef.github.io/mosquitto-helm-chart
• Chart: mosquitto
• Chart version: 0.1.1 (latest release tag shown in upstream releases) ([GitHub][2])
• Auth: enabled, but no default admin user from values.yaml (must override to use auth.usersExistingSecret) ([GitHub][3])
• Only override non-default values in valuesObject

Work items

1) Remove/replace the broken chart usage

• Delete or replace the existing Argo app that points to bjw-s/app-template for MQTT.
• Keep the destination namespace infra-mqtt and Argo project coachlight-k3s-infra.

2) Add OnePassword-backed Kubernetes Secret for Mosquitto users

In k8s/infra-mqtt/ (the path already used by mqtt-broker-secrets), add the OnePassword Operator CRDs needed to create a Secret that Mosquitto will read.

Secret requirements

• Secret name: mosquitto-auth

• Data key(s): follow the chart’s expected format for auth.usersExistingSecret (read the chart templates and confirm the expected key name and file format).

  • The chart docs indicate auth.usersExistingSecret “holds user/password pairs”. ([Artifact Hub][1])

• The stored content should be a mosquitto password file (e.g., lines like username:<sha512-pbkdf2-hash>). The upstream values show passwords are expected in sha512-pbkdf2 format. ([GitHub][3])

1Password item fields

• Create/update a 1Password item (vault: HomeLab) with a field for the password-file content.
• Field name suggestion: mosquitto_passwd
• Value: multiline password file content (e.g. admin:<hash>)

Note: generate hash using mosquitto_passwd tooling (store the hash/file content in 1Password; do not commit it).

Ensure the mqtt-broker-secrets app (sync-wave 10) applies these CRDs before the Helm release (sync-wave 20).

3) Create/update the Argo CD Application for Mosquitto chart

Create a new Application manifest (or update existing) that uses:

• spec.source.repoURL: https://sintef.github.io/mosquitto-helm-chart
• spec.source.chart: mosquitto
• spec.source.targetRevision: 0.1.1 ([GitHub][2])

valuesObject rules

• Do not set chart defaults.
• Only apply these sensible overrides (and only if they differ from defaults):

Suggested overrides to implement:

1. Disable websockets unless we actually need them

• Default is mqttOverWebsocket: true ([GitHub][3])
  Set:
• mqttOverWebsocket: false

2. Pin image tag only if you want something different than chart appVersion

• The default values set image.tag: "" (meaning “use chart appVersion”). ([GitHub][3])
  If you don’t need a pin, don’t set it.
  If you do want to pin, set:
• image.tag: "2.0.20" (or whatever version you want)

3. Resources

• Default is resources: {} ([GitHub][3])
  Set requests/limits appropriate for your lightweight broker:

resources:
  requests:
    cpu: 10m
    memory: 32Mi
  limits:
    cpu: 100m
    memory: 128Mi

4. Auth: 반드시 default admin 제거

• The default values include an admin user and hash in auth.users. ([GitHub][3])
  We must override so we do not deploy that default user.

Set:

• auth.enabled: true (ONLY if required to activate the block—if it’s already true...