gitea_admin/deploy-app-kargo-private
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: SOPS + age encrypted secrets structure

Browse Source 
- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow
This commit is contained in:
XoR
2026-03-11 10:01:26 +03:00
parent 720748be50
commit 4dd68859d8
60 changed files with 1444 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
kargo/credentials/git-creds-ci.dev.enc.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: ci
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:m9CZFhTHwaX6TrpGtbAynbI7eiprSrhCVVtST6fWiduFP55/EWtx1Q==,iv:iAjeVVakD8SZWhaEBu7JVR1YL2UGzYNBoy1W13M+Jwg=,tag:ABSswqyDhJG8+zlu8dWrgg==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOWI4eWZxOERjRHVhV1VI
MVE3WDErejZrNzBaRnVHK280dXI4WThxR2tvCmVzbE1HR1MzcEgybm8vUVVSOWJY
VlVvREl4NVRDRElHVHk5aWpnVkVhNW8KLS0tIG5FOXRwRy8xakFvaVlBTXF5OXJJ
aHFlbWh0Ym1NWEswbFM5N01JRGtGMUUKyjiN+bK0+6PLc/LG/dozgrAhB4PLcZmV
JVtxrSZWV6RQOuvc/HUw2yhO3dJldYqWauX+7ZOy2o1JACdPe9ixdQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWU9JLzdwbDI1SDJ3MnlE
YnlRQkdzWExpa1FGNjArSHFCamc2bWJnbjBBCnlkQlVEQVNDTXMvZ3NWRzhyT2lM
R0FpVUdleUVUcVVrTnRxQjVnSFo3S2cKLS0tIG1MZ0hYdGJpdTJ3WWU3MU1WeWFr
cklvSldLdW5ERDF1aW95dDlxOUtGbDAK7uoTP8idcEM8rQ7rRashsbzc9f4S7qI9
Bl87wLgMAFYfFO41cwSqhMY+gr7HRkDQq65CWo8HpQjMMlneC72jVQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:58:02Z"
mac: ENC[AES256_GCM,data:OYJAnGhgB0sOC2KEgse7ZYMkrvrRNsMWqVQZM29VbhPbvp3s3GMmJPROPydsjvm6OE4EIi0C6ry2h9pGoRY5IApw6+tSXVmrlr3oQIjkGqimJVdJ0oBSwEYtZ6gNKpsn1I7ZthXCHBfZmmESkYiTJj8ogdXxNLIqydIuITengpI=,iv:IpBxWcDeGUD9ucIAVjY3Ojc0wd63nWDPDIcH8OtvJY8=,tag:yDZ8d9E9dufB/iGTk71t2Q==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

36
kargo/credentials/git-creds-ci.prod.enc.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: ci
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:OHHKJ82Bh3UtuWJwtIr4dNnMDxweZEs/bHQQ7buy+zQM99f1SC4zEA==,iv:kn2P/KO5QKYhNxWKcbphmEmeJayWz/xA3NbfSq3T8K4=,tag:EzwiJHrK36SqRgISnzYmmw==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnREI0NnE1Z0Z6ZE1HWG4x
aHhZeDBIYmNJNjZJbVNJR2Myb3Zyb092cW1NCkt0T3Rwamx0S1dudE1rM1ZCTDZv
ZDlJTmh5YjdUT3k1YlZlM2FOdzgrc3MKLS0tIFhNeFdrNkRBelZRUldqenhBVFAx
dHF0cUFmNXRHS3RkeTVVQzhIVTBXdm8K6c/K14oe/bPkaFCJi/OpoLj3q8RE20Hn
/1yeNCfRNkAPyOYQae6XgPI2xL5H+PfhMzRWYa6ebI/Pefl3n4WeSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdFhPTWRZUEllR01sQzBM
RTQvbzM5ZnoyaEtHS21hS1BCWjJFNkZDZml3ClBPZHgvU2lCTHRwL01JUFRpY3pI
RTcvNkNZNXkwYkRVQzBWNVRuSllPcTAKLS0tIDMwTlFkcXR1QmNBNDVwQXdPUzR0
UlBIbE83UXEzcmVNWXhyOWRXUit4REUKxJQwLz/w4BGMW6OggbaG0kDv0CWIUQi6
H1gWD4HKT1JM8rI9GrBJRijmQhJvfn+s3PcRnimVa8sFUXJwR8ffrA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:58:02Z"
mac: ENC[AES256_GCM,data:0sm3v9oBiyy+3/es2piC9O3505QyaiylQSy7/7IkOYHcLQi5T0R6pXV+LlTMrJgxbvQg5PjyFxtGDF/MS9VM7iimDwJzAwC+Jv9Z9senKG6DwenUl8B/hHtXoWHGIxKrzR+0nnh756u+ftDTR5u7PDdd03UIn+n6fhpZ3tRB1q8=,iv:T3KPpdXz+8Bq0TBlIPR3+tFWHEBsE515rBWWDyM0VGM=,tag:+aBXzSUykrdazF6lXGNwHQ==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

36
kargo/credentials/git-creds-infra.dev.enc.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: infra
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:lzaZLTkmA68DadpquacJNc6CMxwv3wOlWh6Ze8e23F9lzFKw3oB5gg==,iv:9EZUg6DSUFnNddOaiB2oIfNYhaOKKkrP9Hkf+5OGcLk=,tag:rr6ej2x87mquQbXiBM7+Ow==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCeGdkaVJiNWE0Q0xWbTVT
dkZDN296VXJUMktMVUZ2U3FyeUwvVzBSaWc0CmRlWFpLdTlCNXl3eEtKcDRrUzhV
SG9KdkhlSTg0SnZwK3BvS0hkT3FjbjgKLS0tIDA2Y1lic053ejR0UWZUekZ1Y1JK
c2llUmhKNTRjaW1zQ3AyZzUvR1VRUG8KuFXq5pbpEEZd3P/E5bD0FCuSOIuGCsJL
bUx6VucI1zZF0DbXjzr28FsxqSJW4GiCpDscj1LGQIZa5jvj8aWMXA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRlh5SXdkTmZOVUdXc21N
aXNZaDhydXA3dUU4OHlidmViM2xUQU5rNDF3Ck9iditWSWcyaWoxNTVTRzN5Y0ZU
c21BT2R6U2lxNkh6cU9kdjFSRUVjUWsKLS0tIHBwWGI1R2p0TTg1amFRM2FlYVQx
Q2lIZDJ0ZkliWEtiVGd5eXIxMjB1OGMKeK2iTyPBrcIWByU9QXZ3Ora7gylwC66g
diGbcUF5ER7mUt0KEILTwuMkTUbhy1F5zLYB7p4e49YdY2O8mz51SA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:58:02Z"
mac: ENC[AES256_GCM,data:dzyW+dAsjPDrZQ3EWNnhLWfd9DSmRVSp1Qrm+nx4qFfsRoS5y61jnkhVyupq2OUVsuUTuePIAqmZQI16HD0TTMJIN9UKPdW2sEj/DGwdBXqcJRs6mvJlv79Jh2VlzJdJSpZf/YhCBVIVThZqrWBI1T1jPdN1gaJ0ov6cSAqYjPU=,iv:MMhdUthu2nUFJOkxXz00xXMiH7tit7sNejU/aXuQOmY=,tag:+NSHR9T4wlpJaBH5ZdxhvA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

36
kargo/credentials/git-creds-infra.prod.enc.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: infra
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:2ucqkKTdxBlW2GCRmr4ZqrZZS2KuIcUCkhyF6/dIy0jGiUTM1iQIiQ==,iv:gTnztDCoZX9rfK6cnnoOOs6WD8mmw6tWr2z9JUkj+sA=,tag:I5OgSmjtAbnXxyhCe7y3GA==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RVRoa2ZTT2llSitDYlRn
RU1RRkVNdnFFZWpMU0ZoU2Q0bGRKVFViZEc4CkdaalppTll1Q0c4T29aYks2a3Nq
azBaMWtJL3hyQlFVMFpUTjcrQ3BkU0kKLS0tIC80azJYWnhGZHpwK0lWa1FrS1d4
WlFjQk9WZVdoSnhnT1lROFZzUWMxb00KJ6i6Vap1FCYYUcTiNh5dyHbSeyXthtdf
iQcMjvZlOgKuHVPmaiXv8Mh+AHNl0RgWN2nNEoa1NPhriGU36ZmVWA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMUx5UkNBZHlZdVhlaXV3
OVNXTitPd2lQQXFoanNjb014ODB3ZUVLRHlvCmdBbkpmaXkzSXZxRFdPZEVubVJC
NHpyUDVkVjV5QXRPbnBHNkZhclMzc1UKLS0tIGtWcHZGMEorbFNEeStmSW80WE9N
RjRLYkhHMmd6UTNUSkxCUUFvMzVkdTAKJhUHz7PDrJca3OIdXyzXzD86/7tkCSm4
Q6q6WbscBBMtclrO5EfbHuzUUNuejFRLjeHjvPCBb5z/i6sp6Pxyuw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:58:02Z"
mac: ENC[AES256_GCM,data:KetBMvqfuE4eSrQoKmFJ0fkHHAvxFjQJvm9b9haSODfXDUxZ7DOYlVAVrZzf7L9VYFj7iP+yQeW2cLuV0JRH9+CL6u2GuvtK5WPC82NhRK/I5dEF+x3VIFjc3amr62FEuOjPeLOiAqluPeJ3BscW/Gj6UXKrLgrPzmZZgzzBHb4=,iv:fNbOFcpkAmom0Tf7xeoDfyklWNxIhHANS3WguPtrDK4=,tag:lsbhvAgSWdp+XKPKpGU56Q==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

36
kargo/credentials/git-creds-test-env.dev.enc.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: test-env
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:pGwKoR6eurha3ATmL0XP01DTK3qXCxAV3SdFYmNFokKMZI+VuzZ/GQ==,iv:DKVdeBRQS+HjPkHftJZZuXf7yB+I18Ae3iK+7L+hZQ0=,tag:/K6twgUKTNrn6s1rDTAeQA==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTk5seDNiR2dRcXRRclJZ
UlNuRXZGd3ZMTDNsaHVrYUtnUmsyNk1IVkJFCmo0Y0pwdnlsay9qcy8rakk4ejBF
VHAzbmRObUFVVVpZN0JraHRlVmhhNW8KLS0tIHNXd01OUnVxclRXcE9iNFNzZS9S
UlQzRnlSb2F0Y0J0eVdZN1BSelRrSWcK8V99m3Hh2mOm9csGG42k4FIeFbQnkXIr
w3elSENAib0rFz7Uewpn1VD3yjFL7SVv33bVOEuM3KlHDtUnF6fuuQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOS05ZanNzMWRFRG5EUlNq
WmtLUHpHRE0rWXRuVXRLRDFiRDZSZmdEc2lnCmMrbHRxRUhIWDFkaTJlekxrckxj
V3ROU25aOVZGVzVUY3IwRlhwYWhBWEUKLS0tIHZCS1ZobFlqQ2NZSUt3N1VSV2l4
SmVWWDRhckRxek1jRFpPUnIxb0QxaDQKmkVXDqP0tjaWo/fkdqrIatV/bhyQt9vb
Rzz21KATjKow6VtekA3FVOVchlDsaYDLkhuLI69I1lIYqR99ovS+8w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:58:02Z"
mac: ENC[AES256_GCM,data:CDESJXzhctA4WexUb2hP6ykWkRCWUsgIYHOSmRnHUlyf6Pd8uF43Bl/+ZHWhE6SLWf3LKGMOKSU60Qkh1aSH+Z9BqaiKa3dL0MIQx4yXRe9NzS/mEki4IsuQi27AZ6BKD93tznyVKbCAzxmyP1jRhbRNIKBA2dWoQAITX1w2vvA=,iv:l8JZK3a17DfIn3llapKnUZH7SRNCte5MNPZzjtPJbxA=,tag:rEcarIr7UhsV+THixTUiKw==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

36
kargo/credentials/git-creds-test-env.prod.enc.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: test-env
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:YIFtzQT8BYFwj5SfRDGxd/ND6BzpFSbERF3u+TyFjCoFqQXqk4g9ew==,iv:gOwNFYoErJhEJglBP9Oed45/CFQXXHlPqid3RzScvdA=,tag:iTJfhSTKceOl5lv4YiGo4Q==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBza2JKZTlxSTZOZ1lzNllu
TWdoL0lKSDc0Ri9BMWs1aDhSU1VaQ1dod2dzCk5sRHdIa1B3a2RMbTViZ3lPc04y
OUQ4WVNRR3JrZ1lyZXJvd3lFVUYxdlEKLS0tIFRNM0dqR1RGMVZ2alprMmxRQndo
Y0h3RE5WaHprRDZWUnBCQURhS0tnbHMKz9/qP2w1KURlDAWVcjfUFz1kJy/ed53w
SpKMwvWTfYTvvZMNnz1XgxMfKXu4TKWAuP9mJ+rmcj5jIcPSGxetUA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeTd6Uk5yN2o5MDhsa0V6
UTZGZ29rSmFYbm5uRkg2UGNNdW13UmJ0eWxFCnZCWU5RalJEdFQ1SCtxdGQxVDhV
R3FsbkppRHkwbEdmYTU0dE5leEUxN2cKLS0tIDZtc3orbkhKMVVmdnpQRDVRUm9P
ck5QYkczblV0YndpQ0hoN3lDWDhrbUEKG5nPWrnAHFvUCsf/Zwgo22oiP1nIvXc5
PSo+hPCzFAjVtg7y1jO8HcwUVOgtcH/LN4NwcMF/I7VZajHRZXEQXQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:58:02Z"
mac: ENC[AES256_GCM,data:3/YKxY5Ai543PDiUZi767xsmgJSI+bWyBQER+ICo9jQydbef1gJ2Rp3TitnuSiD2H+l41b2tIEFp4y3IaXSD6B+8cbf+bs7YdXznJzFd/V3FKjKncQJkJdTlLDijJRsjPczEFA/syhy/i8jMORoid1SNQrk2l0XmiWx7bujTOys=,iv:Wtdf3swbTJEXQu2+JNu8mqYHWvK9DIZRLuXLoKB5n9w=,tag:jMiSS9gzmZpWXNVq3liyTA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

14
kargo/credentials/ksops-generator.prod.yaml Normal file
View File

@@ -0,0 +1,14 @@
# ksops generator for PROD cluster
# Replace ksops-generator.yaml on infra/stage/prod branch
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: kargo-git-credentials
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- git-creds-infra.prod.enc.yaml
- git-creds-ci.prod.enc.yaml
- git-creds-test-env.prod.enc.yaml

20
kargo/credentials/ksops-generator.yaml Normal file
View File

@@ -0,0 +1,20 @@
# ksops generator: decrypts SOPS-encrypted K8s Secret manifests
# ArgoCD repo-server must have ksops + sops + age installed
#
# Dev cluster uses: *.dev.enc.yaml
# Prod cluster uses: *.prod.enc.yaml
#
# Which files to decrypt is controlled by the kustomization overlay
# in the cluster-specific branch (infra/stage/dev or infra/stage/prod)
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: kargo-git-credentials
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- git-creds-infra.dev.enc.yaml
- git-creds-ci.dev.enc.yaml
- git-creds-test-env.dev.enc.yaml

5
kargo/credentials/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ksops-generator.yaml