6 Commits

Author SHA1 Message Date
Dear XoR
42cb7ac5bf feat: zero trust SOPS key isolation (deploy-k3s#32)
- Add test-key (age1wtzdf8...) for shared test environment
- Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0)
  Allows adding new YAML fields without the decryption key
- Re-encrypt all 10 files with mac_only_encrypted metadata
- Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml
- test-key can only decrypt *.test.enc.yaml (not dev/prod)
- Add dev/verify-sops-isolation.sh — 33-point verification script
- Keep dev/prod files with admin+dev / admin+prod only (no test-key)

Verified: 33/33 isolation checks passed

Co-authored-by: XoR <xor@benadis.ru>
2026-03-12 17:11:29 +03:00
XoR
01623cb260 fix: rename traefik-dashboard → traefik-dashboard-https
Avoids a race condition with the k3s built-in Traefik Helm chart, which
creates its own 'traefik-dashboard' IngressRoute. Both charts tried
to own the same resource name, causing Helm install failure when
ArgoCD created it first.
2026-03-11 20:16:01 +03:00
XoR
4d8ebf96df Revert "fix: remove traefik-dashboard IngressRoute (conflicts with k3s built-in Traefik Helm chart)"
This reverts commit a2d0682168.
2026-03-11 20:10:08 +03:00
XoR
a2d0682168 fix: remove traefik-dashboard IngressRoute (conflicts with k3s built-in Traefik Helm chart)
The built-in k3s Traefik Helm chart creates its own traefik-dashboard
IngressRoute. Our ArgoCD-managed copy blocked Helm install because
Helm requires ownership labels (app.kubernetes.io/managed-by=Helm).

Removing our copy lets the built-in chart manage the dashboard route.
2026-03-11 20:04:55 +03:00
deploy-k3s
77831d73a9 fix: traefik-routes path after bootstrap move
Path was still infra/traefik-routes/manifests, but files moved to
bootstrap/traefik-routes/manifests in the restructuring.
2026-03-11 15:47:35 +03:00
deploy-k3s
f640de781d refactor: bootstrap/infra/ci separation (#27)
- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts,
  kargo, kargo-*-pipeline (not managed by Kargo promotion)
- infra/ now only: gitea, gitea-custom (promoted by Kargo)
- ci/ unchanged: gitea-runner (promoted by Kargo)
- Split kargo/credentials/ into dev/ and prod/ with separate ksops generators
- Remove kargo-credentials from AppSet (managed by Pulumi Go code)
- Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager)
- Update infra Stage dev: only yaml-update for gitea version
- Fix test-env warehouse: valid subscription instead of empty array
- Update step numbers: bootstrap 1-5, infra 1-2
2026-03-11 13:18:22 +03:00