feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod) - infra/gitea/values/*.enc.yaml — per-env encrypted Helm values - infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets - kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops) - infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops - All repoURLs point to deploy-app-kargo-private Structure from deploy-app-kargo (reference), adapted for SOPS workflow
2026-03-11 10:01:26 +03:00
parent 720748be50
commit 4dd68859d8
60 changed files with 1444 additions and 1 deletions
--- a/kargo/ci/kustomization.yaml
+++ b/kargo/ci/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - project.yaml
+  - warehouse.yaml
+  - stages/dev.yaml
+  - stages/prod.yaml
+  - verification/runner-health.yaml
--- a/kargo/ci/namespace.yaml
+++ b/kargo/ci/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ci
+  labels:
+    kargo.akuity.io/project: "true"
--- a/kargo/ci/project.yaml
+++ b/kargo/ci/project.yaml
@@ -0,0 +1,16 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Project
+metadata:
+  name: ci
+---
+apiVersion: kargo.akuity.io/v1alpha1
+kind: ProjectConfig
+metadata:
+  name: ci
+  namespace: ci
+spec:
+  promotionPolicies:
+    - stageSelector: { name: dev }
+      autoPromotionEnabled: true
+    - stageSelector: { name: prod }
+      autoPromotionEnabled: true
--- a/kargo/ci/stages/dev.yaml
+++ b/kargo/ci/stages/dev.yaml
@@ -0,0 +1,54 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Stage
+metadata:
+  name: dev
+  namespace: ci
+spec:
+  requestedFreight:
+    - origin:
+        kind: Warehouse
+        name: ci-images
+      sources:
+        direct: true
+  promotionTemplate:
+    spec:
+      vars:
+        - name: gitopsRepo
+          value: https://github.com/Kargones/deploy-app-kargo-private.git
+        - name: targetBranch
+          value: ci/stage/${{ ctx.stage }}
+      steps:
+        - uses: git-clone
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            checkout:
+              - branch: main
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: copy
+          config:
+            inPath: ./src/ci
+            outPath: ./out/ci
+        - uses: yaml-update
+          config:
+            path: ./out/ci/gitea-runner/manifests/runner.yaml
+            updates:
+              - key: spec.template.spec.containers.0.image
+                value: gitea/act_runner:${{ imageFrom("gitea/act_runner").Tag }}
+        - uses: git-commit
+          as: commit
+          config:
+            path: ./out
+            message: "promote(ci/${{ ctx.stage }}): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
+        - uses: git-push
+          config:
+            path: ./out
+            targetBranch: ${{ vars.targetBranch }}
+  verification:
+    analysisTemplates:
+      - name: runner-health
--- a/kargo/ci/stages/prod.yaml
+++ b/kargo/ci/stages/prod.yaml
@@ -0,0 +1,64 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Stage
+metadata:
+  name: prod
+  namespace: ci
+spec:
+  requestedFreight:
+    - origin:
+        kind: Warehouse
+        name: ci-images
+      sources:
+        stages:
+          - dev
+  promotionTemplate:
+    spec:
+      vars:
+        - name: gitopsRepo
+          value: https://github.com/Kargones/deploy-app-kargo-private.git
+        - name: sourceBranch
+          value: ci/stage/dev
+        - name: targetBranch
+          value: ci/stage/prod
+      steps:
+        - uses: git-clone
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            checkout:
+              - branch: ${{ vars.sourceBranch }}
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: copy
+          config:
+            inPath: ./src/ci
+            outPath: ./out/ci
+        - uses: git-commit
+          as: commit
+          config:
+            path: ./out
+            message: "promote(ci/prod): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
+        - uses: git-push
+          as: push
+          config:
+            path: ./out
+            generateTargetBranch: true
+        - uses: git-open-pr
+          as: open-pr
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            sourceBranch: ${{ outputs.push.branch }}
+            targetBranch: ${{ vars.targetBranch }}
+            createTargetBranch: true
+            title: "promote(ci/prod): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
+            description: |
+              ## Kargo Promotion — CI
+              **Image:** gitea/act_runner:${{ imageFrom("gitea/act_runner").Tag }}
+        - uses: git-wait-for-pr
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            prNumber: ${{ outputs['open-pr'].pr.id }}
--- a/kargo/ci/verification/runner-health.yaml
+++ b/kargo/ci/verification/runner-health.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: runner-health
+  namespace: ci
+spec:
+  metrics:
+    - name: runner-deployment-exists
+      provider:
+        job:
+          spec:
+            backoffLimit: 0
+            template:
+              spec:
+                serviceAccountName: kargo-verifier
+                restartPolicy: Never
+                containers:
+                  - name: check
+                    image: alpine/k8s:1.35.1
+                    command: ["/bin/sh", "-c"]
+                    args:
+                      - |
+                        echo "Checking gitea-runner deployment..."
+                        kubectl get deployment gitea-runner -n gitea-runner -o jsonpath='{.metadata.name}' && echo " exists" || exit 1
+                        echo "Runner health check passed"
--- a/kargo/ci/warehouse.yaml
+++ b/kargo/ci/warehouse.yaml
@@ -0,0 +1,11 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Warehouse
+metadata:
+  name: ci-images
+  namespace: ci
+spec:
+  subscriptions:
+    - image:
+        repoURL: gitea/act_runner
+        semverConstraint: ">=0.2.0"
+        discoveryLimit: 5
--- a/kargo/credentials/git-creds-ci.dev.enc.yaml
+++ b/kargo/credentials/git-creds-ci.dev.enc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: ci
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:m9CZFhTHwaX6TrpGtbAynbI7eiprSrhCVVtST6fWiduFP55/EWtx1Q==,iv:iAjeVVakD8SZWhaEBu7JVR1YL2UGzYNBoy1W13M+Jwg=,tag:ABSswqyDhJG8+zlu8dWrgg==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOWI4eWZxOERjRHVhV1VI
+            MVE3WDErejZrNzBaRnVHK280dXI4WThxR2tvCmVzbE1HR1MzcEgybm8vUVVSOWJY
+            VlVvREl4NVRDRElHVHk5aWpnVkVhNW8KLS0tIG5FOXRwRy8xakFvaVlBTXF5OXJJ
+            aHFlbWh0Ym1NWEswbFM5N01JRGtGMUUKyjiN+bK0+6PLc/LG/dozgrAhB4PLcZmV
+            JVtxrSZWV6RQOuvc/HUw2yhO3dJldYqWauX+7ZOy2o1JACdPe9ixdQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWU9JLzdwbDI1SDJ3MnlE
+            YnlRQkdzWExpa1FGNjArSHFCamc2bWJnbjBBCnlkQlVEQVNDTXMvZ3NWRzhyT2lM
+            R0FpVUdleUVUcVVrTnRxQjVnSFo3S2cKLS0tIG1MZ0hYdGJpdTJ3WWU3MU1WeWFr
+            cklvSldLdW5ERDF1aW95dDlxOUtGbDAK7uoTP8idcEM8rQ7rRashsbzc9f4S7qI9
+            Bl87wLgMAFYfFO41cwSqhMY+gr7HRkDQq65CWo8HpQjMMlneC72jVQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:OYJAnGhgB0sOC2KEgse7ZYMkrvrRNsMWqVQZM29VbhPbvp3s3GMmJPROPydsjvm6OE4EIi0C6ry2h9pGoRY5IApw6+tSXVmrlr3oQIjkGqimJVdJ0oBSwEYtZ6gNKpsn1I7ZthXCHBfZmmESkYiTJj8ogdXxNLIqydIuITengpI=,iv:IpBxWcDeGUD9ucIAVjY3Ojc0wd63nWDPDIcH8OtvJY8=,tag:yDZ8d9E9dufB/iGTk71t2Q==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1
--- a/kargo/credentials/git-creds-ci.prod.enc.yaml
+++ b/kargo/credentials/git-creds-ci.prod.enc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: ci
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:OHHKJ82Bh3UtuWJwtIr4dNnMDxweZEs/bHQQ7buy+zQM99f1SC4zEA==,iv:kn2P/KO5QKYhNxWKcbphmEmeJayWz/xA3NbfSq3T8K4=,tag:EzwiJHrK36SqRgISnzYmmw==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnREI0NnE1Z0Z6ZE1HWG4x
+            aHhZeDBIYmNJNjZJbVNJR2Myb3Zyb092cW1NCkt0T3Rwamx0S1dudE1rM1ZCTDZv
+            ZDlJTmh5YjdUT3k1YlZlM2FOdzgrc3MKLS0tIFhNeFdrNkRBelZRUldqenhBVFAx
+            dHF0cUFmNXRHS3RkeTVVQzhIVTBXdm8K6c/K14oe/bPkaFCJi/OpoLj3q8RE20Hn
+            /1yeNCfRNkAPyOYQae6XgPI2xL5H+PfhMzRWYa6ebI/Pefl3n4WeSA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdFhPTWRZUEllR01sQzBM
+            RTQvbzM5ZnoyaEtHS21hS1BCWjJFNkZDZml3ClBPZHgvU2lCTHRwL01JUFRpY3pI
+            RTcvNkNZNXkwYkRVQzBWNVRuSllPcTAKLS0tIDMwTlFkcXR1QmNBNDVwQXdPUzR0
+            UlBIbE83UXEzcmVNWXhyOWRXUit4REUKxJQwLz/w4BGMW6OggbaG0kDv0CWIUQi6
+            H1gWD4HKT1JM8rI9GrBJRijmQhJvfn+s3PcRnimVa8sFUXJwR8ffrA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:0sm3v9oBiyy+3/es2piC9O3505QyaiylQSy7/7IkOYHcLQi5T0R6pXV+LlTMrJgxbvQg5PjyFxtGDF/MS9VM7iimDwJzAwC+Jv9Z9senKG6DwenUl8B/hHtXoWHGIxKrzR+0nnh756u+ftDTR5u7PDdd03UIn+n6fhpZ3tRB1q8=,iv:T3KPpdXz+8Bq0TBlIPR3+tFWHEBsE515rBWWDyM0VGM=,tag:+aBXzSUykrdazF6lXGNwHQ==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1
--- a/kargo/credentials/git-creds-infra.dev.enc.yaml
+++ b/kargo/credentials/git-creds-infra.dev.enc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: infra
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:lzaZLTkmA68DadpquacJNc6CMxwv3wOlWh6Ze8e23F9lzFKw3oB5gg==,iv:9EZUg6DSUFnNddOaiB2oIfNYhaOKKkrP9Hkf+5OGcLk=,tag:rr6ej2x87mquQbXiBM7+Ow==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCeGdkaVJiNWE0Q0xWbTVT
+            dkZDN296VXJUMktMVUZ2U3FyeUwvVzBSaWc0CmRlWFpLdTlCNXl3eEtKcDRrUzhV
+            SG9KdkhlSTg0SnZwK3BvS0hkT3FjbjgKLS0tIDA2Y1lic053ejR0UWZUekZ1Y1JK
+            c2llUmhKNTRjaW1zQ3AyZzUvR1VRUG8KuFXq5pbpEEZd3P/E5bD0FCuSOIuGCsJL
+            bUx6VucI1zZF0DbXjzr28FsxqSJW4GiCpDscj1LGQIZa5jvj8aWMXA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRlh5SXdkTmZOVUdXc21N
+            aXNZaDhydXA3dUU4OHlidmViM2xUQU5rNDF3Ck9iditWSWcyaWoxNTVTRzN5Y0ZU
+            c21BT2R6U2lxNkh6cU9kdjFSRUVjUWsKLS0tIHBwWGI1R2p0TTg1amFRM2FlYVQx
+            Q2lIZDJ0ZkliWEtiVGd5eXIxMjB1OGMKeK2iTyPBrcIWByU9QXZ3Ora7gylwC66g
+            diGbcUF5ER7mUt0KEILTwuMkTUbhy1F5zLYB7p4e49YdY2O8mz51SA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:dzyW+dAsjPDrZQ3EWNnhLWfd9DSmRVSp1Qrm+nx4qFfsRoS5y61jnkhVyupq2OUVsuUTuePIAqmZQI16HD0TTMJIN9UKPdW2sEj/DGwdBXqcJRs6mvJlv79Jh2VlzJdJSpZf/YhCBVIVThZqrWBI1T1jPdN1gaJ0ov6cSAqYjPU=,iv:MMhdUthu2nUFJOkxXz00xXMiH7tit7sNejU/aXuQOmY=,tag:+NSHR9T4wlpJaBH5ZdxhvA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1
--- a/kargo/credentials/git-creds-infra.prod.enc.yaml
+++ b/kargo/credentials/git-creds-infra.prod.enc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: infra
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:2ucqkKTdxBlW2GCRmr4ZqrZZS2KuIcUCkhyF6/dIy0jGiUTM1iQIiQ==,iv:gTnztDCoZX9rfK6cnnoOOs6WD8mmw6tWr2z9JUkj+sA=,tag:I5OgSmjtAbnXxyhCe7y3GA==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RVRoa2ZTT2llSitDYlRn
+            RU1RRkVNdnFFZWpMU0ZoU2Q0bGRKVFViZEc4CkdaalppTll1Q0c4T29aYks2a3Nq
+            azBaMWtJL3hyQlFVMFpUTjcrQ3BkU0kKLS0tIC80azJYWnhGZHpwK0lWa1FrS1d4
+            WlFjQk9WZVdoSnhnT1lROFZzUWMxb00KJ6i6Vap1FCYYUcTiNh5dyHbSeyXthtdf
+            iQcMjvZlOgKuHVPmaiXv8Mh+AHNl0RgWN2nNEoa1NPhriGU36ZmVWA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMUx5UkNBZHlZdVhlaXV3
+            OVNXTitPd2lQQXFoanNjb014ODB3ZUVLRHlvCmdBbkpmaXkzSXZxRFdPZEVubVJC
+            NHpyUDVkVjV5QXRPbnBHNkZhclMzc1UKLS0tIGtWcHZGMEorbFNEeStmSW80WE9N
+            RjRLYkhHMmd6UTNUSkxCUUFvMzVkdTAKJhUHz7PDrJca3OIdXyzXzD86/7tkCSm4
+            Q6q6WbscBBMtclrO5EfbHuzUUNuejFRLjeHjvPCBb5z/i6sp6Pxyuw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:KetBMvqfuE4eSrQoKmFJ0fkHHAvxFjQJvm9b9haSODfXDUxZ7DOYlVAVrZzf7L9VYFj7iP+yQeW2cLuV0JRH9+CL6u2GuvtK5WPC82NhRK/I5dEF+x3VIFjc3amr62FEuOjPeLOiAqluPeJ3BscW/Gj6UXKrLgrPzmZZgzzBHb4=,iv:fNbOFcpkAmom0Tf7xeoDfyklWNxIhHANS3WguPtrDK4=,tag:lsbhvAgSWdp+XKPKpGU56Q==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1
--- a/kargo/credentials/git-creds-test-env.dev.enc.yaml
+++ b/kargo/credentials/git-creds-test-env.dev.enc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: test-env
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:pGwKoR6eurha3ATmL0XP01DTK3qXCxAV3SdFYmNFokKMZI+VuzZ/GQ==,iv:DKVdeBRQS+HjPkHftJZZuXf7yB+I18Ae3iK+7L+hZQ0=,tag:/K6twgUKTNrn6s1rDTAeQA==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTk5seDNiR2dRcXRRclJZ
+            UlNuRXZGd3ZMTDNsaHVrYUtnUmsyNk1IVkJFCmo0Y0pwdnlsay9qcy8rakk4ejBF
+            VHAzbmRObUFVVVpZN0JraHRlVmhhNW8KLS0tIHNXd01OUnVxclRXcE9iNFNzZS9S
+            UlQzRnlSb2F0Y0J0eVdZN1BSelRrSWcK8V99m3Hh2mOm9csGG42k4FIeFbQnkXIr
+            w3elSENAib0rFz7Uewpn1VD3yjFL7SVv33bVOEuM3KlHDtUnF6fuuQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOS05ZanNzMWRFRG5EUlNq
+            WmtLUHpHRE0rWXRuVXRLRDFiRDZSZmdEc2lnCmMrbHRxRUhIWDFkaTJlekxrckxj
+            V3ROU25aOVZGVzVUY3IwRlhwYWhBWEUKLS0tIHZCS1ZobFlqQ2NZSUt3N1VSV2l4
+            SmVWWDRhckRxek1jRFpPUnIxb0QxaDQKmkVXDqP0tjaWo/fkdqrIatV/bhyQt9vb
+            Rzz21KATjKow6VtekA3FVOVchlDsaYDLkhuLI69I1lIYqR99ovS+8w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:CDESJXzhctA4WexUb2hP6ykWkRCWUsgIYHOSmRnHUlyf6Pd8uF43Bl/+ZHWhE6SLWf3LKGMOKSU60Qkh1aSH+Z9BqaiKa3dL0MIQx4yXRe9NzS/mEki4IsuQi27AZ6BKD93tznyVKbCAzxmyP1jRhbRNIKBA2dWoQAITX1w2vvA=,iv:l8JZK3a17DfIn3llapKnUZH7SRNCte5MNPZzjtPJbxA=,tag:rEcarIr7UhsV+THixTUiKw==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1
--- a/kargo/credentials/git-creds-test-env.prod.enc.yaml
+++ b/kargo/credentials/git-creds-test-env.prod.enc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: test-env
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:YIFtzQT8BYFwj5SfRDGxd/ND6BzpFSbERF3u+TyFjCoFqQXqk4g9ew==,iv:gOwNFYoErJhEJglBP9Oed45/CFQXXHlPqid3RzScvdA=,tag:iTJfhSTKceOl5lv4YiGo4Q==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBza2JKZTlxSTZOZ1lzNllu
+            TWdoL0lKSDc0Ri9BMWs1aDhSU1VaQ1dod2dzCk5sRHdIa1B3a2RMbTViZ3lPc04y
+            OUQ4WVNRR3JrZ1lyZXJvd3lFVUYxdlEKLS0tIFRNM0dqR1RGMVZ2alprMmxRQndo
+            Y0h3RE5WaHprRDZWUnBCQURhS0tnbHMKz9/qP2w1KURlDAWVcjfUFz1kJy/ed53w
+            SpKMwvWTfYTvvZMNnz1XgxMfKXu4TKWAuP9mJ+rmcj5jIcPSGxetUA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeTd6Uk5yN2o5MDhsa0V6
+            UTZGZ29rSmFYbm5uRkg2UGNNdW13UmJ0eWxFCnZCWU5RalJEdFQ1SCtxdGQxVDhV
+            R3FsbkppRHkwbEdmYTU0dE5leEUxN2cKLS0tIDZtc3orbkhKMVVmdnpQRDVRUm9P
+            ck5QYkczblV0YndpQ0hoN3lDWDhrbUEKG5nPWrnAHFvUCsf/Zwgo22oiP1nIvXc5
+            PSo+hPCzFAjVtg7y1jO8HcwUVOgtcH/LN4NwcMF/I7VZajHRZXEQXQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-11T06:58:02Z"
+    mac: ENC[AES256_GCM,data:3/YKxY5Ai543PDiUZi767xsmgJSI+bWyBQER+ICo9jQydbef1gJ2Rp3TitnuSiD2H+l41b2tIEFp4y3IaXSD6B+8cbf+bs7YdXznJzFd/V3FKjKncQJkJdTlLDijJRsjPczEFA/syhy/i8jMORoid1SNQrk2l0XmiWx7bujTOys=,iv:Wtdf3swbTJEXQu2+JNu8mqYHWvK9DIZRLuXLoKB5n9w=,tag:jMiSS9gzmZpWXNVq3liyTA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    version: 3.12.1
--- a/kargo/credentials/ksops-generator.prod.yaml
+++ b/kargo/credentials/ksops-generator.prod.yaml
@@ -0,0 +1,14 @@
+# ksops generator for PROD cluster
+# Replace ksops-generator.yaml on infra/stage/prod branch
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: kargo-git-credentials
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - git-creds-infra.prod.enc.yaml
+  - git-creds-ci.prod.enc.yaml
+  - git-creds-test-env.prod.enc.yaml
--- a/kargo/credentials/ksops-generator.yaml
+++ b/kargo/credentials/ksops-generator.yaml
@@ -0,0 +1,20 @@
+# ksops generator: decrypts SOPS-encrypted K8s Secret manifests
+# ArgoCD repo-server must have ksops + sops + age installed
+#
+# Dev cluster uses: *.dev.enc.yaml
+# Prod cluster uses: *.prod.enc.yaml
+#
+# Which files to decrypt is controlled by the kustomization overlay
+# in the cluster-specific branch (infra/stage/dev or infra/stage/prod)
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: kargo-git-credentials
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - git-creds-infra.dev.enc.yaml
+  - git-creds-ci.dev.enc.yaml
+  - git-creds-test-env.dev.enc.yaml
--- a/kargo/credentials/kustomization.yaml
+++ b/kargo/credentials/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ksops-generator.yaml
--- a/kargo/infra/kustomization.yaml
+++ b/kargo/infra/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - project.yaml
+  - warehouse.yaml
+  - stages/dev.yaml
+  - stages/test.yaml
+  - stages/prod.yaml
+  - verification/rbac.yaml
+  - verification/dev-health-check.yaml
+  - verification/prod-health-check.yaml
--- a/kargo/infra/namespace.yaml
+++ b/kargo/infra/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra
+  labels:
+    kargo.akuity.io/project: "true"
--- a/kargo/infra/project.yaml
+++ b/kargo/infra/project.yaml
@@ -0,0 +1,18 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Project
+metadata:
+  name: infra
+---
+apiVersion: kargo.akuity.io/v1alpha1
+kind: ProjectConfig
+metadata:
+  name: infra
+  namespace: infra
+spec:
+  promotionPolicies:
+    - stageSelector: { name: dev }
+      autoPromotionEnabled: true
+    - stageSelector: { name: test }
+      autoPromotionEnabled: true
+    - stageSelector: { name: prod }
+      autoPromotionEnabled: true  # creates PR, not direct push
--- a/kargo/infra/stages/dev.yaml
+++ b/kargo/infra/stages/dev.yaml
@@ -0,0 +1,69 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Stage
+metadata:
+  name: dev
+  namespace: infra
+spec:
+  requestedFreight:
+    - origin:
+        kind: Warehouse
+        name: infra-charts
+      sources:
+        direct: true
+  promotionTemplate:
+    spec:
+      vars:
+        - name: gitopsRepo
+          value: https://github.com/Kargones/deploy-app-kargo-private.git
+        - name: targetBranch
+          value: infra/stage/${{ ctx.stage }}
+      steps:
+        - uses: git-clone
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            checkout:
+              - branch: main
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: yaml-update
+          as: update-cert-manager
+          config:
+            path: ./src/infra/cert-manager/config.yaml
+            updates:
+              - key: source.targetRevision
+                value: ${{ chartFrom("https://charts.jetstack.io", "cert-manager").Version }}
+        - uses: yaml-update
+          as: update-argo-rollouts
+          config:
+            path: ./src/infra/argo-rollouts/config.yaml
+            updates:
+              - key: source.targetRevision
+                value: ${{ chartFrom("https://argoproj.github.io/argo-helm", "argo-rollouts").Version }}
+        - uses: yaml-update
+          as: update-gitea
+          config:
+            path: ./src/infra/gitea/config.yaml
+            updates:
+              - key: source.targetRevision
+                value: ${{ chartFrom("https://dl.gitea.com/charts", "gitea").Version }}
+        - uses: copy
+          config:
+            inPath: ./src/infra
+            outPath: ./out/infra
+        - uses: git-commit
+          as: commit
+          config:
+            path: ./out
+            message: "promote(infra/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
+        - uses: git-push
+          config:
+            path: ./out
+            targetBranch: ${{ vars.targetBranch }}
+  verification:
+    analysisTemplates:
+      - name: dev-health-check
--- a/kargo/infra/stages/prod.yaml
+++ b/kargo/infra/stages/prod.yaml
@@ -0,0 +1,76 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Stage
+metadata:
+  name: prod
+  namespace: infra
+spec:
+  requestedFreight:
+    - origin:
+        kind: Warehouse
+        name: infra-charts
+      sources:
+        stages:
+          - test
+  promotionTemplate:
+    spec:
+      vars:
+        - name: gitopsRepo
+          value: https://github.com/Kargones/deploy-app-kargo-private.git
+        - name: sourceBranch
+          value: infra/stage/test
+        - name: targetBranch
+          value: infra/stage/prod
+      steps:
+        - uses: git-clone
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            checkout:
+              - branch: ${{ vars.sourceBranch }}
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: copy
+          config:
+            inPath: ./src/infra
+            outPath: ./out/infra
+        - uses: git-commit
+          as: commit
+          config:
+            path: ./out
+            message: "promote(infra/prod): freight ${{ ctx.targetFreight.name }}"
+        - uses: git-push
+          as: push
+          config:
+            path: ./out
+            generateTargetBranch: true
+        - uses: git-open-pr
+          as: open-pr
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            sourceBranch: ${{ outputs.push.branch }}
+            targetBranch: ${{ vars.targetBranch }}
+            title: "promote(infra/prod): ${{ ctx.targetFreight.name }}"
+            description: |
+              ## Kargo Promotion
+              **Freight:** ${{ ctx.targetFreight.name }}
+              **Project:** infra
+              **Stage:** prod
+
+              ## Verified in
+              - ✅ dev (pod-health)
+              - ✅ test (pod-health)
+
+              ## Review
+              Check the diff below for version changes.
+              Verify changelogs before merging.
+        - uses: git-wait-for-pr
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            prNumber: ${{ outputs['open-pr'].pr.id }}
+  verification:
+    analysisTemplates:
+      - name: prod-health-check
--- a/kargo/infra/stages/test.yaml
+++ b/kargo/infra/stages/test.yaml
@@ -0,0 +1,51 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Stage
+metadata:
+  name: test
+  namespace: infra
+spec:
+  requestedFreight:
+    - origin:
+        kind: Warehouse
+        name: infra-charts
+      sources:
+        stages:
+          - dev
+  promotionTemplate:
+    spec:
+      vars:
+        - name: gitopsRepo
+          value: https://github.com/Kargones/deploy-app-kargo-private.git
+        - name: sourceBranch
+          value: infra/stage/dev
+        - name: targetBranch
+          value: infra/stage/${{ ctx.stage }}
+      steps:
+        - uses: git-clone
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            checkout:
+              - branch: ${{ vars.sourceBranch }}
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: copy
+          config:
+            inPath: ./src/infra
+            outPath: ./out/infra
+        - uses: git-commit
+          as: commit
+          config:
+            path: ./out
+            message: "promote(infra/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
+        - uses: git-push
+          config:
+            path: ./out
+            targetBranch: ${{ vars.targetBranch }}
+  verification:
+    analysisTemplates:
+      - name: dev-health-check
--- a/kargo/infra/verification/dev-health-check.yaml
+++ b/kargo/infra/verification/dev-health-check.yaml
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: dev-health-check
+  namespace: infra
+spec:
+  metrics:
+    - name: pod-health
+      successCondition: result == "healthy"
+      provider:
+        job:
+          spec:
+            template:
+              spec:
+                serviceAccountName: kargo-verifier
+                containers:
+                  - name: check
+                    image: alpine/k8s:1.35.1
+                    command: [sh, -c]
+                    args:
+                      - |
+                        set -e
+                        echo "Checking pod health..."
+                        cm=$(kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -c Running || echo 0)
+                        echo "cert-manager running pods: $cm"
+                        ar=$(kubectl get pods -n argo-rollouts --no-headers 2>/dev/null | grep -c Running || echo 0)
+                        echo "argo-rollouts running pods: $ar"
+                        gt=$(kubectl get pods -n gitea --no-headers 2>/dev/null | grep -c Running || echo 0)
+                        echo "gitea running pods: $gt"
+                        if [ "$cm" -ge 1 ] && [ "$ar" -ge 1 ] && [ "$gt" -ge 1 ]; then
+                          echo "healthy"
+                        else
+                          echo "unhealthy"
+                          exit 1
+                        fi
+                restartPolicy: Never
+            backoffLimit: 2
--- a/kargo/infra/verification/prod-health-check.yaml
+++ b/kargo/infra/verification/prod-health-check.yaml
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: prod-health-check
+  namespace: infra
+spec:
+  metrics:
+    - name: pod-health
+      successCondition: result == "healthy"
+      provider:
+        job:
+          spec:
+            template:
+              spec:
+                serviceAccountName: kargo-verifier
+                containers:
+                  - name: check
+                    image: alpine/k8s:1.35.1
+                    command: [sh, -c]
+                    args:
+                      - |
+                        set -e
+                        echo "Checking pod health..."
+                        cm=$(kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -c Running || echo 0)
+                        echo "cert-manager running pods: $cm"
+                        ar=$(kubectl get pods -n argo-rollouts --no-headers 2>/dev/null | grep -c Running || echo 0)
+                        echo "argo-rollouts running pods: $ar"
+                        gt=$(kubectl get pods -n gitea --no-headers 2>/dev/null | grep -c Running || echo 0)
+                        echo "gitea running pods: $gt"
+                        if [ "$cm" -ge 1 ] && [ "$ar" -ge 1 ] && [ "$gt" -ge 1 ]; then
+                          echo "healthy"
+                        else
+                          echo "unhealthy"
+                          exit 1
+                        fi
+                restartPolicy: Never
+            backoffLimit: 2
--- a/kargo/infra/verification/rbac.yaml
+++ b/kargo/infra/verification/rbac.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kargo-verifier
+  namespace: infra
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kargo-verifier-infra
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kargo-verifier-infra
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kargo-verifier-infra
+subjects:
+  - kind: ServiceAccount
+    name: kargo-verifier
+    namespace: infra
--- a/kargo/infra/warehouse.yaml
+++ b/kargo/infra/warehouse.yaml
@@ -0,0 +1,22 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Warehouse
+metadata:
+  name: infra-charts
+  namespace: infra
+spec:
+  subscriptions:
+    - chart:
+        repoURL: https://charts.jetstack.io
+        name: cert-manager
+        semverConstraint: ">=1.17.0"
+        discoveryLimit: 5
+    - chart:
+        repoURL: https://argoproj.github.io/argo-helm
+        name: argo-rollouts
+        semverConstraint: ">=2.39.0"
+        discoveryLimit: 5
+    - chart:
+        repoURL: https://dl.gitea.com/charts
+        name: gitea
+        semverConstraint: ">=10.6.0"
+        discoveryLimit: 5
--- a/kargo/test-env/kustomization.yaml
+++ b/kargo/test-env/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - project.yaml
+  - warehouse.yaml
+  - stages/dev.yaml
--- a/kargo/test-env/namespace.yaml
+++ b/kargo/test-env/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-env
+  labels:
+    kargo.akuity.io/project: "true"
--- a/kargo/test-env/project.yaml
+++ b/kargo/test-env/project.yaml
@@ -0,0 +1,14 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Project
+metadata:
+  name: test-env
+---
+apiVersion: kargo.akuity.io/v1alpha1
+kind: ProjectConfig
+metadata:
+  name: test-env
+  namespace: test-env
+spec:
+  promotionPolicies:
+    - stageSelector: { name: dev }
+      autoPromotionEnabled: true
--- a/kargo/test-env/stages/dev.yaml
+++ b/kargo/test-env/stages/dev.yaml
@@ -0,0 +1,45 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Stage
+metadata:
+  name: dev
+  namespace: test-env
+spec:
+  requestedFreight:
+    - origin:
+        kind: Warehouse
+        name: test-env-images
+      sources:
+        direct: true
+  promotionTemplate:
+    spec:
+      vars:
+        - name: gitopsRepo
+          value: https://github.com/Kargones/deploy-app-kargo-private.git
+        - name: targetBranch
+          value: test-env/stage/${{ ctx.stage }}
+      steps:
+        - uses: git-clone
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            checkout:
+              - branch: main
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: copy
+          config:
+            inPath: ./src/test-env
+            outPath: ./out/test-env
+        - uses: git-commit
+          as: commit
+          config:
+            path: ./out
+            message: "promote(test-env/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
+        - uses: git-push
+          config:
+            path: ./out
+            targetBranch: ${{ vars.targetBranch }}
--- a/kargo/test-env/warehouse.yaml
+++ b/kargo/test-env/warehouse.yaml
@@ -0,0 +1,8 @@
+apiVersion: kargo.akuity.io/v1alpha1
+kind: Warehouse
+metadata:
+  name: test-env-images
+  namespace: test-env
+spec:
+  subscriptions: []
+  # TODO: Add container image subscriptions for test services