refactor: bootstrap/infra/ci separation (#27)

- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts,
  kargo, kargo-*-pipeline (not managed by Kargo promotion)
- infra/ now only: gitea, gitea-custom (promoted by Kargo)
- ci/ unchanged: gitea-runner (promoted by Kargo)
- Split kargo/credentials/ into dev/ and prod/ with separate ksops generators
- Remove kargo-credentials from AppSet (managed by Pulumi Go code)
- Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager)
- Update infra Stage dev: only yaml-update for gitea version
- Fix test-env warehouse: valid subscription instead of empty array
- Update step numbers: bootstrap 1-5, infra 1-2

bootstrap/argo-rollouts/config.yaml

@@ -1,11 +1,11 @@
 {
   "name": "argo-rollouts",
   "namespace": "argo-rollouts",
-  "step": "2",
+  "step": "3",
   "source": {
     "repoURL": "https://argoproj.github.io/argo-helm",
     "chart": "argo-rollouts",
-    "targetRevision": 2.40.6
+    "targetRevision": "2.40.6"
   },
   "helm": {
     "values": "dashboard:\n  enabled: true\n"

bootstrap/cert-manager/config.yaml

@@ -5,7 +5,7 @@
   "source": {
     "repoURL": "https://charts.jetstack.io",
     "chart": "cert-manager",
-    "targetRevision": v1.19.4
+    "targetRevision": "v1.19.4"
   },
   "helm": {
     "values": "crds:\n  enabled: true\n"

bootstrap/traefik-routes/config.yaml

@@ -1,7 +1,7 @@
 {
   "name": "traefik-routes",
   "namespace": "kube-system",
-  "step": "3",
+  "step": "2",
   "source": {
     "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
     "path": "infra/traefik-routes/manifests",

infra/gitea-custom/config.yaml

@@ -1,7 +1,7 @@
 {
   "name": "gitea-custom",
   "namespace": "gitea",
-  "step": "6",
+  "step": "2",
   "source": {
     "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
     "path": "infra/gitea-custom/manifests",

infra/gitea/config.yaml

@@ -1,7 +1,7 @@
 {
   "name": "gitea",
   "namespace": "gitea",
-  "step": "4",
+  "step": "1",
   "source": {
     "repoURL": "https://dl.gitea.com/charts",
     "chart": "gitea",

infra/kargo-credentials/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "kargo-credentials",
-  "namespace": "default",
-  "step": "5",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "kargo/credentials",
-    "targetRevision": "main"
-  }
-}

kargo/credentials/dev/ksops-generator.yaml

@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: kargo-git-credentials
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - git-creds-infra.dev.enc.yaml
+  - git-creds-ci.dev.enc.yaml
+  - git-creds-test-env.dev.enc.yaml

kargo/credentials/ksops-generator.yaml

@@ -1,20 +0,0 @@
-# ksops generator: decrypts SOPS-encrypted K8s Secret manifests
-# ArgoCD repo-server must have ksops + sops + age installed
-#
-# Dev cluster uses: *.dev.enc.yaml
-# Prod cluster uses: *.prod.enc.yaml
-#
-# Which files to decrypt is controlled by the kustomization overlay
-# in the cluster-specific branch (infra/stage/dev or infra/stage/prod)
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: kargo-git-credentials
-  annotations:
-    config.kubernetes.io/function: |
-      exec:
-        path: ksops
-files:
-  - git-creds-infra.dev.enc.yaml
-  - git-creds-ci.dev.enc.yaml
-  - git-creds-test-env.dev.enc.yaml

kargo/credentials/prod/ksops-generator.yaml

@@ -1,5 +1,3 @@
-# ksops generator for PROD cluster
-# Replace ksops-generator.yaml on infra/stage/prod branch
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

kargo/credentials/prod/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ksops-generator.yaml

kargo/infra/stages/dev.yaml

@@ -30,20 +30,6 @@ spec:
         - uses: git-clear
           config:
             path: ./out
-        - uses: yaml-update
-          as: update-cert-manager
-          config:
-            path: ./src/infra/cert-manager/config.yaml
-            updates:
-              - key: source.targetRevision
-                value: ${{ chartFrom("https://charts.jetstack.io", "cert-manager").Version }}
-        - uses: yaml-update
-          as: update-argo-rollouts
-          config:
-            path: ./src/infra/argo-rollouts/config.yaml
-            updates:
-              - key: source.targetRevision
-                value: ${{ chartFrom("https://argoproj.github.io/argo-helm", "argo-rollouts").Version }}
         - uses: yaml-update
           as: update-gitea
           config:

kargo/infra/warehouse.yaml

@@ -5,16 +5,6 @@ metadata:
   namespace: infra
 spec:
   subscriptions:
-    - chart:
-        repoURL: https://charts.jetstack.io
-        name: cert-manager
-        semverConstraint: ">=1.17.0"
-        discoveryLimit: 5
-    - chart:
-        repoURL: https://argoproj.github.io/argo-helm
-        name: argo-rollouts
-        semverConstraint: ">=2.39.0"
-        discoveryLimit: 5
     - chart:
         repoURL: https://dl.gitea.com/charts
         name: gitea

kargo/test-env/warehouse.yaml

@@ -4,5 +4,11 @@ metadata:
   name: test-env-images
   namespace: test-env
 spec:
-  subscriptions: []
+  # Placeholder: no subscriptions yet.
-  # TODO: Add container image subscriptions for test services
+  # When test services are added, subscribe to their container images here.
+  subscriptions:
+    - chart:
+        repoURL: https://dl.gitea.com/charts
+        name: gitea
+        semverConstraint: ">=0.0.1"
+        discoveryLimit: 1