deploy-app-kargo-private

gitea_admin/deploy-app-kargo-private

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dear XoR	42cb7ac5bf	feat: zero trust SOPS key isolation (deploy-k3s#32) - Add test-key (age1wtzdf8...) for shared test environment - Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0) Allows adding new YAML fields without decryption key - Re-encrypt all 10 files with mac_only_encrypted metadata - Strict isolation: dev-key ↔ .dev.enc.yaml, prod-key ↔ .prod.enc.yaml - test-key can only decrypt *.test.enc.yaml (not dev/prod) - Add dev/verify-sops-isolation.sh — 33-point verification script - Keep dev/prod files with admin+dev / admin+prod only (no test-key) Verified: 33/33 isolation checks passed Co-authored-by: XoR <xor@benadis.ru>	2026-03-12 17:11:29 +03:00
XoR	4dd68859d8	feat: SOPS + age encrypted secrets structure - .sops.yaml with 3 age keys (admin, dev, prod) - infra/gitea/values/.enc.yaml — per-env encrypted Helm values - infra/kargo/values/.enc.yaml — per-env encrypted Kargo admin secrets - kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops) - infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops - All repoURLs point to deploy-app-kargo-private Structure from deploy-app-kargo (reference), adapted for SOPS workflow	2026-03-11 10:01:26 +03:00

Author

SHA1

Message

Date

Dear XoR

42cb7ac5bf

feat: zero trust SOPS key isolation (deploy-k3s#32)

- Add test-key (age1wtzdf8...) for shared test environment
- Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0)
  Allows adding new YAML fields without decryption key
- Re-encrypt all 10 files with mac_only_encrypted metadata
- Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml
- test-key can only decrypt *.test.enc.yaml (not dev/prod)
- Add dev/verify-sops-isolation.sh — 33-point verification script
- Keep dev/prod files with admin+dev / admin+prod only (no test-key)

Verified: 33/33 isolation checks passed

Co-authored-by: XoR <xor@benadis.ru>

2026-03-12 17:11:29 +03:00

XoR

4dd68859d8

feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow

2026-03-11 10:01:26 +03:00

2 Commits