deploy-app-kargo-private

gitea_admin/deploy-app-kargo-private

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dear XoR	42cb7ac5bf	feat: zero trust SOPS key isolation (deploy-k3s#32) - Add test-key (age1wtzdf8...) for shared test environment - Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0) Allows adding new YAML fields without decryption key - Re-encrypt all 10 files with mac_only_encrypted metadata - Strict isolation: dev-key ↔ .dev.enc.yaml, prod-key ↔ .prod.enc.yaml - test-key can only decrypt *.test.enc.yaml (not dev/prod) - Add dev/verify-sops-isolation.sh — 33-point verification script - Keep dev/prod files with admin+dev / admin+prod only (no test-key) Verified: 33/33 isolation checks passed Co-authored-by: XoR <xor@benadis.ru>	2026-03-12 17:11:29 +03:00
deploy-k3s	f640de781d	refactor: bootstrap/infra/ci separation (#27 ) - Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts, kargo, kargo-*-pipeline (not managed by Kargo promotion) - infra/ now only: gitea, gitea-custom (promoted by Kargo) - ci/ unchanged: gitea-runner (promoted by Kargo) - Split kargo/credentials/ into dev/ and prod/ with separate ksops generators - Remove kargo-credentials from AppSet (managed by Pulumi Go code) - Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager) - Update infra Stage dev: only yaml-update for gitea version - Fix test-env warehouse: valid subscription instead of empty array - Update step numbers: bootstrap 1-5, infra 1-2	2026-03-11 13:18:22 +03:00
XoR	4dd68859d8	feat: SOPS + age encrypted secrets structure - .sops.yaml with 3 age keys (admin, dev, prod) - infra/gitea/values/.enc.yaml — per-env encrypted Helm values - infra/kargo/values/.enc.yaml — per-env encrypted Kargo admin secrets - kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops) - infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops - All repoURLs point to deploy-app-kargo-private Structure from deploy-app-kargo (reference), adapted for SOPS workflow	2026-03-11 10:01:26 +03:00

Author

SHA1

Message

Date

Dear XoR

42cb7ac5bf

feat: zero trust SOPS key isolation (deploy-k3s#32)

- Add test-key (age1wtzdf8...) for shared test environment
- Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0)
  Allows adding new YAML fields without decryption key
- Re-encrypt all 10 files with mac_only_encrypted metadata
- Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml
- test-key can only decrypt *.test.enc.yaml (not dev/prod)
- Add dev/verify-sops-isolation.sh — 33-point verification script
- Keep dev/prod files with admin+dev / admin+prod only (no test-key)

Verified: 33/33 isolation checks passed

Co-authored-by: XoR <xor@benadis.ru>

2026-03-12 17:11:29 +03:00

deploy-k3s

f640de781d

refactor: bootstrap/infra/ci separation (#27 )

- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts,
  kargo, kargo-*-pipeline (not managed by Kargo promotion)
- infra/ now only: gitea, gitea-custom (promoted by Kargo)
- ci/ unchanged: gitea-runner (promoted by Kargo)
- Split kargo/credentials/ into dev/ and prod/ with separate ksops generators
- Remove kargo-credentials from AppSet (managed by Pulumi Go code)
- Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager)
- Update infra Stage dev: only yaml-update for gitea version
- Fix test-env warehouse: valid subscription instead of empty array
- Update step numbers: bootstrap 1-5, infra 1-2

2026-03-11 13:18:22 +03:00

XoR

4dd68859d8

feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow

2026-03-11 10:01:26 +03:00

3 Commits