feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow

infra/argo-rollouts/config.yaml

@@ -0,0 +1,13 @@
+{
+  "name": "argo-rollouts",
+  "namespace": "argo-rollouts",
+  "step": "2",
+  "source": {
+    "repoURL": "https://argoproj.github.io/argo-helm",
+    "chart": "argo-rollouts",
+    "targetRevision": 2.40.6
+  },
+  "helm": {
+    "values": "dashboard:\n  enabled: true\n"
+  }
+}

infra/cert-manager/config.yaml

@@ -0,0 +1,13 @@
+{
+  "name": "cert-manager",
+  "namespace": "cert-manager",
+  "step": "1",
+  "source": {
+    "repoURL": "https://charts.jetstack.io",
+    "chart": "cert-manager",
+    "targetRevision": v1.19.4
+  },
+  "helm": {
+    "values": "crds:\n  enabled: true\n"
+  }
+}

infra/gitea-custom/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "gitea-custom",
+  "namespace": "gitea",
+  "step": "6",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "infra/gitea-custom/manifests",
+    "targetRevision": "main"
+  }
+}

infra/gitea-custom/manifests/disable-cache.yaml

@@ -0,0 +1,16 @@
+# Override Gitea cache/session to use memory (no redis/valkey)
+# Mount this ConfigMap as /data/gitea/conf/app.ini override
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-disable-cache
+  namespace: gitea
+data:
+  _10-cache.ini: |
+    [cache]
+    ENABLED = false
+    ADAPTER = memory
+    INTERVAL = 0
+
+    [session]
+    PROVIDER = memory

infra/gitea/config.yaml

@@ -0,0 +1,13 @@
+{
+  "name": "gitea",
+  "namespace": "gitea",
+  "step": "4",
+  "source": {
+    "repoURL": "https://dl.gitea.com/charts",
+    "chart": "gitea",
+    "targetRevision": "12.5.0"
+  },
+  "helm": {
+    "values": "gitea:\n  admin:\n    existingSecret: gitea-admin\n  config:\n    server:\n      ROOT_URL: \"https://gitea.k3s.e2e.local\"\n      DOMAIN: \"k3s.e2e.local\"\n      SSH_DOMAIN: \"gitea.k3s.e2e.local\"\n      SSH_PORT: 2222\n    service:\n      DISABLE_REGISTRATION: false\n    actions:\n      ENABLED: \"true\"\n    cache:\n      ENABLED: false\n      ADAPTER: memory\n    session:\n      PROVIDER: memory\n\ningress:\n  enabled: false\n\npostgresql:\n  enabled: true\n  image:\n    repository: bitnamilegacy/postgresql\n    tag: \"17\"\n\npostgresql-ha:\n  enabled: false\n\nmemcached:\n  enabled: false\n\nredis-cluster:\n  enabled: false\n\nredis:\n  enabled: false\n\nvalkey-cluster:\n  enabled: false\n\nimage:\n  rootless: false\n"
+  }
+}

infra/gitea/values/secret-values.dev.enc.yaml

@@ -0,0 +1,27 @@
+# Gitea secrets for dev/test cluster
+admin-password: ENC[AES256_GCM,data:Nh7IDhZbJxOYjat8JhRoWtQ=,iv:mDtUOdjiKxvTTKaWNQ6bUQ2rCbV9Ule25IN5AVBTrp0=,tag:FxMWUvu82HusjtPBmEtwcA==,type:str]
+db-password: ENC[AES256_GCM,data:qRZjNRGr/oJVzYTz6Kv0sZ7Sbns=,iv:V03c8IrsLZzJck5ZqrXS46LydbGPtLBwkjjGQI0zkv4=,tag:pxDpAbekwwOw9yiqMwl2QA==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWFvNXF3QXpnbjFsbHhn
+            dmdnRmRwWnpkUVlRSHlEZXdXT2FoeVVVejFNCkZ0UGp5YWZ2TThEUnZPOVNqVjJR
+            S0lXSGxSSFF3ZWhUM2NMWW9MZUszZnMKLS0tIEowWHo5SUFMMDFNY1lWY3NuNnJN
+            OERJZklLT1RnSDc4VjdaQ0F3cVRTaGsKYIfYSv4In5YiGs2/KWX1oPqOoiUxwVUl
+            jROG2UecsSjhKq6XdX+KVYmcSKhy1ljPjHaL+t3MmSNE6+jJpMpDvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNzZSWE1NcTR1blQ5TWxH
+            N0k2YWNOdTA4WHZXQ3VlTHpWNVNuRm53S3dzCnZOR0gyWTVzams4SjdCZVpSMjdL
+            S2dqZTcvb3VtVE9JUWVlVU1QL1NaZ3MKLS0tIHdUZldWZWdIZ01VUWxLeEJDNmY0
+            aEV2U1JMaTFYRldjc1kwNHczd3gvM1kKEytPjCdNTG+8SFnQxh50XKfjAxa1xn0t
+            D3dj6yMfIfkgnp84pI9PY5hBweHrEcdeUwhPrkNY8dRuiShv4o4xTQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:57:04Z"
+    mac: ENC[AES256_GCM,data:LKIihGyIcUImsmRWgPhWQRBeaFiXdWgaMwlif+FPNdmy/LSRlwIqIN8KzwuMu1zAlNvl1SVOVZL7SgRe9rZHax5pIn+Qrb5B+cuFPZTyvl24VBlJ+l29x182CKhRnT1RDDA9D7do+y8bG+rjyJ6u5d/yYcMAYIH9+I4fS4uERQw=,iv:23M4i1uCpQzfWZIp2c4gGThOCGotS3eajdjItlAwh2Y=,tag:MoD7LbWCu5EGxPeliRDinQ==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

infra/gitea/values/secret-values.prod.enc.yaml

@@ -0,0 +1,27 @@
+# Gitea secrets for prod cluster
+admin-password: ENC[AES256_GCM,data:4pXdFHPAXo9fnyEmAqDygucpGrOy,iv:Qa/fQvRoU8TXMlkSjlomwzOn0v1M/PJ606HZI+inRcQ=,tag:/fKGATm+rUSCUH+os12qlQ==,type:str]
+db-password: ENC[AES256_GCM,data:lw3I+smG/1DaMFd2V98D7ENu6MB0g+e81A==,iv:DZmS4R2buArXMkO/Cjtp9gN9AqpTaVHs7NfqQFqciWY=,tag:OA9kzug/Mel6+GDlnYU/jA==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCd2VUaHhQc0h4bmYwdmFy
+            WVJLS2dURWZnOUtCKzRoajB2RVI5U1ROOEVvCnV2VmxFTkhPNlErOE5SZzUyT0c1
+            VitrWFlJVUt5N2plMitWVjZPUHBmYU0KLS0tIFJVUnBBZjl6cWlRYUNiZSs1V0Q2
+            b1NBVnZydDVlY09LeHNpbkdsTzRNNmcKO9GFvLHIWTh/Aseuo3Z8FE47dE92MxJ6
+            p5OCsZRw+bpQfURStiyckaoMW8Of716uDIS3v1JaW8u4xm3e+lZXGg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUZjdlk4MU4yWGNPOEs4
+            ZkplUzlyV1lmQUxidHk3aDFhU1NOeElxeVU4CngxWS8vOTdUbEVNM2thMWgxNGRo
+            ZUlYdjVPTXFJWGtNWEJEa2V1dGhqSTgKLS0tIEI2V1hrWUVnRnovblhVQ2ROSENE
+            dXhwWXJJbnVBaFpraXJURERMR1lkUjQKFzaekfQFqg2cVT5gks4fXX26GtZu+M1F
+            g+pzNxpFVlzdrXiWrzjePshTVblVsxV8fKpUVoLYwwLOSILRzF3uwg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:57:04Z"
+    mac: ENC[AES256_GCM,data:qWDAgi9DeHnc4TfH2la54mKtkNRkO3ArfXJBxZ6D6yEk5nylMA+Fw3FBmsKuU+F1/JN7CQVHbez37jjOXDmoFUfGXunionqkaf4wYz/3duRjdm/ApTLLMAYaq1YHzp6XNF4x+1LBtp0RadK//wwhxXQHoYdui9IH2Ts5ALLjOzo=,iv:B86+ovgnit5oKxY1wgxvYBEhRmnjJiQ7GdveJAGytfA=,tag:QgVjYIvIgwXvfbTxiti1OA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

infra/kargo-ci-pipeline/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "kargo-ci-pipeline",
+  "namespace": "ci",
+  "step": "5",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "kargo/ci",
+    "targetRevision": "main"
+  }
+}

infra/kargo-credentials/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "kargo-credentials",
+  "namespace": "default",
+  "step": "5",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "kargo/credentials",
+    "targetRevision": "main"
+  }
+}

infra/kargo-infra-pipeline/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "kargo-infra-pipeline",
+  "namespace": "infra",
+  "step": "5",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "kargo/infra",
+    "targetRevision": "main"
+  }
+}

infra/kargo-test-env-pipeline/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "kargo-test-env-pipeline",
+  "namespace": "test-env",
+  "step": "5",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "kargo/test-env",
+    "targetRevision": "main"
+  }
+}

infra/kargo/config.yaml

@@ -0,0 +1,14 @@
+{
+    "name": "kargo",
+    "namespace": "kargo",
+    "step": "4",
+    "syncOptions": ["Replace=true"],
+    "source": {
+        "repoURL": "ghcr.io/akuity/kargo-charts",
+        "chart": "kargo",
+        "targetRevision": "1.9.5"
+    },
+    "helm": {
+        "values": "api:\n  service:\n    type: ClusterIP\n  adminAccount:\n    enabled: true\n    passwordHash: \"$2b$10$jk2IIBCWP.5mEzp30J0kkO1CyCXEBvCWzaPsUGVfsusvH0M2kl2aS\"\n    tokenSigningKey: \"d76a6d38c725db844e799224ae2d0a2d38c0d31f5ca510aac44abc87c973b6e3\"\ncontroller:\n  argocd:\n    integrationEnabled: true\n    namespace: argocd\n"
+    }
+}

infra/kargo/values/secret-values.dev.enc.yaml

@@ -0,0 +1,27 @@
+# Kargo secrets for dev/test cluster
+passwordHash: ENC[AES256_GCM,data:qmQr8l5EK92BZyadoAU0+hrOS2N8evnmxroL13GhQbD9idHKhHwkSt6fn1OgYyu+CtnJ6BxeyDyJCNbN,iv:4tnO8HczTo4GO+NFFQK6JRsOYXkS3wFiJfwYrCmot0M=,tag:LTeO8xl31f4+oLy/FDEyIQ==,type:str]
+tokenSigningKey: ENC[AES256_GCM,data:Plf3vK+DJYmFsvS1cHTKtPvsvCC17i2/0lAEnG65CZVcrtux3+BiMY7rukLfW7uw/hQ+6JLB1PS4EWIGMNx/xw==,iv:54mdXGpgJ3f1dkeTyfZbfSoufJE89MUYIQpEz6jUt0E=,tag:KqK4shNvrQ7Dbu0+uYqjPw==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVHNjbmJ2K3ljSHNmdEpE
+            RzdrL1o5ZXhxQXl0N0ptWk5JWjlCYnVtTXdZCkRWUDl5RkkzYXFBbjRpMmdnY254
+            YWhPeEw0MzF6K2VoTEI1R09PV0szQlkKLS0tIG42S0h4VUtsaWN0WTI0V1piYTU5
+            MUYvbzVyWUVRZHRYd21MY2dWMzVBTE0KJ0cSonX/lD3PBjz3BFFPkea+XDDPqGAF
+            gd20j8xOjyV1nu6Dg1qq80ZN3E0rotXnTK5zu/AyW4wcByUTG465Hw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUmlEM1Z4NDRZaU9LSFF3
+            SjZnM0R6U0NlYWtkbGFMdGRXbW9YRjBIeVVjCk9nV05aZk04L0xvUnk4c3hRczZV
+            ZEY4dmI0NndjWHEvSDJ6OTUrS3owM3cKLS0tIFFhWUk5Qy9GMGNrWGM2WnY4SWNm
+            UVVUcktPakNYeWVxakp2RjQweG41MVEKoHKCkhsn29s4JuRCfBqoF78/UcShnCAx
+            sGnz9zTnE+LSVMbknG1+Y3kFdRNXesLFZfyyk3W2atjp7Tw9rGYWTw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:57:04Z"
+    mac: ENC[AES256_GCM,data:E4jKWJsO9bEMzEjmp+XhBx45heXB7W5op11YyC2TV2KA0PNfAa7eZXIAZ7PVjVIfhbmODv3pd3KG4mY7lJ9I1ly6VfFGl4wMtXZkQlVt5+2DF6GyLGGfjKftRcGni4xP2J4wfzZGiIiQ2G8IUfmGy8Wpegw9lo6/UvES1w1kies=,iv:6fwg2NNoZnKq9jiFHLRQ6FZXrx9OzFEnxWU1VwEVoj0=,tag:CiJAekk+4dp/pyWkqXJKVw==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

infra/kargo/values/secret-values.prod.enc.yaml

@@ -0,0 +1,27 @@
+# Kargo secrets for prod cluster
+passwordHash: ENC[AES256_GCM,data:iYRGwF7yug4fy4q70CoWMJCAIwd5nszzTqXHXe88zGRRYw6YtvAszCpGcecRRFhCwIfycTnciXfN,iv:CwerCu5GfMhpTpeqQ2QmMBMwxf7t2L12PUM4yCT4yIE=,tag:XNhTKS0d6T0VhK6E9BDn1w==,type:str]
+tokenSigningKey: ENC[AES256_GCM,data:+05VkEeKatxayA1wK0a19fE6PFc3utOHvvT3Z+4KwfUBI778n5X9rMwSQQSFsbQyduPLITGf5VYKGaC5z3okAQ==,iv:uuS6oHdCLrvh6H38sfYzXTsrZ1lw5CJxjNN/0jchV9Q=,tag:iVuTqL2zew18OMeFwnGqrQ==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYytrSWhtUWtEQUpQVEhh
+            S1RvN2N3ZFcvaFVmdU5KQ2pYTitPMUJJQTNFCml4YWMzRWdiZHAxRUoycHRmTU1L
+            RUhDOEJzSThIVDV0Y1RSQWczeEVXU0UKLS0tIHgwM0k3R2k1V1h5U2tWajdnMElj
+            SUdhZzh1S3Y3cktwTUJzQk5Lc3BjeTAK4LOXLhfyd4NMWsuUm0/Bjxq+9ni6wntw
+            6u2UgYliecKNw4IX+2Ukhp/z4jGlVEayAE8QrfCj7RjBATPUYncPEw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bittd3daOE9jWUJKeHB4
+            R2k4Q3lNSzNkTDA0RTZlL1JrSFNMalRhWEVVCjNYSDVZU3kvRHlqZTRaOGRkZDJI
+            RUJiM2RMY0tFU2QvT25tQlFtK1l1NTgKLS0tIGJDYzhFelR1TkpNL2JmMGJ4YXd2
+            SGNGTGhGWGovbUJHMHh0QWhIWlhBdVUKAKxeFgOPJRaTl5z0bydzd1nr5SDmqfMx
+            7n/OjVadcCg4PLd54eMpgiJ7ts4UeaAK+RxdHtI9Y7jP1ConLffoAg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:57:04Z"
+    mac: ENC[AES256_GCM,data:Mp01K4uHW7ZFXzURs8nzkfwe6d7xgiOds12/VN1I5qB5OoC3afM1pZRQ7/mM0lTyueVt9hTh4B76zAFp6rB+/ombjJ5JPnwyEayAklovy7R6BFC1podhb78npC2u7K5P7DIFI54nJqj1XfFt4eIMQjkR6AnFeT1pqzquF7SVnLQ=,iv:VesrzDd09vugtzAYjB/oyHm99Dmm8dlDgP0NITvd4Rs=,tag:5z5zBC/7ulnqTRz9UXyrhw==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1

infra/traefik-routes/config.yaml

@@ -0,0 +1,10 @@
+{
+  "name": "traefik-routes",
+  "namespace": "kube-system",
+  "step": "3",
+  "source": {
+    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
+    "path": "infra/traefik-routes/manifests",
+    "targetRevision": "main"
+  }
+}

infra/traefik-routes/manifests/gitea-ingress.yaml

@@ -0,0 +1,41 @@
+# Gitea HTTPS IngressRoute via Traefik
+# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-https
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+        - name: gitea-buffer-timeout
+          namespace: gitea
+      services:
+        - name: gitea-http
+          port: 3000
+  tls: {}
+---
+# HTTP → HTTPS redirect for Gitea
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-http-redirect
+  namespace: gitea
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: kube-system
+      services:
+        - name: gitea-http
+          port: 3000

infra/traefik-routes/manifests/gitea-ssh.yaml

@@ -0,0 +1,14 @@
+# Gitea SSH access via Traefik TCP routing (port 2222)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  entryPoints:
+    - ssh
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 22

infra/traefik-routes/manifests/kargo-ingress.yaml

@@ -0,0 +1,21 @@
+# Kargo dashboard HTTPS IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kargo-https
+  namespace: kargo
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`kargo.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: kargo-tls-middleware
+          namespace: kargo
+      services:
+        - name: kargo-api
+          port: 443
+          scheme: https
+          serversTransport: kargo-skip-verify
+  tls: {}

infra/traefik-routes/manifests/kargo-transport.yaml

@@ -0,0 +1,8 @@
+# ServersTransport to skip TLS verification for Kargo backend (self-signed cert)
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kargo-skip-verify
+  namespace: kargo
+spec:
+  insecureSkipVerify: true

infra/traefik-routes/manifests/middlewares.yaml

@@ -0,0 +1,57 @@
+# HTTP → HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: kube-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+# Forward X-Forwarded-Proto header for backends behind TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: sslheader
+  namespace: kube-system
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+---
+# Gitea: buffer large requests (git push) + timeout for CI builds
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: gitea-buffer-timeout
+  namespace: gitea
+spec:
+  buffering:
+    maxRequestBodyBytes: 0
+    maxResponseBodyBytes: 0
+    memRequestBodyBytes: 20971520
+    memResponseBodyBytes: 20971520
+    retryExpression: "IsNetworkError()"
+---
+# ArgoCD: X-Forwarded-Proto for TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: argocd-tls-middleware
+  namespace: argocd
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+---
+# Kargo: X-Forwarded-Proto for TLS termination
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: kargo-tls-middleware
+  namespace: kargo
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"

infra/traefik-routes/manifests/namespaces.yaml

@@ -0,0 +1,14 @@
+# Ensure namespaces exist for cross-namespace middleware references
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
+  labels:
+    name: gitea
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kargo
+  labels:
+    name: kargo

infra/traefik-routes/manifests/tls-store.yaml

@@ -0,0 +1,10 @@
+# Default TLS store — uses wildcard-tls from kube-system as default cert.
+# All IngressRoutes with tls: {} will use this certificate.
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: kube-system
+spec:
+  defaultCertificate:
+    secretName: wildcard-tls

infra/traefik-routes/manifests/traefik-dashboard.yaml

@@ -0,0 +1,19 @@
+# Traefik Dashboard IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`traefik.k3s\..+\.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls: {}