feat: zero trust SOPS key isolation (deploy-k3s#32)

- Add test-key (age1wtzdf8...) for shared test environment - Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0) Allows adding new YAML fields without decryption key - Re-encrypt all 10 files with mac_only_encrypted metadata - Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml - test-key can only decrypt *.test.enc.yaml (not dev/prod) - Add dev/verify-sops-isolation.sh — 33-point verification script - Keep dev/prod files with admin+dev / admin+prod only (no test-key) Verified: 33/33 isolation checks passed Co-authored-by: XoR <xor@benadis.ru>
2026-03-12 17:11:29 +03:00
parent bea103a280
commit 42cb7ac5bf
12 changed files with 312 additions and 147 deletions
--- a/infra/gitea/values/secret-values.dev.enc.yaml
+++ b/infra/gitea/values/secret-values.dev.enc.yaml
@@ -1,27 +1,28 @@
 # Gitea secrets for dev/test cluster
-admin-password: ENC[AES256_GCM,data:Nh7IDhZbJxOYjat8JhRoWtQ=,iv:mDtUOdjiKxvTTKaWNQ6bUQ2rCbV9Ule25IN5AVBTrp0=,tag:FxMWUvu82HusjtPBmEtwcA==,type:str]
-db-password: ENC[AES256_GCM,data:qRZjNRGr/oJVzYTz6Kv0sZ7Sbns=,iv:V03c8IrsLZzJck5ZqrXS46LydbGPtLBwkjjGQI0zkv4=,tag:pxDpAbekwwOw9yiqMwl2QA==,type:str]
+admin-password: ENC[AES256_GCM,data:VVEs6UmQymD7bhc2DQ+ghuE=,iv:LRht/bByPtiCjkazc19NRIwbXzZclEZYtwCeXJfFMfQ=,tag:ig1bUcDNr+1wsDHoeBfMvw==,type:str]
+db-password: ENC[AES256_GCM,data:1QXmkEs6ECbf8NcoMcmgF4mLOYo=,iv:xKiTicbmhJaLajgN2taL+VR+H0ky1fHI3e79I0D6IdA=,tag:Whd7VdtjC7sYqC24XGEqBQ==,type:str]
 sops:
    age:
        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWFvNXF3QXpnbjFsbHhn
-            dmdnRmRwWnpkUVlRSHlEZXdXT2FoeVVVejFNCkZ0UGp5YWZ2TThEUnZPOVNqVjJR
-            S0lXSGxSSFF3ZWhUM2NMWW9MZUszZnMKLS0tIEowWHo5SUFMMDFNY1lWY3NuNnJN
-            OERJZklLT1RnSDc4VjdaQ0F3cVRTaGsKYIfYSv4In5YiGs2/KWX1oPqOoiUxwVUl
-            jROG2UecsSjhKq6XdX+KVYmcSKhy1ljPjHaL+t3MmSNE6+jJpMpDvQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdHZRckgvZXZwRUdFZTNt
+            WFlNU0YwWncyNC9aZEFIT0hRRU5uYkNLMXdvCmgxM3NHSnR0THFXZUw4amZnSi9t
+            dkgrZDloUVo5NkZ5eDdPNUxaTi84NncKLS0tIGlmWDBiMjJUWWxsU1ZzWTZYL2dm
+            c25XZ0NKbUtuNHBjeGJ6YWVDTndaMXMKKHqfuydqSL65wdpHcyug8eg0p1VPMSuz
+            VeNu16pPCtTtStuGl4f2ciOVMaGCNbjY3XySRzZQKUNciZVTfat5Ow==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNzZSWE1NcTR1blQ5TWxH
-            N0k2YWNOdTA4WHZXQ3VlTHpWNVNuRm53S3dzCnZOR0gyWTVzams4SjdCZVpSMjdL
-            S2dqZTcvb3VtVE9JUWVlVU1QL1NaZ3MKLS0tIHdUZldWZWdIZ01VUWxLeEJDNmY0
-            aEV2U1JMaTFYRldjc1kwNHczd3gvM1kKEytPjCdNTG+8SFnQxh50XKfjAxa1xn0t
-            D3dj6yMfIfkgnp84pI9PY5hBweHrEcdeUwhPrkNY8dRuiShv4o4xTQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YzZ5am1lWGFaeVBxak5P
+            bVdSWHZTU1pkR3U0b1hvMVIvZUh3MnNpbkNJCm8wMmNUVzZ2U01kc3crTGliZG5u
+            MHpKVDZaZEt3dkJ3cVRVREpPQXFXUlUKLS0tIGdwSjNXUm4reENLUFRhMlNWQ0Yw
+            Ykw3QjBoQ2c0c3U1dWs0OVpCajBnYTQKtU/a24mNe+yo91QvFs2qHC2HR5tft9ny
+            d0RnFNYSaxgFWbV+Hs3vzBQUFlq0CzhfZzRR/rUcRfnrd+krlXThRQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:57:04Z"
-    mac: ENC[AES256_GCM,data:LKIihGyIcUImsmRWgPhWQRBeaFiXdWgaMwlif+FPNdmy/LSRlwIqIN8KzwuMu1zAlNvl1SVOVZL7SgRe9rZHax5pIn+Qrb5B+cuFPZTyvl24VBlJ+l29x182CKhRnT1RDDA9D7do+y8bG+rjyJ6u5d/yYcMAYIH9+I4fS4uERQw=,iv:23M4i1uCpQzfWZIp2c4gGThOCGotS3eajdjItlAwh2Y=,tag:MoD7LbWCu5EGxPeliRDinQ==,type:str]
+    lastmodified: "2026-03-12T14:08:13Z"
+    mac: ENC[AES256_GCM,data:E7YknH7WIh7zhZElq67jPRyt1dfjQDVWvrcIMtHbkRG/d6xQhgeJY9HwWJaotfrlCx3tpxO0zi882/ACVoogY+8f3l8jCCOEp+e20X3qDmbEOrRLsl8+mRnDiyJFAXULqJvAHEr5yJnYNxXXvVzOSpTOe+ECgedCJ4fgRU58c0k=,iv:FZt+eF6OLW+98FVxe7TFdpCWSvMwwXWKdudccgMJoKo=,tag:lpCIsC85JDG7p6xyxJnk4A==,type:str]
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
    version: 3.12.1
--- a/infra/gitea/values/secret-values.prod.enc.yaml
+++ b/infra/gitea/values/secret-values.prod.enc.yaml
@@ -1,27 +1,28 @@
 # Gitea secrets for prod cluster
-admin-password: ENC[AES256_GCM,data:4pXdFHPAXo9fnyEmAqDygucpGrOy,iv:Qa/fQvRoU8TXMlkSjlomwzOn0v1M/PJ606HZI+inRcQ=,tag:/fKGATm+rUSCUH+os12qlQ==,type:str]
-db-password: ENC[AES256_GCM,data:lw3I+smG/1DaMFd2V98D7ENu6MB0g+e81A==,iv:DZmS4R2buArXMkO/Cjtp9gN9AqpTaVHs7NfqQFqciWY=,tag:OA9kzug/Mel6+GDlnYU/jA==,type:str]
+admin-password: ENC[AES256_GCM,data:ZStjY7d/2LcgGm8roVRT7ndOwgNi,iv:QYCaEqO1P0fjVnd6Cw+HMJKYSlqj0Bin7aBSmkZ5Zb0=,tag:f3pM4+U84FJOR54ADGKMxw==,type:str]
+db-password: ENC[AES256_GCM,data:gVcaEkJHP6LC/ufpW6/uyVceWvrx6vVnWg==,iv:Qt364af+t33gUKqHjkNUQzmJjCV+qrvoOJlwTpXmGy4=,tag:SURLKmepxtcrlmFR8wGvJw==,type:str]
 sops:
    age:
        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCd2VUaHhQc0h4bmYwdmFy
-            WVJLS2dURWZnOUtCKzRoajB2RVI5U1ROOEVvCnV2VmxFTkhPNlErOE5SZzUyT0c1
-            VitrWFlJVUt5N2plMitWVjZPUHBmYU0KLS0tIFJVUnBBZjl6cWlRYUNiZSs1V0Q2
-            b1NBVnZydDVlY09LeHNpbkdsTzRNNmcKO9GFvLHIWTh/Aseuo3Z8FE47dE92MxJ6
-            p5OCsZRw+bpQfURStiyckaoMW8Of716uDIS3v1JaW8u4xm3e+lZXGg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ckdkQzdIN0dFelVUSEMy
+            QllGVTN4Z2IvZ0t3M29NcTNMSGEzczFjWnljCnA4NkZNcDdWUTRNRWIzRmhNckV3
+            ODZFWWdneUU3VHZiRC9TSlVkVjNhVEUKLS0tIHNYWHdML2o0dUlNb1BoWThUK29H
+            MDR0L1QwRlh0emFWMDJvMjhUMnJvb0UKBI+dEz95zrwzb42PpyxBMI70Aei68BIX
+            TQ/sCHKqvtdbEwTkg/ndhfPdorCIGwfCobJmWb8WySU1VZHCWYzJxw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUZjdlk4MU4yWGNPOEs4
-            ZkplUzlyV1lmQUxidHk3aDFhU1NOeElxeVU4CngxWS8vOTdUbEVNM2thMWgxNGRo
-            ZUlYdjVPTXFJWGtNWEJEa2V1dGhqSTgKLS0tIEI2V1hrWUVnRnovblhVQ2ROSENE
-            dXhwWXJJbnVBaFpraXJURERMR1lkUjQKFzaekfQFqg2cVT5gks4fXX26GtZu+M1F
-            g+pzNxpFVlzdrXiWrzjePshTVblVsxV8fKpUVoLYwwLOSILRzF3uwg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbVZraFNrMDYzNndkNkxJ
+            OERtbXNOamRDSlhpV05mOTcxbXVxT2xVODM0Ci9WSG5vb0trTzkwZFFOdmlVd3Ar
+            UUN2TVZaMXBaL3d6TmRGZ1h0THhaNGsKLS0tIEFZcVRtNENMS3ZWMUxOeHlYTHlN
+            UDRIM0RYNVdsSmUyOEFDcXdhNHlXVFkKxoX+LTe+xjXh2M45V4oYcLe9lAmxYexe
+            KJ5O588VLGVi4zBpVs1l16JmWAfcfCiMVKOpdvS8vsiQDkGAO3cH4w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:57:04Z"
-    mac: ENC[AES256_GCM,data:qWDAgi9DeHnc4TfH2la54mKtkNRkO3ArfXJBxZ6D6yEk5nylMA+Fw3FBmsKuU+F1/JN7CQVHbez37jjOXDmoFUfGXunionqkaf4wYz/3duRjdm/ApTLLMAYaq1YHzp6XNF4x+1LBtp0RadK//wwhxXQHoYdui9IH2Ts5ALLjOzo=,iv:B86+ovgnit5oKxY1wgxvYBEhRmnjJiQ7GdveJAGytfA=,tag:QgVjYIvIgwXvfbTxiti1OA==,type:str]
+    lastmodified: "2026-03-12T14:08:13Z"
+    mac: ENC[AES256_GCM,data:mkgNY/EwLknddBdn0X9IZfqjmA7NpESqVDNndCKY5eA01s74Ym3sE4JF39abEAs7U7/l675qsF6ew7Cv0OLCArzYDRlN7vYcBqTsnuUOovxi6utAk6VfzYhH8XQpM3CuV6FlUbSoVovUl09O26kB9yDHe1uTOGVa3Kqk/XsKKoc=,iv:BdqsABAeOBAfTvb0q3KQ5ek3UOgu9oh5GQtsu0s1lEc=,tag:Ux1SmPWs7y1/gKx2vVthiA==,type:str]
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
    version: 3.12.1