deploy-app-kargo-private

gitea_admin/deploy-app-kargo-private

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dear XoR	42cb7ac5bf	feat: zero trust SOPS key isolation (deploy-k3s#32) - Add test-key (age1wtzdf8...) for shared test environment - Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0) Allows adding new YAML fields without decryption key - Re-encrypt all 10 files with mac_only_encrypted metadata - Strict isolation: dev-key ↔ .dev.enc.yaml, prod-key ↔ .prod.enc.yaml - test-key can only decrypt *.test.enc.yaml (not dev/prod) - Add dev/verify-sops-isolation.sh — 33-point verification script - Keep dev/prod files with admin+dev / admin+prod only (no test-key) Verified: 33/33 isolation checks passed Co-authored-by: XoR <xor@benadis.ru>	2026-03-12 17:11:29 +03:00
Dear XoR	efb2427586	feat(test-env): add 1C test environment (#11 ) * feat(test-env): add 1C test environment manifests (#11) - PostgreSQL 18.x-2.1C StatefulSet with ru_RU.UTF-8 locale init - 1C server (ragent+crserver+ras) StatefulSet with stable hostname - Gitea runner Deployment with edt label for apk-ci-ng - NodePort services for external 1C access (31540-31545) - Deploy/verify script: dev/deploy-test-env.sh - config.yaml for ApplicationSet integration - test-env only in dev cluster (not in prod AppSet) * fix(test-env): use initContainer for PG data + remove custom entrypoint PVC mount on /var/lib/postgresql wipes the image's pre-built cluster. Solution: initContainer copies cluster data from image to PVC on first run. Removed custom pg-entrypoint.sh ConfigMap — image has its own. * feat(test-env): DinD sidecar for runner + auto-registration Job - Add Docker-in-Docker sidecar to gitea-runner Deployment - Add register-job.yaml: Job that obtains Gitea runner token via API, creates Secret, and scales runner to 1 - RBAC: ServiceAccount + Role/ClusterRole for cross-namespace secret access - Runner labels: edt (for apk-ci-ng), ubuntu-latest --------- Co-authored-by: XoR <xor@benadis.ru>	2026-03-12 12:33:50 +03:00

Author

SHA1

Message

Date

Dear XoR

42cb7ac5bf

feat: zero trust SOPS key isolation (deploy-k3s#32)

- Add test-key (age1wtzdf8...) for shared test environment
- Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0)
  Allows adding new YAML fields without decryption key
- Re-encrypt all 10 files with mac_only_encrypted metadata
- Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml
- test-key can only decrypt *.test.enc.yaml (not dev/prod)
- Add dev/verify-sops-isolation.sh — 33-point verification script
- Keep dev/prod files with admin+dev / admin+prod only (no test-key)

Verified: 33/33 isolation checks passed

Co-authored-by: XoR <xor@benadis.ru>

2026-03-12 17:11:29 +03:00

Dear XoR

efb2427586

feat(test-env): add 1C test environment (#11 )

* feat(test-env): add 1C test environment manifests (#11)

- PostgreSQL 18.x-2.1C StatefulSet with ru_RU.UTF-8 locale init
- 1C server (ragent+crserver+ras) StatefulSet with stable hostname
- Gitea runner Deployment with edt label for apk-ci-ng
- NodePort services for external 1C access (31540-31545)
- Deploy/verify script: dev/deploy-test-env.sh
- config.yaml for ApplicationSet integration
- test-env only in dev cluster (not in prod AppSet)

* fix(test-env): use initContainer for PG data + remove custom entrypoint

PVC mount on /var/lib/postgresql wipes the image's pre-built cluster.
Solution: initContainer copies cluster data from image to PVC on first run.
Removed custom pg-entrypoint.sh ConfigMap — image has its own.

* feat(test-env): DinD sidecar for runner + auto-registration Job

- Add Docker-in-Docker sidecar to gitea-runner Deployment
- Add register-job.yaml: Job that obtains Gitea runner token via API,
  creates Secret, and scales runner to 1
- RBAC: ServiceAccount + Role/ClusterRole for cross-namespace secret access
- Runner labels: edt (for apk-ci-ng), ubuntu-latest

---------

Co-authored-by: XoR <xor@benadis.ru>

2026-03-12 12:33:50 +03:00

2 Commits