diff --git a/private/cockpit/cloud_ingress.yaml b/private/cockpit/cloud_ingress.yaml
index f78447e56c0..f511b457f1d 100644
--- a/private/cockpit/cloud_ingress.yaml
+++ b/private/cockpit/cloud_ingress.yaml
@@ -5,16 +5,16 @@ metadata:
 name: cloud-ingress
 namespace: plc
 annotations:
- external-dns.alpha.kubernetes.io/hostname: pixie.austrianopencloudcommunity.org,work.pixie.austrianopencloudcommunity.org
+ external-dns.alpha.kubernetes.io/hostname: test.austrianopencloudcommunity.org,work.test.austrianopencloudcommunity.org
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
 tls:
 - hosts:
- - pixie.austrianopencloudcommunity.org
- - work.pixie.austrianopencloudcommunity.org
+ - test.austrianopencloudcommunity.org
+ - work.test.austrianopencloudcommunity.org
 secretName: cloud-proxy-tls-certs
 rules:
- - host: pixie.austrianopencloudcommunity.org
+ - host: test.austrianopencloudcommunity.org
 http:
 paths:
 - path: /px.services
@@ -45,7 +45,7 @@ spec:
 name: cloud-proxy-service
 port:
 number: 443
- - host: work.pixie.austrianopencloudcommunity.org
+ - host: work.test.austrianopencloudcommunity.org
 http:
 paths:
 - path: /px.services
diff --git a/private/cockpit/domain_config.yaml b/private/cockpit/domain_config.yaml
index ebc460f3abc..bffad38b03d 100644
--- a/private/cockpit/domain_config.yaml
+++ b/private/cockpit/domain_config.yaml
@@ -4,5 +4,5 @@ kind: ConfigMap
 metadata:
 name: pl-domain-config
 data:
- PL_DOMAIN_NAME: pixie.austrianopencloudcommunity.org
+ PL_DOMAIN_NAME: test.austrianopencloudcommunity.org
 PASSTHROUGH_PROXY_PORT: ""
diff --git a/private/cockpit/kustomization.yaml b/private/cockpit/kustomization.yaml
index ca3a5d234d1..2e1a93fdf5a 100644
--- a/private/cockpit/kustomization.yaml
+++ b/private/cockpit/kustomization.yaml
@@ -20,6 +20,7 @@ replicas:
 resources:
 - ../../k8s/cloud/base
 - plugin_db_updater_job.yaml
+- oauth_config.yaml
 components:
 - ../../k8s/cloud/overlays/exposed_services_traefik
 labels:
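Review bot: The hostname test.austrianopencloudcommunity.org is now hardcoded in four manifests — this Ingress (the external-dns annotation, tls.hosts and both rule hosts), domain_config.yaml, proxy_envoy.yaml and servers_transport.yaml — while the Certificate in cert_manager.tf appears to derive its DNS names from `local.cert_subdomain`, so nothing ties the two together and a later rename that misses one file leaves the Ingress serving a TLS secret whose SANs no longer match its hosts. A kustomize `replacements` entry sourced from the `pl-domain-config` ConfigMap, or at least a comment on the annotation such as `# must match local.cert_subdomain in terraform/kubernetes/cloud_deps`, would make the coupling visible. Separately, the unchanged `cert-manager.io/cluster-issuer` annotation together with `secretName: cloud-proxy-tls-certs` asks ingress-shim to manage the same secret that the `cloud_proxy_tls_certs` Certificate in cert_manager.tf targets; if both are live, two Certificate objects contend for one secret, which is worth confirming.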
diff --git a/private/cockpit/oauth_config.yaml b/private/cockpit/oauth_config.yaml
new file mode 100644
index 00000000000..55acfbaef00
--- /dev/null
+++ b/private/cockpit/oauth_config.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pl-oauth-config
+data:
+ PL_OAUTH_PROVIDER: auth0
+ PL_AUTH_URI: dev-ylinrwd1tckmhm03.us.auth0.com
+ PL_AUTH_CLIENT_ID: rDOrqnuIaTsXiya5I41b1FkNzXOQfWbW
+ PL_AUTH_EMAIL_PASSWORD_CONN: Username-Password-Authentication
diff --git a/private/cockpit/proxy_envoy.yaml b/private/cockpit/proxy_envoy.yaml
index 17e05ecc92a..f196c8af4a5 100644
--- a/private/cockpit/proxy_envoy.yaml
+++ b/private/cockpit/proxy_envoy.yaml
@@ -42,7 +42,7 @@ data:
 cluster: api_service
 cors:
 allow_origin_string_match:
- - suffix: "pixie.austrianopencloudcommunity.org"
+ - suffix: "test.austrianopencloudcommunity.org"
 allow_methods: GET, PUT, DELETE, POST, OPTIONS
 allow_headers: content-type,x-grpc-web,x-user-agent
 max_age: "1728000"
diff --git a/private/cockpit/servers_transport.yaml b/private/cockpit/servers_transport.yaml
index 5324809631e..50f86112c86 100644
--- a/private/cockpit/servers_transport.yaml
+++ b/private/cockpit/servers_transport.yaml
@@ -5,4 +5,4 @@ metadata:
 name: cloud-backend-transport
 namespace: plc
 spec:
- serverName: pixie.austrianopencloudcommunity.org
+ serverName: test.austrianopencloudcommunity.org
diff --git a/terraform/kubernetes/cloud_deps/cert_manager.tf b/terraform/kubernetes/cloud_deps/cert_manager.tf
index 75dc1be563a..15d812950ef 100644
--- a/terraform/kubernetes/cloud_deps/cert_manager.tf
+++ b/terraform/kubernetes/cloud_deps/cert_manager.tf
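Review bot: `PL_AUTH_CLIENT_ID` is embedded here as a literal while core_resource_deps.tf now reads the same client id from `data.terraform_remote_state.auth0.outputs.pixie_client_id`; nothing checks that the two agree, so a client re-created by the auth0 terraform would leave this ConfigMap pointing at the old id while the `cloud_auth0` Secret carries the new secret. Consider rendering this ConfigMap from terraform next to `cloud_auth0` (a `kubernetes_config_map_v1` fed from the same remote-state output), or at minimum add `# must match the pixie_client_id output of the auth0 terraform state` above the key. A client id is not a credential, so a ConfigMap is the right home for it; the tenant host in `PL_AUTH_URI` and the connection name are environment-specific values, though, and a one-line comment naming the environment they belong to would help whoever next clones this overlay.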
@@ -83,6 +83,10 @@ resource "kubernetes_manifest" "cloud_proxy_tls_certs" {
 "work.${local.cert_subdomain}",
 ]
 "issuerRef" = {
+ # ClusterIssuer kind must be explicit — defaulting to Issuer makes
+ # cert-manager look for a namespaced Issuer with this name in the
+ # plc namespace, which doesn't exist for letsencrypt-prod.
+ "kind" = "ClusterIssuer"
 "name" = var.public_issuer
 }
 "secretName" = "cloud-proxy-tls-certs"
diff --git a/terraform/kubernetes/cloud_deps/core_resource_deps.tf b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
index 1d82f493f28..f549ffd64d4 100644
--- a/terraform/kubernetes/cloud_deps/core_resource_deps.tf
+++ b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
@@ -83,8 +83,15 @@ resource "kubernetes_secret_v1" "db_secrets" {
 wait_for_service_account_token = false
 }
 
-data "sops_file" "auth0" {
- source_file = "${path.module}/../../credentials/cockpit/auth0_config.yaml"
+data "terraform_remote_state" "auth0" {
+ backend = "azurerm"
+ config = {
+ resource_group_name = var.auth0_state_resource_group
+ storage_account_name = var.auth0_state_storage_account
+ container_name = var.auth0_state_container
+ key = var.auth0_state_key
+ use_azuread_auth = true
+ }
 }
 
 resource "kubernetes_secret_v1" "cloud_auth0" {
@@ -94,8 +101,8 @@ resource "kubernetes_secret_v1" "cloud_auth0" {
 }
 
 data = {
- "auth0-client-id" = data.sops_file.auth0.data["stringData.auth0-client-id"]
- "auth0-client-secret" = data.sops_file.auth0.data["stringData.auth0-client-secret"]
+ "auth0-client-id" = data.terraform_remote_state.auth0.outputs.pixie_client_id
+ "auth0-client-secret" = data.terraform_remote_state.auth0.outputs.pixie_client_secret
 }
 
 type = "Opaque"
diff --git a/terraform/kubernetes/cloud_deps/provider.tf b/terraform/kubernetes/cloud_deps/provider.tf
index 527cf2b4295..0453dc57823 100644
--- a/terraform/kubernetes/cloud_deps/provider.tf
+++ b/terraform/kubernetes/cloud_deps/provider.tf
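Review bot: Switching to `terraform_remote_state` gives the identity that runs this module read access to the entire auth0 state blob, not just the two outputs consumed below — every attribute the auth0 module stored in that state, including any other secrets, becomes readable by anyone who can run this plan. Scope the storage-account RBAC to that one container and blob with a read-only role, and if the auth0 state holds more than these two values, have the auth0 module publish just them (a Key Vault secret, or a `kubernetes_secret` it writes itself) instead of exposing the whole state. As far as this diff shows, the sops-encrypted `credentials/cockpit/auth0_config.yaml` the removed data source pointed at is not deleted; if it is now unused it should go, so a stale copy of the credential does not linger in the repository. The db_secrets resource this hunk opens with ends before it, and the cloud_auth0 resource it ends with continues outside it.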
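Review bot: `outputs.pixie_client_secret` is read straight into `cloud_auth0.data`; whether the `sensitive = true` marking on the auth0 module's output survives the remote-state read depends on the Terraform version in use, and if it does not, the client secret is printed in plan diffs and CI logs. Wrapping it defensively, `"auth0-client-secret" = sensitive(data.terraform_remote_state.auth0.outputs.pixie_client_secret)`, keeps it redacted regardless of that behaviour. The value still lands in this module's own state as it did with sops, so the access control on that state remains the real boundary and is worth stating in a comment on the resource. The enclosing cloud_auth0 resource starts before this hunk.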
@@ -8,19 +8,15 @@ terraform {
 source = "kbst/kustomization"
 version = "0.9.7"
 }
- sops = {
- source = "carlpett/sops"
- version = "~> 1.0"
- }
 }
 }
 
 provider "kubernetes" {
- config_path = "~/.kube/cockpick-config"
+ config_path = "~/.kube/cockpit-config"
 config_context = "default"
 }
 
 provider "kustomization" {
 context = "default"
- kubeconfig_path = "~/.kube/cockpick-config"
+ kubeconfig_path = "~/.kube/cockpit-config"
 }
diff --git a/terraform/kubernetes/cloud_deps/variables.tf b/terraform/kubernetes/cloud_deps/variables.tf
index 88b789f3ec0..f7349926ab7 100644
--- a/terraform/kubernetes/cloud_deps/variables.tf
+++ b/terraform/kubernetes/cloud_deps/variables.tf
@@ -39,3 +39,21 @@ variable "cluster_internal_issuer" {
 variable "public_issuer" {
 default = "letsencrypt-prod"
 }
+
+# Auth0 remote state lookup — reads pixie_client_id / pixie_client_secret
+# outputs from the auth0 terraform state. All four must be supplied by the
+# caller (pipeline passes them as -var).
+variable "auth0_state_resource_group" {
+ type = string
+}
+variable "auth0_state_storage_account" {
+ type = string
+}
+variable "auth0_state_container" {
+ type = string
+ default = "tfoscaas-0001"
+}
+variable "auth0_state_key" {
+ type = string
+ default = "auth0-ckp2.tfstate"
+}
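Review bot: The header comment says `All four must be supplied by the caller`, but `auth0_state_container` and `auth0_state_key` carry defaults, so only the resource group and storage account are actually required; the comment should say so, e.g. `# resource_group and storage_account are required (pipeline passes them as -var); container and key default to the shared auth0 state location.` Each variable would also benefit from a `description` attribute, which is where terraform-docs and interactive `terraform plan` prompts surface the meaning, rather than a single block comment above the group. The defaults `tfoscaas-0001` and `auth0-ckp2.tfstate` pin this module to one specific state location; if other environments will reuse it, omitting the defaults forces the caller to be explicit and avoids silently pulling another environment's credentials.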