feat: zero trust SOPS key isolation (deploy-k3s#32)

- Add test-key (age1wtzdf8...) for shared test environment
- Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0)
  Allows adding new YAML fields without decryption key
- Re-encrypt all 10 files with mac_only_encrypted metadata
- Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml
- test-key can only decrypt *.test.enc.yaml (not dev/prod)
- Add dev/verify-sops-isolation.sh — 33-point verification script
- Keep dev/prod files with admin+dev / admin+prod only (no test-key)

Verified: 33/33 isolation checks passed

Co-authored-by: XoR <xor@benadis.ru>

.sops.yaml

@@ -1,28 +1,55 @@
 # SOPS configuration for deploy-app-kargo-private
-# Three age keys: admin (all access), dev (dev/test cluster), prod (prod cluster)
+# Zero Trust key model: dev cannot decrypt prod, prod cannot decrypt dev.
+# Test secrets accessible to both dev and prod.
 #
-# admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-# dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-# prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+# Keys:
+#   admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7  (master, backup/audit)
+#   dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g  (dev cluster only)
+#   test:  age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33  (shared test environment)
+#   prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk  (prod cluster only)
+#
+# Trust model:
+#   *.dev.enc.yaml  → admin + dev           (ONLY dev-admin can decrypt)
+#   *.test.enc.yaml → admin + dev + test + prod (everyone can decrypt)
+#   *.prod.enc.yaml → admin + prod          (ONLY prod-admin can decrypt)
+#   *.shared.enc.yaml → admin + dev + prod  (legacy, both can decrypt)
+#
+# mac_only_encrypted: true — allows adding new YAML keys/structure without
+# having the decryption key. MAC is computed only over encrypted values.
+# This enables dev to add fields to *.prod.enc.yaml without decrypting them.
+# Requires SOPS >= 3.9.0.
 
 creation_rules:
-  # Prod-specific secrets — admin + prod only
-  - path_regex: \.prod\.enc\.yaml$
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    age: >-
-      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
-      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-
-  # Dev-specific secrets — admin + dev only
+  # Dev-specific secrets — ONLY admin + dev can decrypt
   - path_regex: \.dev\.enc\.yaml$
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
     age: >-
       age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
       age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
 
-  # Shared secrets (e.g. kargo credentials) — all three keys
+  # Test secrets — all keys can decrypt (shared test environment)
+  - path_regex: \.test\.enc\.yaml$
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    age: >-
+      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
+      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
+      age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33,
+      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+
+  # Prod-specific secrets — ONLY admin + prod can decrypt
+  - path_regex: \.prod\.enc\.yaml$
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    age: >-
+      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
+      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+
+  # Shared secrets (legacy, both clusters) — admin + dev + prod
   - path_regex: \.shared\.enc\.yaml$
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
+    mac_only_encrypted: true
     age: >-
       age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
       age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,

bootstrap/argo-rollouts/config.yaml

@@ -1,11 +1,11 @@
 {
   "name": "argo-rollouts",
   "namespace": "argo-rollouts",
-  "step": "2",
+  "step": "3",
   "source": {
     "repoURL": "https://argoproj.github.io/argo-helm",
     "chart": "argo-rollouts",
-    "targetRevision": 2.40.6
+    "targetRevision": "2.40.6"
   },
   "helm": {
     "values": "dashboard:\n  enabled: true\n"

bootstrap/cert-manager/config.yaml

@@ -5,7 +5,7 @@
   "source": {
     "repoURL": "https://charts.jetstack.io",
     "chart": "cert-manager",
-    "targetRevision": v1.19.4
+    "targetRevision": "v1.19.4"
   },
   "helm": {
     "values": "crds:\n  enabled: true\n"

bootstrap/kargo/values/secret-values.dev.enc.yaml

@@ -0,0 +1,28 @@
+# Kargo secrets for dev/test cluster
+passwordHash: ENC[AES256_GCM,data:Brg8qSTsGeft72w0FhnmKu0CgfL14zDLLIifyFdS+MJDtWhhRJq88Wh2OOrjylTsteYJeb9LaGh7T/6I,iv:PapmZ9/fubkIMz4Br4W4Xqj8UB6BJl5708V0nPRqgxw=,tag:r1iCfDxwmNRJT56dnEEo2Q==,type:str]
+tokenSigningKey: ENC[AES256_GCM,data:f1i9nVF74bWcGl0GXBujwo215aXV4pAm9r3AX181nUq32QyWdkzR0+7e+4EfqoZkpOorCKZQq6pJEn45th9YJw==,iv:yMT3dnlNnblyUJdmWb9XFQlnPnLIT12iw6aNxN94lY0=,tag:WE6/dL8+382eYMj/tYq/+w==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVEhRZkhINm80MGYzcGZP
+            a1ZURk9GYVRiT1plV0U1WlQvenFieU1TbGt3CnlqbExOZGpEMEd2MDlDV0k1Z0ZI
+            UzJxK1ByVkhrNXlJWkhCUHhTSzl0cW8KLS0tIDRKb0dmNXhXSnIzMEhnOUNjMVRD
+            V1oySnBJeFdyWGdGYzhpN2JIRG00cUEKta06XCymUR8ltBL/6egR/IHTaS/Q0vih
+            ep4kyfexVOK+OAnbvA/4BSUBKXAr2L+GN3tAuG4YOnehX764WTaoxQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VHQvczM3MDhEcXJGQkpa
+            Vm1LYURwbUk5MEhXOVBLdFl5UWRLcmZpaWwwCmdrMGFmNlZVL2pQdDFFR1BrZ25h
+            ZEZMazJsR3hhZlNsUTNSNEVEUlNtcE0KLS0tIEplZnk2eDNXd2ZOcVhJNThieWJU
+            UkZSc1E1dHVieFRMSDNhSXN0ZC9OdGsK+7GeHMVOYmhIpt1tZTo/l3JdTQL1ZuC7
+            ZLydtSlmPfT4rkUmtyfEMf8HU45V9KO7IUSWyWBOy7XU1whb7frdHw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:13Z"
+    mac: ENC[AES256_GCM,data:DWPS9s6QGbeFKEsZGBqKZE596Bqm1nY5D3JrBnEkRVwQhXo4oo6QIwSOpojBx4cSANANzi+CkhCGXIIAhKxXLn4Aii9y/d1Lpe6S7umFeLg/15Qb7CAC6mI/WPK6H71zD8VSxzHictDek9opfdhIzrlr9xIvKRwzyhsF7I76kgE=,iv:Epf8fh8kMDpFpV0BOVV542n8OitoDcy7yRg0gI76aFU=,tag:Yd4oFywmeALME220szSWzA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

bootstrap/kargo/values/secret-values.prod.enc.yaml

@@ -0,0 +1,28 @@
+# Kargo secrets for prod cluster
+passwordHash: ENC[AES256_GCM,data:40E+4VZg1JwCjmXmsrqsPAKJJREu3TyaRdifnu6ADbFxIg7uJ1OmC2peUWZnmldOVy5rYRvn4f9+,iv:X5A46o59GeOpk5DazwV+ulhnXf+WKrz14lJB2AzVipc=,tag:0pPim5ccR9g3KeZrjvxzpg==,type:str]
+tokenSigningKey: ENC[AES256_GCM,data:tsp3iRJT0IlidEA3gU7rsY6LsoqurOAIe6DSLOnKcL167U/wax0jTUHsCsqcDq6YwVrrXr1H7EwohSpxLFkbfA==,iv:+LpAQkMKowoEHbqC3EIIJ/MaAmXYcCfNJ1SUt2lhNqc=,tag:6iI7umdfMOyEO6mD9cxMzA==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSlJqQ0tsRDFYdmUxbHFV
+            UGxLc05lRmlpYmJmdU9rTkhYUEVRN01tNVJnCmlWZnpMdU40ZEVsMnFDNWxaR3ow
+            KzlMNWpab0dDOS94Vm9EU1hBMDR5ZzQKLS0tIFpkenkvM01QOGJKRTFjcDl0N2c4
+            RnR3anYvdnRjYXhKNkE3aDFRZXY4TVEKuX/i/7fLkHVuh51vO/TMDCZ8K5AkGoO1
+            B9mOtMu8HZSV2F5UW3hpYrA+mJz82Hi0I84aI1LpAdjobsCckEpR3Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSDVNRERESERkQ2RwSlo0
+            OGFHaHAzeGhFcVhsOHEyekd2MVZzZG50b3c0CkRIMm1veXNXL3BrMkpuajVrZzFW
+            ekVPcFYwMUZMc2V5cnFUdUlneWQxQmsKLS0tIFRwZ0ZCZVE1K0N6ZlFGbkZJT2k3
+            cXFYaThyS1gxOU5hWFl0cDgyUTB6U2MKejpV8nlfBNKC9vqC9UkOJquC4poU/gAI
+            s2Ul/34xAM5/amo/icjwmkpB+TsAR4zNgkECuW7rF9plf1LSFrFUAg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:13Z"
+    mac: ENC[AES256_GCM,data:igA1mRDKhw3B/QgRU7naByC8lS9EYfv+r5wU4BdBDmDfEQYzqT4sf3/zEE8XZnhKNbgc+hQuu4YodpaefWQAZwUXQFGhs8zxaLtUtP+zdBq8GJlfDradha9SyrtWsjY68dcA2RBc8E0y8xG+YE0fgnsOl2gvc9iXg0+X+2g31pI=,iv:OhmU/sX6SuD7V4SYINVfQFPYnJGIZ3H76YG+/RElgBY=,tag:dhqlLkmKBLaABc4UAUFvNg==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

bootstrap/traefik-routes/config.yaml

@@ -1,10 +1,10 @@
 {
   "name": "traefik-routes",
   "namespace": "kube-system",
-  "step": "3",
+  "step": "2",
   "source": {
     "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "infra/traefik-routes/manifests",
+    "path": "bootstrap/traefik-routes/manifests",
     "targetRevision": "main"
   }
 }

bootstrap/traefik-routes/manifests/traefik-dashboard.yaml

@@ -1,8 +1,11 @@
-# Traefik Dashboard IngressRoute
+# Traefik Dashboard IngressRoute (HTTPS access)
+# Named traefik-dashboard-https to avoid conflict with k3s built-in
+# Traefik Helm chart which creates its own "traefik-dashboard" IngressRoute
+# on the internal "traefik" entrypoint (port 9000).
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: traefik-dashboard
+  name: traefik-dashboard-https
   namespace: kube-system
 spec:
   entryPoints:

dev/deploy-test-env.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+# deploy-test-env.sh — Deploy test-env to dev cluster and verify
+#
+# Usage:
+#   bash dev/deploy-test-env.sh [--check-only] [--create-secrets]
+#
+# Prerequisites:
+#   - kubectl configured for dev cluster
+#   - Images benadis/pg-1c:18.1-2.1C and benadis/ar-edt:6.2.27.1 accessible
+#
+# This script:
+#   1. Validates kustomize build
+#   2. Applies manifests via kustomize
+#   3. Creates secrets if --create-secrets
+#   4. Waits for pods to be ready
+#   5. Runs smoke tests (pg_isready, ragent check)
+
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+CHECK_ONLY=false
+CREATE_SECRETS=false
+
+for arg in "$@"; do
+    case $arg in
+        --check-only) CHECK_ONLY=true ;;
+        --create-secrets) CREATE_SECRETS=true ;;
+    esac
+done
+
+echo "=== test-env deployment ==="
+
+# --- Step 1: Validate kustomize ---
+echo -e "\n${YELLOW}[1/5] Validating kustomize build...${NC}"
+if kubectl kustomize test-env/ > /dev/null 2>&1; then
+    echo -e "${GREEN}  ✓ kustomize build OK${NC}"
+else
+    echo -e "${RED}  ✗ kustomize build FAILED${NC}"
+    kubectl kustomize test-env/ 2>&1 | head -20
+    exit 1
+fi
+
+if $CHECK_ONLY; then
+    echo -e "\n${GREEN}Validation passed (--check-only)${NC}"
+    kubectl kustomize test-env/ | grep -c 'kind:' | xargs -I{} echo "  {} resources"
+    exit 0
+fi
+
+# --- Step 2: Apply manifests ---
+echo -e "\n${YELLOW}[2/5] Applying manifests...${NC}"
+kubectl apply -k test-env/
+echo -e "${GREEN}  ✓ Manifests applied${NC}"
+
+# --- Step 3: Create secrets if needed ---
+if $CREATE_SECRETS; then
+    echo -e "\n${YELLOW}[3/5] Creating secrets...${NC}"
+    kubectl -n test-env create secret generic test-env-secrets \
+        --from-literal=pg-password=usr1cv8 \
+        --dry-run=client -o yaml | kubectl apply -f -
+    echo -e "${GREEN}  ✓ Secrets created${NC}"
+else
+    echo -e "\n${YELLOW}[3/5] Checking secrets...${NC}"
+    if kubectl -n test-env get secret test-env-secrets > /dev/null 2>&1; then
+        echo -e "${GREEN}  ✓ test-env-secrets exists${NC}"
+    else
+        echo -e "${RED}  ✗ test-env-secrets missing — run with --create-secrets${NC}"
+    fi
+fi
+
+# --- Step 4: Wait for pods ---
+echo -e "\n${YELLOW}[4/5] Waiting for pods (timeout 120s)...${NC}"
+
+wait_for_pod() {
+    local label=$1
+    local timeout=${2:-120}
+    local start=$(date +%s)
+    while true; do
+        local phase=$(kubectl -n test-env get pods -l "$label" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "Pending")
+        if [ "$phase" = "Running" ]; then
+            echo -e "${GREEN}  ✓ $label → Running${NC}"
+            return 0
+        fi
+        local elapsed=$(( $(date +%s) - start ))
+        if [ $elapsed -gt $timeout ]; then
+            echo -e "${RED}  ✗ $label → $phase (timeout ${timeout}s)${NC}"
+            return 1
+        fi
+        sleep 5
+    done
+}
+
+wait_for_pod "app=test-pg" 120
+wait_for_pod "app=onec-server" 120
+
+# --- Step 5: Smoke tests ---
+echo -e "\n${YELLOW}[5/5] Smoke tests...${NC}"
+
+# PostgreSQL ready
+PG_POD=$(kubectl -n test-env get pod -l app=test-pg -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
+if [ -n "$PG_POD" ]; then
+    if kubectl -n test-env exec "$PG_POD" -- su - postgres -c "/usr/lib/postgresql/18/bin/pg_isready" > /dev/null 2>&1; then
+        echo -e "${GREEN}  ✓ PostgreSQL is ready${NC}"
+    else
+        echo -e "${RED}  ✗ PostgreSQL pg_isready failed${NC}"
+    fi
+fi
+
+# 1C server ragent running
+ONEC_POD=$(kubectl -n test-env get pod -l app=onec-server -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
+if [ -n "$ONEC_POD" ]; then
+    if kubectl -n test-env exec "$ONEC_POD" -- pgrep ragent > /dev/null 2>&1; then
+        echo -e "${GREEN}  ✓ ragent is running${NC}"
+    else
+        echo -e "${RED}  ✗ ragent not running${NC}"
+    fi
+    if kubectl -n test-env exec "$ONEC_POD" -- pgrep crserver > /dev/null 2>&1; then
+        echo -e "${GREEN}  ✓ crserver is running${NC}"
+    else
+        echo -e "${RED}  ✗ crserver not running${NC}"
+    fi
+fi
+
+# Summary
+echo -e "\n=== Status ==="
+kubectl -n test-env get pods -o wide
+echo ""
+kubectl -n test-env get svc
+echo ""
+kubectl -n test-env get pvc

dev/verify-sops-isolation.sh

@@ -0,0 +1,128 @@
+#!/bin/bash
+# verify-sops-isolation.sh — Verify SOPS zero trust key isolation
+#
+# Usage: bash dev/verify-sops-isolation.sh [--keys-dir PATH]
+#
+# Verifies that:
+# 1. dev-key can ONLY decrypt *.dev.enc.yaml
+# 2. prod-key can ONLY decrypt *.prod.enc.yaml
+# 3. test-key can decrypt *.test.enc.yaml (if any)
+# 4. test-key CANNOT decrypt dev or prod files
+# 5. mac_only_encrypted is set in all files
+# 6. All files decrypt successfully with appropriate keys
+#
+# Requires: sops, age keys in SOPS_AGE_KEY_DEV/PROD/TEST env vars
+#           or provide --keys-dir with separate key files
+
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+PASS=0
+FAIL=0
+WARN=0
+
+check() {
+    local desc=$1 expected=$2 actual=$3
+    if [ "$expected" = "$actual" ]; then
+        echo -e "  ${GREEN}✓${NC} $desc"
+        PASS=$((PASS+1))
+    else
+        echo -e "  ${RED}✗${NC} $desc (expected=$expected, got=$actual)"
+        FAIL=$((FAIL+1))
+    fi
+}
+
+ORIG_KEYS=""
+if [ -f ~/.config/sops/age/keys.txt ]; then
+    ORIG_KEYS=$(cat ~/.config/sops/age/keys.txt)
+fi
+
+restore_keys() {
+    if [ -n "$ORIG_KEYS" ]; then
+        echo "$ORIG_KEYS" > ~/.config/sops/age/keys.txt
+    fi
+}
+trap restore_keys EXIT
+
+# --- Check .sops.yaml ---
+echo -e "\n${YELLOW}[1] Checking .sops.yaml configuration${NC}"
+
+if [ -f .sops.yaml ]; then
+    check ".sops.yaml exists" "yes" "yes"
+else
+    check ".sops.yaml exists" "yes" "no"
+    exit 1
+fi
+
+MAC_RULES=$(grep -c '^\s*mac_only_encrypted: true' .sops.yaml || echo 0)
+check "mac_only_encrypted rules in .sops.yaml (>=4)" "yes" "$([ "$MAC_RULES" -ge 4 ] && echo yes || echo no)"
+
+# --- Check all encrypted files ---
+echo -e "\n${YELLOW}[2] Checking mac_only_encrypted in encrypted files${NC}"
+TOTAL_ENC=$(find . -name '*.enc.yaml' -not -path './.git/*' | wc -l)
+MAC_ENC=$(grep -rl 'mac_only_encrypted: true' $(find . -name '*.enc.yaml' -not -path './.git/*' 2>/dev/null) 2>/dev/null | wc -l)
+check "mac_only_encrypted in all encrypted files" "$TOTAL_ENC" "$MAC_ENC"
+
+# --- Key isolation tests ---
+echo -e "\n${YELLOW}[3] Key isolation: dev-key${NC}"
+if [ -n "${SOPS_AGE_KEY_DEV:-}" ]; then
+    echo "$SOPS_AGE_KEY_DEV" > ~/.config/sops/age/keys.txt
+    for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "dev-key decrypts $(basename $f)" "yes" "$result"
+    done
+    for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "dev-key CANNOT decrypt $(basename $f)" "no" "$result"
+    done
+else
+    echo -e "  ${YELLOW}⚠ SOPS_AGE_KEY_DEV not set, skipping${NC}"
+    WARN=$((WARN+1))
+fi
+
+echo -e "\n${YELLOW}[4] Key isolation: prod-key${NC}"
+if [ -n "${SOPS_AGE_KEY_PROD:-}" ]; then
+    echo "$SOPS_AGE_KEY_PROD" > ~/.config/sops/age/keys.txt
+    for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "prod-key decrypts $(basename $f)" "yes" "$result"
+    done
+    for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "prod-key CANNOT decrypt $(basename $f)" "no" "$result"
+    done
+else
+    echo -e "  ${YELLOW}⚠ SOPS_AGE_KEY_PROD not set, skipping${NC}"
+    WARN=$((WARN+1))
+fi
+
+echo -e "\n${YELLOW}[5] Key isolation: test-key${NC}"
+if [ -n "${SOPS_AGE_KEY_TEST:-}" ]; then
+    echo "$SOPS_AGE_KEY_TEST" > ~/.config/sops/age/keys.txt
+    for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "test-key CANNOT decrypt $(basename $f)" "no" "$result"
+    done
+    for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "test-key CANNOT decrypt $(basename $f)" "no" "$result"
+    done
+    for f in $(find . -name '*.test.enc.yaml' -not -path './.git/*'); do
+        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
+        check "test-key decrypts $(basename $f)" "yes" "$result"
+    done
+else
+    echo -e "  ${YELLOW}⚠ SOPS_AGE_KEY_TEST not set, skipping${NC}"
+    WARN=$((WARN+1))
+fi
+
+# --- Summary ---
+echo -e "\n=== Summary ==="
+echo -e "${GREEN}Passed: $PASS${NC}  ${RED}Failed: $FAIL${NC}  ${YELLOW}Warnings: $WARN${NC}"
+[ $FAIL -eq 0 ] && echo -e "${GREEN}All checks passed!${NC}" || echo -e "${RED}Some checks failed!${NC}"
+exit $FAIL

infra/gitea-custom/config.yaml

@@ -1,7 +1,7 @@
 {
   "name": "gitea-custom",
   "namespace": "gitea",
-  "step": "6",
+  "step": "2",
   "source": {
     "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
     "path": "infra/gitea-custom/manifests",

infra/gitea/config.yaml

@@ -1,7 +1,7 @@
 {
   "name": "gitea",
   "namespace": "gitea",
-  "step": "4",
+  "step": "1",
   "source": {
     "repoURL": "https://dl.gitea.com/charts",
     "chart": "gitea",

infra/gitea/values/secret-values.dev.enc.yaml

@@ -1,27 +1,28 @@
 # Gitea secrets for dev/test cluster
-admin-password: ENC[AES256_GCM,data:Nh7IDhZbJxOYjat8JhRoWtQ=,iv:mDtUOdjiKxvTTKaWNQ6bUQ2rCbV9Ule25IN5AVBTrp0=,tag:FxMWUvu82HusjtPBmEtwcA==,type:str]
-db-password: ENC[AES256_GCM,data:qRZjNRGr/oJVzYTz6Kv0sZ7Sbns=,iv:V03c8IrsLZzJck5ZqrXS46LydbGPtLBwkjjGQI0zkv4=,tag:pxDpAbekwwOw9yiqMwl2QA==,type:str]
+admin-password: ENC[AES256_GCM,data:VVEs6UmQymD7bhc2DQ+ghuE=,iv:LRht/bByPtiCjkazc19NRIwbXzZclEZYtwCeXJfFMfQ=,tag:ig1bUcDNr+1wsDHoeBfMvw==,type:str]
+db-password: ENC[AES256_GCM,data:1QXmkEs6ECbf8NcoMcmgF4mLOYo=,iv:xKiTicbmhJaLajgN2taL+VR+H0ky1fHI3e79I0D6IdA=,tag:Whd7VdtjC7sYqC24XGEqBQ==,type:str]
 sops:
     age:
         - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWFvNXF3QXpnbjFsbHhn
-            dmdnRmRwWnpkUVlRSHlEZXdXT2FoeVVVejFNCkZ0UGp5YWZ2TThEUnZPOVNqVjJR
-            S0lXSGxSSFF3ZWhUM2NMWW9MZUszZnMKLS0tIEowWHo5SUFMMDFNY1lWY3NuNnJN
-            OERJZklLT1RnSDc4VjdaQ0F3cVRTaGsKYIfYSv4In5YiGs2/KWX1oPqOoiUxwVUl
-            jROG2UecsSjhKq6XdX+KVYmcSKhy1ljPjHaL+t3MmSNE6+jJpMpDvQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdHZRckgvZXZwRUdFZTNt
+            WFlNU0YwWncyNC9aZEFIT0hRRU5uYkNLMXdvCmgxM3NHSnR0THFXZUw4amZnSi9t
+            dkgrZDloUVo5NkZ5eDdPNUxaTi84NncKLS0tIGlmWDBiMjJUWWxsU1ZzWTZYL2dm
+            c25XZ0NKbUtuNHBjeGJ6YWVDTndaMXMKKHqfuydqSL65wdpHcyug8eg0p1VPMSuz
+            VeNu16pPCtTtStuGl4f2ciOVMaGCNbjY3XySRzZQKUNciZVTfat5Ow==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNzZSWE1NcTR1blQ5TWxH
-            N0k2YWNOdTA4WHZXQ3VlTHpWNVNuRm53S3dzCnZOR0gyWTVzams4SjdCZVpSMjdL
-            S2dqZTcvb3VtVE9JUWVlVU1QL1NaZ3MKLS0tIHdUZldWZWdIZ01VUWxLeEJDNmY0
-            aEV2U1JMaTFYRldjc1kwNHczd3gvM1kKEytPjCdNTG+8SFnQxh50XKfjAxa1xn0t
-            D3dj6yMfIfkgnp84pI9PY5hBweHrEcdeUwhPrkNY8dRuiShv4o4xTQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YzZ5am1lWGFaeVBxak5P
+            bVdSWHZTU1pkR3U0b1hvMVIvZUh3MnNpbkNJCm8wMmNUVzZ2U01kc3crTGliZG5u
+            MHpKVDZaZEt3dkJ3cVRVREpPQXFXUlUKLS0tIGdwSjNXUm4reENLUFRhMlNWQ0Yw
+            Ykw3QjBoQ2c0c3U1dWs0OVpCajBnYTQKtU/a24mNe+yo91QvFs2qHC2HR5tft9ny
+            d0RnFNYSaxgFWbV+Hs3vzBQUFlq0CzhfZzRR/rUcRfnrd+krlXThRQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:57:04Z"
-    mac: ENC[AES256_GCM,data:LKIihGyIcUImsmRWgPhWQRBeaFiXdWgaMwlif+FPNdmy/LSRlwIqIN8KzwuMu1zAlNvl1SVOVZL7SgRe9rZHax5pIn+Qrb5B+cuFPZTyvl24VBlJ+l29x182CKhRnT1RDDA9D7do+y8bG+rjyJ6u5d/yYcMAYIH9+I4fS4uERQw=,iv:23M4i1uCpQzfWZIp2c4gGThOCGotS3eajdjItlAwh2Y=,tag:MoD7LbWCu5EGxPeliRDinQ==,type:str]
+    lastmodified: "2026-03-12T14:08:13Z"
+    mac: ENC[AES256_GCM,data:E7YknH7WIh7zhZElq67jPRyt1dfjQDVWvrcIMtHbkRG/d6xQhgeJY9HwWJaotfrlCx3tpxO0zi882/ACVoogY+8f3l8jCCOEp+e20X3qDmbEOrRLsl8+mRnDiyJFAXULqJvAHEr5yJnYNxXXvVzOSpTOe+ECgedCJ4fgRU58c0k=,iv:FZt+eF6OLW+98FVxe7TFdpCWSvMwwXWKdudccgMJoKo=,tag:lpCIsC85JDG7p6xyxJnk4A==,type:str]
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
     version: 3.12.1

infra/gitea/values/secret-values.prod.enc.yaml

@@ -1,27 +1,28 @@
 # Gitea secrets for prod cluster
-admin-password: ENC[AES256_GCM,data:4pXdFHPAXo9fnyEmAqDygucpGrOy,iv:Qa/fQvRoU8TXMlkSjlomwzOn0v1M/PJ606HZI+inRcQ=,tag:/fKGATm+rUSCUH+os12qlQ==,type:str]
-db-password: ENC[AES256_GCM,data:lw3I+smG/1DaMFd2V98D7ENu6MB0g+e81A==,iv:DZmS4R2buArXMkO/Cjtp9gN9AqpTaVHs7NfqQFqciWY=,tag:OA9kzug/Mel6+GDlnYU/jA==,type:str]
+admin-password: ENC[AES256_GCM,data:ZStjY7d/2LcgGm8roVRT7ndOwgNi,iv:QYCaEqO1P0fjVnd6Cw+HMJKYSlqj0Bin7aBSmkZ5Zb0=,tag:f3pM4+U84FJOR54ADGKMxw==,type:str]
+db-password: ENC[AES256_GCM,data:gVcaEkJHP6LC/ufpW6/uyVceWvrx6vVnWg==,iv:Qt364af+t33gUKqHjkNUQzmJjCV+qrvoOJlwTpXmGy4=,tag:SURLKmepxtcrlmFR8wGvJw==,type:str]
 sops:
     age:
         - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCd2VUaHhQc0h4bmYwdmFy
-            WVJLS2dURWZnOUtCKzRoajB2RVI5U1ROOEVvCnV2VmxFTkhPNlErOE5SZzUyT0c1
-            VitrWFlJVUt5N2plMitWVjZPUHBmYU0KLS0tIFJVUnBBZjl6cWlRYUNiZSs1V0Q2
-            b1NBVnZydDVlY09LeHNpbkdsTzRNNmcKO9GFvLHIWTh/Aseuo3Z8FE47dE92MxJ6
-            p5OCsZRw+bpQfURStiyckaoMW8Of716uDIS3v1JaW8u4xm3e+lZXGg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ckdkQzdIN0dFelVUSEMy
+            QllGVTN4Z2IvZ0t3M29NcTNMSGEzczFjWnljCnA4NkZNcDdWUTRNRWIzRmhNckV3
+            ODZFWWdneUU3VHZiRC9TSlVkVjNhVEUKLS0tIHNYWHdML2o0dUlNb1BoWThUK29H
+            MDR0L1QwRlh0emFWMDJvMjhUMnJvb0UKBI+dEz95zrwzb42PpyxBMI70Aei68BIX
+            TQ/sCHKqvtdbEwTkg/ndhfPdorCIGwfCobJmWb8WySU1VZHCWYzJxw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUZjdlk4MU4yWGNPOEs4
-            ZkplUzlyV1lmQUxidHk3aDFhU1NOeElxeVU4CngxWS8vOTdUbEVNM2thMWgxNGRo
-            ZUlYdjVPTXFJWGtNWEJEa2V1dGhqSTgKLS0tIEI2V1hrWUVnRnovblhVQ2ROSENE
-            dXhwWXJJbnVBaFpraXJURERMR1lkUjQKFzaekfQFqg2cVT5gks4fXX26GtZu+M1F
-            g+pzNxpFVlzdrXiWrzjePshTVblVsxV8fKpUVoLYwwLOSILRzF3uwg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbVZraFNrMDYzNndkNkxJ
+            OERtbXNOamRDSlhpV05mOTcxbXVxT2xVODM0Ci9WSG5vb0trTzkwZFFOdmlVd3Ar
+            UUN2TVZaMXBaL3d6TmRGZ1h0THhaNGsKLS0tIEFZcVRtNENMS3ZWMUxOeHlYTHlN
+            UDRIM0RYNVdsSmUyOEFDcXdhNHlXVFkKxoX+LTe+xjXh2M45V4oYcLe9lAmxYexe
+            KJ5O588VLGVi4zBpVs1l16JmWAfcfCiMVKOpdvS8vsiQDkGAO3cH4w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:57:04Z"
-    mac: ENC[AES256_GCM,data:qWDAgi9DeHnc4TfH2la54mKtkNRkO3ArfXJBxZ6D6yEk5nylMA+Fw3FBmsKuU+F1/JN7CQVHbez37jjOXDmoFUfGXunionqkaf4wYz/3duRjdm/ApTLLMAYaq1YHzp6XNF4x+1LBtp0RadK//wwhxXQHoYdui9IH2Ts5ALLjOzo=,iv:B86+ovgnit5oKxY1wgxvYBEhRmnjJiQ7GdveJAGytfA=,tag:QgVjYIvIgwXvfbTxiti1OA==,type:str]
+    lastmodified: "2026-03-12T14:08:13Z"
+    mac: ENC[AES256_GCM,data:mkgNY/EwLknddBdn0X9IZfqjmA7NpESqVDNndCKY5eA01s74Ym3sE4JF39abEAs7U7/l675qsF6ew7Cv0OLCArzYDRlN7vYcBqTsnuUOovxi6utAk6VfzYhH8XQpM3CuV6FlUbSoVovUl09O26kB9yDHe1uTOGVa3Kqk/XsKKoc=,iv:BdqsABAeOBAfTvb0q3KQ5ek3UOgu9oh5GQtsu0s1lEc=,tag:Ux1SmPWs7y1/gKx2vVthiA==,type:str]
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
     version: 3.12.1

infra/kargo/values/secret-values.dev.enc.yaml

@@ -1,27 +0,0 @@
-# Kargo secrets for dev/test cluster
-passwordHash: ENC[AES256_GCM,data:qmQr8l5EK92BZyadoAU0+hrOS2N8evnmxroL13GhQbD9idHKhHwkSt6fn1OgYyu+CtnJ6BxeyDyJCNbN,iv:4tnO8HczTo4GO+NFFQK6JRsOYXkS3wFiJfwYrCmot0M=,tag:LTeO8xl31f4+oLy/FDEyIQ==,type:str]
-tokenSigningKey: ENC[AES256_GCM,data:Plf3vK+DJYmFsvS1cHTKtPvsvCC17i2/0lAEnG65CZVcrtux3+BiMY7rukLfW7uw/hQ+6JLB1PS4EWIGMNx/xw==,iv:54mdXGpgJ3f1dkeTyfZbfSoufJE89MUYIQpEz6jUt0E=,tag:KqK4shNvrQ7Dbu0+uYqjPw==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVHNjbmJ2K3ljSHNmdEpE
-            RzdrL1o5ZXhxQXl0N0ptWk5JWjlCYnVtTXdZCkRWUDl5RkkzYXFBbjRpMmdnY254
-            YWhPeEw0MzF6K2VoTEI1R09PV0szQlkKLS0tIG42S0h4VUtsaWN0WTI0V1piYTU5
-            MUYvbzVyWUVRZHRYd21MY2dWMzVBTE0KJ0cSonX/lD3PBjz3BFFPkea+XDDPqGAF
-            gd20j8xOjyV1nu6Dg1qq80ZN3E0rotXnTK5zu/AyW4wcByUTG465Hw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUmlEM1Z4NDRZaU9LSFF3
-            SjZnM0R6U0NlYWtkbGFMdGRXbW9YRjBIeVVjCk9nV05aZk04L0xvUnk4c3hRczZV
-            ZEY4dmI0NndjWHEvSDJ6OTUrS3owM3cKLS0tIFFhWUk5Qy9GMGNrWGM2WnY4SWNm
-            UVVUcktPakNYeWVxakp2RjQweG41MVEKoHKCkhsn29s4JuRCfBqoF78/UcShnCAx
-            sGnz9zTnE+LSVMbknG1+Y3kFdRNXesLFZfyyk3W2atjp7Tw9rGYWTw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:57:04Z"
-    mac: ENC[AES256_GCM,data:E4jKWJsO9bEMzEjmp+XhBx45heXB7W5op11YyC2TV2KA0PNfAa7eZXIAZ7PVjVIfhbmODv3pd3KG4mY7lJ9I1ly6VfFGl4wMtXZkQlVt5+2DF6GyLGGfjKftRcGni4xP2J4wfzZGiIiQ2G8IUfmGy8Wpegw9lo6/UvES1w1kies=,iv:6fwg2NNoZnKq9jiFHLRQ6FZXrx9OzFEnxWU1VwEVoj0=,tag:CiJAekk+4dp/pyWkqXJKVw==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

infra/kargo/values/secret-values.prod.enc.yaml

@@ -1,27 +0,0 @@
-# Kargo secrets for prod cluster
-passwordHash: ENC[AES256_GCM,data:iYRGwF7yug4fy4q70CoWMJCAIwd5nszzTqXHXe88zGRRYw6YtvAszCpGcecRRFhCwIfycTnciXfN,iv:CwerCu5GfMhpTpeqQ2QmMBMwxf7t2L12PUM4yCT4yIE=,tag:XNhTKS0d6T0VhK6E9BDn1w==,type:str]
-tokenSigningKey: ENC[AES256_GCM,data:+05VkEeKatxayA1wK0a19fE6PFc3utOHvvT3Z+4KwfUBI778n5X9rMwSQQSFsbQyduPLITGf5VYKGaC5z3okAQ==,iv:uuS6oHdCLrvh6H38sfYzXTsrZ1lw5CJxjNN/0jchV9Q=,tag:iVuTqL2zew18OMeFwnGqrQ==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYytrSWhtUWtEQUpQVEhh
-            S1RvN2N3ZFcvaFVmdU5KQ2pYTitPMUJJQTNFCml4YWMzRWdiZHAxRUoycHRmTU1L
-            RUhDOEJzSThIVDV0Y1RSQWczeEVXU0UKLS0tIHgwM0k3R2k1V1h5U2tWajdnMElj
-            SUdhZzh1S3Y3cktwTUJzQk5Lc3BjeTAK4LOXLhfyd4NMWsuUm0/Bjxq+9ni6wntw
-            6u2UgYliecKNw4IX+2Ukhp/z4jGlVEayAE8QrfCj7RjBATPUYncPEw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bittd3daOE9jWUJKeHB4
-            R2k4Q3lNSzNkTDA0RTZlL1JrSFNMalRhWEVVCjNYSDVZU3kvRHlqZTRaOGRkZDJI
-            RUJiM2RMY0tFU2QvT25tQlFtK1l1NTgKLS0tIGJDYzhFelR1TkpNL2JmMGJ4YXd2
-            SGNGTGhGWGovbUJHMHh0QWhIWlhBdVUKAKxeFgOPJRaTl5z0bydzd1nr5SDmqfMx
-            7n/OjVadcCg4PLd54eMpgiJ7ts4UeaAK+RxdHtI9Y7jP1ConLffoAg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:57:04Z"
-    mac: ENC[AES256_GCM,data:Mp01K4uHW7ZFXzURs8nzkfwe6d7xgiOds12/VN1I5qB5OoC3afM1pZRQ7/mM0lTyueVt9hTh4B76zAFp6rB+/ombjJ5JPnwyEayAklovy7R6BFC1podhb78npC2u7K5P7DIFI54nJqj1XfFt4eIMQjkR6AnFeT1pqzquF7SVnLQ=,iv:VesrzDd09vugtzAYjB/oyHm99Dmm8dlDgP0NITvd4Rs=,tag:5z5zBC/7ulnqTRz9UXyrhw==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/dev/git-creds-ci.dev.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: ci
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:swl5u5LpFYVKjZcuWaG+QNWLR02gi9dyXlD2yqkcFLTRpWMD3lvSfA==,iv:pixqI9FQMdQzlvs6Mmhp8DvAbofGby5zHISH3bjLwh4=,tag:PHfTfXN12bHrQCJPFW3xJw==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVc3JLYnBtWFZ6NGRhNjha
+            WW1xNW1JUFRTc1dXM203bUdPRmRWWGF6R1RBCmExN1N3STUxVGpIZmtDMzZXMWkz
+            Y2pJUklqM1YyWVlFVVpEQkQ2R0NRUE0KLS0tIDF0cXFYcllWYUlWQStMVU83MEd6
+            cnJia1lOQ21FTjJ3SkxJSDRFaExrNDAK4zDNcqeJsjZYR+b5qX97n+Asa8riugnL
+            kPuBWyO/R8XjvuNfMZb9njt6gSgX1u6aGyxL3rHXbNhvdRmmGfZIdg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaC9kb3ZIVU5zNitJWWVy
+            Ump3MFFBTUQwVUhCQ01PVnUxVVhxT1NaWGpNCnVvSUFNVlU3SDNHK3p6Y0pKLy83
+            eVdlWmRqNHk3ZWNuLzc5ODZXOEN0S0EKLS0tIFRFdDh1cVRxK0dNTEQxallBc01j
+            RmI5SHF5SE5GRTNudGZ6K3hheVZiZFEKXy6rNacjL40EiukSU/SxeiBUMyWe3EVe
+            LvyrP+d7GoC6+wix6IglQUTdV6YKjI0oCJOews+5wNveqc2SMMLlcw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:14Z"
+    mac: ENC[AES256_GCM,data:sy/CRatnNB8U7kMFfkqZlrB9Xs0bD7kmHu5EOGJHxtaMAE+Wql7D7yFh78mJuGJk8snmsGP2xK1Pkqcx38HwWUBbw8kqoT6X45NGn99uCT11sMvz/Kyp98PWVc+IFhqwnNyAfd76gvIkKx4CqkXbxCsxdQaw3RMYEArdGWPufrE=,iv:CUJTpRjXAraVTeBFh7Z4fB/Wk4cXdYnBXpRGJETSm2A=,tag:p+W7xx9thkAkA2iPIDuqjg==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

kargo/credentials/dev/git-creds-infra.dev.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: infra
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:PYZtFr/Yui75oe0M6Bll8eU2qpGf5IygIHUA6L35s5IHPVxUIrbWcg==,iv:NIODrxhD1mTWxq74NoZWZpC9zQQxL3NYIxxO6lAhp8Q=,tag:tcrF1xcFKZBmWFWr7z7/sg==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMY3BSZUZwVytjYXQ3KzB6
+            K0JRdnVwTllMNGJYS05vc1c5R01UdzdUN3owCk80TmJ4RnZIMHU1U0FOWEVoUkZa
+            OVRLVytwMlpPZFRNcS9wdXZKaWlhWncKLS0tIElDZGgwOFdkNCsyUGxEU0tYYjE1
+            YS9TY09rdXRkRmV4bTVOZFBqeitLazgKZCOAKyuKeRN8X89FOdHaT94phsIAZCwk
+            bFPckh5jGn1QKVNYdvLmyPAFO55ehsMA/JRl42YdzCsDSifvuufcCw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UTlsc1hiRWN3UUVwTzhU
+            MkZteGhveUsxaFJ0djd4RXpTYjl1S2l3cmlNCi8zRStWVUVPMkJ0ZVBnZDROdEc4
+            Tk9LOTN5Y3krQXp3Tk9GLzVBVkMrdzQKLS0tIDNkcmpRSkpHMXdvQVZBU3J0UCt0
+            amFPNEpGbUxZb0luNEpaZlJuWnFkd3cKHs6+l+Kapohsah+Zhoob5DXXchw2C5kc
+            cl6KK79gbxN4pTTCmWJHfaiXuohRXol3Z1km6QWrEaNC9IGF6nmGJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:14Z"
+    mac: ENC[AES256_GCM,data:q+gHiqfdUmeOdaHpuj42fHXnrrHY3elE2cDTqlU9+s3atsnDEERoFx/1qJvqlOCYmvHM4h3wyAQHPB6hIt205RKHQJ13TxTEzGWkgrk5eThAolu4w9Z6Vd7Ni0Sv4dyNtdPlkj1N0907sACCBMUelLIpD6acf8jL9+n6E+xIgsE=,iv:1ZsjWgntw6iHuQZYhSm9KrWs36D6FegsweLHwYmxHQM=,tag://6dNpONbhDQUKbaUT8/gA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

kargo/credentials/dev/git-creds-test-env.dev.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: test-env
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:BnToDVLq7wjdMDFL+y+OM6pJlIQibKr9hdLrA4o2hsCDMAxqgGrgdw==,iv:KDJMguvXjehgLfhb9E8Uw3zViT8gLegPGuoQfZsVwvc=,tag:PyZ5CwhnXC71pisaJYBt0Q==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMW1YOE1QRStGVzBtTEo5
+            Q2lkWWxUeE1wT0t5OE1oSklhYmpaREVBWVdFClJ6NWVEUEtFV3pYanZHejZGbldi
+            NExoejZUd2ZFS3FMcHZvMUs1R2c3OG8KLS0tIHFOVmtDQ0pBRXBza25qNVNwOEZX
+            SVZCRWszaG5qS0crc1ZYUmRwMkNlNTAKJqmqt9sZG+zk3zbd9f9zbRtVEAO7soF6
+            AMFdNc6nrDY9KXOCVRwYn+bbcgWr1Gfzv4PF5Kjzp4ApQ/0aA7wLwQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTT216YjBGNnhFUVExbkdG
+            YmNONnU0SWp0aHNvd0YzK202K3owa0c1b3prClRYZ2RFeFUrTzhDdFFNbGxnZURu
+            UEZpY3lVbjZVam5adVJUbThXc0RYUjAKLS0tIG1qR3EzVjlmUE5DREdvbFMxbVRP
+            UDVSQ3lwcExOS1NwSkZwZk1iaXJacHMKrGWH26/kRCWuBjVLfqqVS4stxW/huyqa
+            u/QpRmKO0oFrX0u9l6DfHOaVUUgSao1p8nvEDrHKTLe574d8bayyQA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:14Z"
+    mac: ENC[AES256_GCM,data:20Te36BK8FWJ1jiUrMMl7yDhOJwCw/jGpoJbP5t5NjelJDlx9ygC7LtOkgck1FpaNvhsuroJWbOzojpkzRZKLrIUhpoiIaXpliZ3O5aNpHKFbJsf6tJmEY1cy7VaosF40f0RvH3RxWbjr5jWNGSoi5yKBcFZ32aCK6g2ToXpCHs=,iv:eGWVRv1que1NbfqAluy6UP3jLXpTWtDsFPDws3Addjg=,tag:kU/WSR26mDMdOz/i8Edf7w==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

kargo/credentials/dev/ksops-generator.yaml

@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: kargo-git-credentials
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - git-creds-infra.dev.enc.yaml
+  - git-creds-ci.dev.enc.yaml
+  - git-creds-test-env.dev.enc.yaml

kargo/credentials/git-creds-ci.dev.enc.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: ci
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:m9CZFhTHwaX6TrpGtbAynbI7eiprSrhCVVtST6fWiduFP55/EWtx1Q==,iv:iAjeVVakD8SZWhaEBu7JVR1YL2UGzYNBoy1W13M+Jwg=,tag:ABSswqyDhJG8+zlu8dWrgg==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOWI4eWZxOERjRHVhV1VI
-            MVE3WDErejZrNzBaRnVHK280dXI4WThxR2tvCmVzbE1HR1MzcEgybm8vUVVSOWJY
-            VlVvREl4NVRDRElHVHk5aWpnVkVhNW8KLS0tIG5FOXRwRy8xakFvaVlBTXF5OXJJ
-            aHFlbWh0Ym1NWEswbFM5N01JRGtGMUUKyjiN+bK0+6PLc/LG/dozgrAhB4PLcZmV
-            JVtxrSZWV6RQOuvc/HUw2yhO3dJldYqWauX+7ZOy2o1JACdPe9ixdQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWU9JLzdwbDI1SDJ3MnlE
-            YnlRQkdzWExpa1FGNjArSHFCamc2bWJnbjBBCnlkQlVEQVNDTXMvZ3NWRzhyT2lM
-            R0FpVUdleUVUcVVrTnRxQjVnSFo3S2cKLS0tIG1MZ0hYdGJpdTJ3WWU3MU1WeWFr
-            cklvSldLdW5ERDF1aW95dDlxOUtGbDAK7uoTP8idcEM8rQ7rRashsbzc9f4S7qI9
-            Bl87wLgMAFYfFO41cwSqhMY+gr7HRkDQq65CWo8HpQjMMlneC72jVQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:58:02Z"
-    mac: ENC[AES256_GCM,data:OYJAnGhgB0sOC2KEgse7ZYMkrvrRNsMWqVQZM29VbhPbvp3s3GMmJPROPydsjvm6OE4EIi0C6ry2h9pGoRY5IApw6+tSXVmrlr3oQIjkGqimJVdJ0oBSwEYtZ6gNKpsn1I7ZthXCHBfZmmESkYiTJj8ogdXxNLIqydIuITengpI=,iv:IpBxWcDeGUD9ucIAVjY3Ojc0wd63nWDPDIcH8OtvJY8=,tag:yDZ8d9E9dufB/iGTk71t2Q==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/git-creds-ci.prod.enc.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: ci
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:OHHKJ82Bh3UtuWJwtIr4dNnMDxweZEs/bHQQ7buy+zQM99f1SC4zEA==,iv:kn2P/KO5QKYhNxWKcbphmEmeJayWz/xA3NbfSq3T8K4=,tag:EzwiJHrK36SqRgISnzYmmw==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnREI0NnE1Z0Z6ZE1HWG4x
-            aHhZeDBIYmNJNjZJbVNJR2Myb3Zyb092cW1NCkt0T3Rwamx0S1dudE1rM1ZCTDZv
-            ZDlJTmh5YjdUT3k1YlZlM2FOdzgrc3MKLS0tIFhNeFdrNkRBelZRUldqenhBVFAx
-            dHF0cUFmNXRHS3RkeTVVQzhIVTBXdm8K6c/K14oe/bPkaFCJi/OpoLj3q8RE20Hn
-            /1yeNCfRNkAPyOYQae6XgPI2xL5H+PfhMzRWYa6ebI/Pefl3n4WeSA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdFhPTWRZUEllR01sQzBM
-            RTQvbzM5ZnoyaEtHS21hS1BCWjJFNkZDZml3ClBPZHgvU2lCTHRwL01JUFRpY3pI
-            RTcvNkNZNXkwYkRVQzBWNVRuSllPcTAKLS0tIDMwTlFkcXR1QmNBNDVwQXdPUzR0
-            UlBIbE83UXEzcmVNWXhyOWRXUit4REUKxJQwLz/w4BGMW6OggbaG0kDv0CWIUQi6
-            H1gWD4HKT1JM8rI9GrBJRijmQhJvfn+s3PcRnimVa8sFUXJwR8ffrA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:58:02Z"
-    mac: ENC[AES256_GCM,data:0sm3v9oBiyy+3/es2piC9O3505QyaiylQSy7/7IkOYHcLQi5T0R6pXV+LlTMrJgxbvQg5PjyFxtGDF/MS9VM7iimDwJzAwC+Jv9Z9senKG6DwenUl8B/hHtXoWHGIxKrzR+0nnh756u+ftDTR5u7PDdd03UIn+n6fhpZ3tRB1q8=,iv:T3KPpdXz+8Bq0TBlIPR3+tFWHEBsE515rBWWDyM0VGM=,tag:+aBXzSUykrdazF6lXGNwHQ==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/git-creds-infra.dev.enc.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: infra
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:lzaZLTkmA68DadpquacJNc6CMxwv3wOlWh6Ze8e23F9lzFKw3oB5gg==,iv:9EZUg6DSUFnNddOaiB2oIfNYhaOKKkrP9Hkf+5OGcLk=,tag:rr6ej2x87mquQbXiBM7+Ow==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCeGdkaVJiNWE0Q0xWbTVT
-            dkZDN296VXJUMktMVUZ2U3FyeUwvVzBSaWc0CmRlWFpLdTlCNXl3eEtKcDRrUzhV
-            SG9KdkhlSTg0SnZwK3BvS0hkT3FjbjgKLS0tIDA2Y1lic053ejR0UWZUekZ1Y1JK
-            c2llUmhKNTRjaW1zQ3AyZzUvR1VRUG8KuFXq5pbpEEZd3P/E5bD0FCuSOIuGCsJL
-            bUx6VucI1zZF0DbXjzr28FsxqSJW4GiCpDscj1LGQIZa5jvj8aWMXA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRlh5SXdkTmZOVUdXc21N
-            aXNZaDhydXA3dUU4OHlidmViM2xUQU5rNDF3Ck9iditWSWcyaWoxNTVTRzN5Y0ZU
-            c21BT2R6U2lxNkh6cU9kdjFSRUVjUWsKLS0tIHBwWGI1R2p0TTg1amFRM2FlYVQx
-            Q2lIZDJ0ZkliWEtiVGd5eXIxMjB1OGMKeK2iTyPBrcIWByU9QXZ3Ora7gylwC66g
-            diGbcUF5ER7mUt0KEILTwuMkTUbhy1F5zLYB7p4e49YdY2O8mz51SA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:58:02Z"
-    mac: ENC[AES256_GCM,data:dzyW+dAsjPDrZQ3EWNnhLWfd9DSmRVSp1Qrm+nx4qFfsRoS5y61jnkhVyupq2OUVsuUTuePIAqmZQI16HD0TTMJIN9UKPdW2sEj/DGwdBXqcJRs6mvJlv79Jh2VlzJdJSpZf/YhCBVIVThZqrWBI1T1jPdN1gaJ0ov6cSAqYjPU=,iv:MMhdUthu2nUFJOkxXz00xXMiH7tit7sNejU/aXuQOmY=,tag:+NSHR9T4wlpJaBH5ZdxhvA==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/git-creds-infra.prod.enc.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: infra
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:2ucqkKTdxBlW2GCRmr4ZqrZZS2KuIcUCkhyF6/dIy0jGiUTM1iQIiQ==,iv:gTnztDCoZX9rfK6cnnoOOs6WD8mmw6tWr2z9JUkj+sA=,tag:I5OgSmjtAbnXxyhCe7y3GA==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RVRoa2ZTT2llSitDYlRn
-            RU1RRkVNdnFFZWpMU0ZoU2Q0bGRKVFViZEc4CkdaalppTll1Q0c4T29aYks2a3Nq
-            azBaMWtJL3hyQlFVMFpUTjcrQ3BkU0kKLS0tIC80azJYWnhGZHpwK0lWa1FrS1d4
-            WlFjQk9WZVdoSnhnT1lROFZzUWMxb00KJ6i6Vap1FCYYUcTiNh5dyHbSeyXthtdf
-            iQcMjvZlOgKuHVPmaiXv8Mh+AHNl0RgWN2nNEoa1NPhriGU36ZmVWA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMUx5UkNBZHlZdVhlaXV3
-            OVNXTitPd2lQQXFoanNjb014ODB3ZUVLRHlvCmdBbkpmaXkzSXZxRFdPZEVubVJC
-            NHpyUDVkVjV5QXRPbnBHNkZhclMzc1UKLS0tIGtWcHZGMEorbFNEeStmSW80WE9N
-            RjRLYkhHMmd6UTNUSkxCUUFvMzVkdTAKJhUHz7PDrJca3OIdXyzXzD86/7tkCSm4
-            Q6q6WbscBBMtclrO5EfbHuzUUNuejFRLjeHjvPCBb5z/i6sp6Pxyuw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:58:02Z"
-    mac: ENC[AES256_GCM,data:KetBMvqfuE4eSrQoKmFJ0fkHHAvxFjQJvm9b9haSODfXDUxZ7DOYlVAVrZzf7L9VYFj7iP+yQeW2cLuV0JRH9+CL6u2GuvtK5WPC82NhRK/I5dEF+x3VIFjc3amr62FEuOjPeLOiAqluPeJ3BscW/Gj6UXKrLgrPzmZZgzzBHb4=,iv:fNbOFcpkAmom0Tf7xeoDfyklWNxIhHANS3WguPtrDK4=,tag:lsbhvAgSWdp+XKPKpGU56Q==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/git-creds-test-env.dev.enc.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: test-env
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:pGwKoR6eurha3ATmL0XP01DTK3qXCxAV3SdFYmNFokKMZI+VuzZ/GQ==,iv:DKVdeBRQS+HjPkHftJZZuXf7yB+I18Ae3iK+7L+hZQ0=,tag:/K6twgUKTNrn6s1rDTAeQA==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTk5seDNiR2dRcXRRclJZ
-            UlNuRXZGd3ZMTDNsaHVrYUtnUmsyNk1IVkJFCmo0Y0pwdnlsay9qcy8rakk4ejBF
-            VHAzbmRObUFVVVpZN0JraHRlVmhhNW8KLS0tIHNXd01OUnVxclRXcE9iNFNzZS9S
-            UlQzRnlSb2F0Y0J0eVdZN1BSelRrSWcK8V99m3Hh2mOm9csGG42k4FIeFbQnkXIr
-            w3elSENAib0rFz7Uewpn1VD3yjFL7SVv33bVOEuM3KlHDtUnF6fuuQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOS05ZanNzMWRFRG5EUlNq
-            WmtLUHpHRE0rWXRuVXRLRDFiRDZSZmdEc2lnCmMrbHRxRUhIWDFkaTJlekxrckxj
-            V3ROU25aOVZGVzVUY3IwRlhwYWhBWEUKLS0tIHZCS1ZobFlqQ2NZSUt3N1VSV2l4
-            SmVWWDRhckRxek1jRFpPUnIxb0QxaDQKmkVXDqP0tjaWo/fkdqrIatV/bhyQt9vb
-            Rzz21KATjKow6VtekA3FVOVchlDsaYDLkhuLI69I1lIYqR99ovS+8w==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:58:02Z"
-    mac: ENC[AES256_GCM,data:CDESJXzhctA4WexUb2hP6ykWkRCWUsgIYHOSmRnHUlyf6Pd8uF43Bl/+ZHWhE6SLWf3LKGMOKSU60Qkh1aSH+Z9BqaiKa3dL0MIQx4yXRe9NzS/mEki4IsuQi27AZ6BKD93tznyVKbCAzxmyP1jRhbRNIKBA2dWoQAITX1w2vvA=,iv:l8JZK3a17DfIn3llapKnUZH7SRNCte5MNPZzjtPJbxA=,tag:rEcarIr7UhsV+THixTUiKw==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/git-creds-test-env.prod.enc.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: test-env
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:YIFtzQT8BYFwj5SfRDGxd/ND6BzpFSbERF3u+TyFjCoFqQXqk4g9ew==,iv:gOwNFYoErJhEJglBP9Oed45/CFQXXHlPqid3RzScvdA=,tag:iTJfhSTKceOl5lv4YiGo4Q==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBza2JKZTlxSTZOZ1lzNllu
-            TWdoL0lKSDc0Ri9BMWs1aDhSU1VaQ1dod2dzCk5sRHdIa1B3a2RMbTViZ3lPc04y
-            OUQ4WVNRR3JrZ1lyZXJvd3lFVUYxdlEKLS0tIFRNM0dqR1RGMVZ2alprMmxRQndo
-            Y0h3RE5WaHprRDZWUnBCQURhS0tnbHMKz9/qP2w1KURlDAWVcjfUFz1kJy/ed53w
-            SpKMwvWTfYTvvZMNnz1XgxMfKXu4TKWAuP9mJ+rmcj5jIcPSGxetUA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeTd6Uk5yN2o5MDhsa0V6
-            UTZGZ29rSmFYbm5uRkg2UGNNdW13UmJ0eWxFCnZCWU5RalJEdFQ1SCtxdGQxVDhV
-            R3FsbkppRHkwbEdmYTU0dE5leEUxN2cKLS0tIDZtc3orbkhKMVVmdnpQRDVRUm9P
-            ck5QYkczblV0YndpQ0hoN3lDWDhrbUEKG5nPWrnAHFvUCsf/Zwgo22oiP1nIvXc5
-            PSo+hPCzFAjVtg7y1jO8HcwUVOgtcH/LN4NwcMF/I7VZajHRZXEQXQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T06:58:02Z"
-    mac: ENC[AES256_GCM,data:3/YKxY5Ai543PDiUZi767xsmgJSI+bWyBQER+ICo9jQydbef1gJ2Rp3TitnuSiD2H+l41b2tIEFp4y3IaXSD6B+8cbf+bs7YdXznJzFd/V3FKjKncQJkJdTlLDijJRsjPczEFA/syhy/i8jMORoid1SNQrk2l0XmiWx7bujTOys=,iv:Wtdf3swbTJEXQu2+JNu8mqYHWvK9DIZRLuXLoKB5n9w=,tag:jMiSS9gzmZpWXNVq3liyTA==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    version: 3.12.1

kargo/credentials/ksops-generator.yaml

@@ -1,20 +0,0 @@
-# ksops generator: decrypts SOPS-encrypted K8s Secret manifests
-# ArgoCD repo-server must have ksops + sops + age installed
-#
-# Dev cluster uses: *.dev.enc.yaml
-# Prod cluster uses: *.prod.enc.yaml
-#
-# Which files to decrypt is controlled by the kustomization overlay
-# in the cluster-specific branch (infra/stage/dev or infra/stage/prod)
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: kargo-git-credentials
-  annotations:
-    config.kubernetes.io/function: |
-      exec:
-        path: ksops
-files:
-  - git-creds-infra.dev.enc.yaml
-  - git-creds-ci.dev.enc.yaml
-  - git-creds-test-env.dev.enc.yaml

kargo/credentials/prod/git-creds-ci.prod.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: ci
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:tmjqB73hSjvgQy4fhUiJqz4Sclj41PIgYS9TLRly38eGN3CX75CX3Q==,iv:oICPKbWpVposLMLBErRY1s0MkNw8NISAS04iq+MbA6g=,tag:LF2/oRd3S84oA1kWvoQe5Q==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFZzaFRUTkFZYmNxaGt4
+            akhoV3J5RW1aYlQ2U3VOaFpnT1Z2TlJhVmtrCkcwM3JBZmNTdWVLdmY5SGtCeUR0
+            SWxWdW0va2hQZkFnZzhydGJjcEhIRFUKLS0tIE9CTXY0Y0ozWHhLanBzeitnNHUw
+            c1RzY1grRFVmN09rK2VnY3RsWHhYbDQK+OkyZkNX3GtnQJIPYCgjlgz4aCc5Axow
+            4oLiPPgo3MKDMz/mDA3MSZFM7dU19Yj613Eg3Y/aqLU/XGLm13RenQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSzYweVY5VW9kMW1PaCsr
+            UjFuN1l2b0NqZlBBVU9PRFAvblNUanY2dENJClcvcnVEMEJ0aDBYdXZBcDdQSkQ5
+            Rk1aeTJralZoUU9EazZieC9sVlJuZ0UKLS0tIFNmaVhXVWxxVVRVQXB5b21xcVRr
+            ZXYxQjMvMmR4enl6VzlObjBkT0pKVDAKC+29tK9WxsYzzzgz8c7ob6Z7I+XseXpB
+            pHoaft6P/lyLA0reVEHgeWs5VfqQFtLyrfOOx9KKf6hHxpdfhcZ+KA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:14Z"
+    mac: ENC[AES256_GCM,data:IaDYevGdOT9//dj9HR5XoPcu7wkOe6z1NFhC8KDK6EWZvuAhSix0Rlg21OBpJicszZv3dEgd/pQkGr9i9BFW0T52oClg9bCZQUhd1Kh1VZRtA9VE+bXfdHqgt8+AC9sXS4epeZrRBLHv3swmLYYeokXRYFm9Ffi28y2xWthnywA=,iv:Sqdg7HySRrBuXJleJi/2kXrCSlQUh3zJ1I6lVIvgqa0=,tag:35u7xo34avuPK/TrHtbdJg==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

kargo/credentials/prod/git-creds-infra.prod.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: infra
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:iKCAh7QI2+aCk+91Z7EepDZgVAVqwG/+Wg2ywEtg2eyQN4iR2z6QXQ==,iv:1GtbHc7lgi5LI3+WuD2LMG6sFjPR1tfYmrHYOkSiUJs=,tag:oxMmtgOJgbaNRdvzqmtIgQ==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZ1lzYWJ6ekl1Rk1wcnZH
+            YnRpdzVtRTkrZFNQWTBab0NncHlyb04wYlc4CnJSUEs5OW9kZ1JBZ0FOTWZuTzRl
+            Z2NCd2tHaVRJVFhqdXlTNjZwa1V2Q0kKLS0tIHRkS1FmMW5kTWw1azY1NC9iYXY0
+            R2g4V0JyYzcySG5GNEVMaWZ1c3hpZDAKfJLwr81KsZmYmjfGov8z/GVhBZCQrLq5
+            cfG3vgEGm90g4tOzyo6lwfy84ZRjymcyucGn3AwSLW9/UlxQT4PsKw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUTVtMkNpekNDU1FiaEEr
+            cmI2RGo2L2VNeUZjUVVBYnVyaFhVczRTUWpBClAxV3AwSS9Tc2JJK2FwelFVck5i
+            OXVud3locysybUhaNm9RMGN3RkViUTgKLS0tIDh0SjQ3alhjQjR2QmZWdjVrSzVt
+            c0JTZnVNSk5ERUNXVDRNc2E4d3JLR2sKjyidz2xqy61sJ26sELHansCcAPN+x9VS
+            j6vSt/0CPPADzaVzsvHiVY6gWoDI5EtdYeUFPUw8cSBc+eT/846lyQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:14Z"
+    mac: ENC[AES256_GCM,data:ZGN9t/KEMATRH4YWbnxe39lJyKyCbEEADQLk2Sj+jPY9LF6yZq2ixRaB9mMKzrz4MLq+eghzZoWeCD0MaqjtcaNTSP7tiVL7PCFZMXT7IPYbMDbeLEPiLYg4gNb0lim6bHcQH2R5N6ZA//1+cLEdJVJ0gH8YHfIxOKzvGT3fBCk=,iv:qE2Z+q5Znbo+Wv040TuBJuvU/N2dFKb64LYHyfUSKhA=,tag:l3h7cwlM/jmuGlCPo9gm8A==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

kargo/credentials/prod/git-creds-test-env.prod.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-creds
+    namespace: test-env
+    labels:
+        kargo.akuity.io/cred-type: git
+type: Opaque
+stringData:
+    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
+    username: Kargones
+    password: ENC[AES256_GCM,data:bni/9XNGoW9KwzL3ovyu/BDcdv5dgKo6vDoZUVSebueX60SJwnc+CA==,iv:ef3MR/6a6VRzanDMfl7H9PygSHV7HGqp0OkeY/Yv27Q=,tag:D4OWKTbj5HB+TURvJAEfbg==,type:str]
+sops:
+    age:
+        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TS92bXkwRGZaK0s4OHdE
+            Y25rMFRyK2FLeUJ1c0gwWlVQdm1OMDl5eUdrCmxQZ01vb2NwVXBoWXpJMzJ6VS9N
+            eTBKbjdQUmdIclFObmpqVW9qb2RUcWcKLS0tIDVjN2lTSWJ4ZVQwazZObThJRVhI
+            czJib0UzS0ZuOE9uaVpOclQ3cEI3cjQKnrqviLM7T5OEqhtT0rhSZ86vtr88gAtw
+            je4yt20hcATuKLKnjIorFtXR6tww1zW92LiORP2VTiYC25IuHv4ccA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZDhDdVBQS3hsTDZVdi9G
+            dzk3SFpzT0NVdzhUcTB6bm16YlRhSjFNa1h3CllFR1hxdDNZc1JZMERtTlIxY1R3
+            dUtmRGlranY3eFFWTWU0VFVBMkRyREEKLS0tIEFNWG1wZG9SWkJCTGkxNUQwaU05
+            UFcwbGhuVXI0Q3d0VWpqM09KaWFGZkkKOfVRoQqOKWVPsvcnRrCLAUfvXZje2zrw
+            EQ5CeyjoZL9lxzuWMxoe71e1lzo1ecwV4Wdu4G54wSuzhxA9vwpSTg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-12T14:08:14Z"
+    mac: ENC[AES256_GCM,data:mc59PsRuw1JnjMxFR/y37oOJmnoojpFd8hEKounvA/lMf1rBvUAcQ6sYK+qajBHvtnzlCuMpuetxYY1v2djfRrp4GhwQotmSpAb2fqO1kz1JEqHkFeZ2ZeBtnytVf9I95VAeU/zJV1X2TrUW14ZmOvowtdRYFkSdY6Z3/Hs9vic=,iv:DlsN9rmiEq/2xBQS/LghBoVQcT+7XfSJJ7r5rKhTB/k=,tag:cuLvv4e7r25mjVCGrQZYNA==,type:str]
+    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
+    mac_only_encrypted: true
+    version: 3.12.1

kargo/credentials/prod/ksops-generator.yaml

@@ -1,5 +1,3 @@
-# ksops generator for PROD cluster
-# Replace ksops-generator.yaml on infra/stage/prod branch
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

kargo/credentials/prod/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+  - ksops-generator.yaml

kargo/infra/stages/dev.yaml

@@ -30,20 +30,6 @@ spec:
         - uses: git-clear
           config:
             path: ./out
-        - uses: yaml-update
-          as: update-cert-manager
-          config:
-            path: ./src/infra/cert-manager/config.yaml
-            updates:
-              - key: source.targetRevision
-                value: ${{ chartFrom("https://charts.jetstack.io", "cert-manager").Version }}
-        - uses: yaml-update
-          as: update-argo-rollouts
-          config:
-            path: ./src/infra/argo-rollouts/config.yaml
-            updates:
-              - key: source.targetRevision
-                value: ${{ chartFrom("https://argoproj.github.io/argo-helm", "argo-rollouts").Version }}
         - uses: yaml-update
           as: update-gitea
           config:

kargo/infra/warehouse.yaml

@@ -5,16 +5,6 @@ metadata:
   namespace: infra
 spec:
   subscriptions:
-    - chart:
-        repoURL: https://charts.jetstack.io
-        name: cert-manager
-        semverConstraint: ">=1.17.0"
-        discoveryLimit: 5
-    - chart:
-        repoURL: https://argoproj.github.io/argo-helm
-        name: argo-rollouts
-        semverConstraint: ">=2.39.0"
-        discoveryLimit: 5
     - chart:
         repoURL: https://dl.gitea.com/charts
         name: gitea

kargo/test-env/warehouse.yaml

@@ -4,5 +4,11 @@ metadata:
   name: test-env-images
   namespace: test-env
 spec:
-  subscriptions: []
-  # TODO: Add container image subscriptions for test services
+  # Placeholder: no subscriptions yet.
+  # When test services are added, subscribe to their container images here.
+  subscriptions:
+    - chart:
+        repoURL: https://dl.gitea.com/charts
+        name: gitea
+        semverConstraint: ">=0.0.1"
+        discoveryLimit: 1

test-env/config.yaml

@@ -1,10 +1,10 @@
 {
-  "name": "kargo-credentials",
-  "namespace": "default",
-  "step": "5",
+  "name": "test-env",
+  "namespace": "test-env",
+  "step": "6",
   "source": {
     "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "kargo/credentials",
+    "path": "test-env",
     "targetRevision": "main"
   }
 }

test-env/gitea-runner/configmap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-env-runner-config
+  namespace: test-env
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      file: .runner
+      capacity: 1
+      timeout: 3h
+      labels:
+        - "edt:docker://benadis/ar-edt-slim:latest"
+        - "ubuntu-latest:docker://node:20-bullseye"
+    cache:
+      enabled: true
+      dir: ""
+    container:
+      network: ""
+      privileged: false
+      options:
+      workdir_parent:

test-env/gitea-runner/deployment.yaml

@@ -0,0 +1,161 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-env-runner
+  namespace: test-env
+  labels:
+    app: test-env-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-env-runner
+  template:
+    metadata:
+      labels:
+        app: test-env-runner
+    spec:
+      serviceAccountName: runner-registrar
+      initContainers:
+        # Obtain registration token from Gitea API once, write to shared volume.
+        # Uses the same token if .runner file already exists (idempotent).
+        - name: register
+          image: alpine/k8s:1.35.1
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+              # If already registered, skip
+              if [ -f /data/.runner ]; then
+                echo "Runner already registered, skipping."
+                exit 0
+              fi
+
+              # Get Gitea admin credentials
+              USER=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.username}' | base64 -d)
+              PASS=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.password}' | base64 -d)
+
+              # Resolve Gitea pod IP (headless service)
+              GITEA_POD_IP=$(kubectl -n gitea get pod -l app.kubernetes.io/name=gitea \
+                -o jsonpath='{.items[0].status.podIP}')
+              GITEA_URL="http://${GITEA_POD_IP}:3000"
+
+              # Wait for Gitea API
+              for i in $(seq 1 30); do
+                if curl -sf "$GITEA_URL/api/v1/version" > /dev/null 2>&1; then
+                  break
+                fi
+                echo "Waiting for Gitea API... ($i/30)"
+                sleep 5
+              done
+
+              # Get registration token
+              TOKEN=$(curl -sf -X POST -u "$USER:$PASS" \
+                "$GITEA_URL/api/v1/user/actions/runners/registration-token" \
+                | sed 's/.*"token":"\([^"]*\)".*/\1/')
+
+              if [ -z "$TOKEN" ]; then
+                echo "ERROR: Failed to get registration token"
+                exit 1
+              fi
+              echo "Got token: ${TOKEN:0:8}..."
+
+              # Write token for the runner container
+              echo "$TOKEN" > /data/.registration-token
+              echo "$GITEA_URL" > /data/.gitea-url
+              echo "Token saved to /data/.registration-token"
+          volumeMounts:
+            - name: data
+              mountPath: /data
+      containers:
+        # Docker-in-Docker sidecar (required for act_runner to execute workflows)
+        - name: dind
+          image: docker:27-dind
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: ""
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /var/run
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: "2"
+              memory: 2Gi
+        - name: runner
+          image: gitea/act_runner:0.2.11
+          command:
+            - sh
+            - -c
+            - |
+              # Wait for Docker daemon
+              echo "Waiting for Docker daemon..."
+              for i in $(seq 1 30); do
+                if docker info > /dev/null 2>&1; then
+                  echo "Docker daemon is ready"
+                  break
+                fi
+                sleep 2
+              done
+
+              # Register if not yet registered
+              if [ ! -f /data/.runner ] && [ -f /data/.registration-token ]; then
+                TOKEN=$(cat /data/.registration-token)
+                GITEA_URL=$(cat /data/.gitea-url)
+                echo "Registering runner at $GITEA_URL..."
+                act_runner register --no-interactive \
+                  --instance "$GITEA_URL" \
+                  --token "$TOKEN" \
+                  --name "test-env-runner" \
+                  --labels "edt:docker://benadis/ar-edt-slim:latest,ubuntu-latest:docker://node:20-bullseye"
+              fi
+
+              # Start daemon
+              exec act_runner daemon
+          env:
+            - name: DOCKER_HOST
+              value: "unix:///var/run/docker.sock"
+            - name: GITEA_INSTANCE_URL
+              value: "http://gitea-http.gitea.svc.cluster.local:3000"
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /var/run
+            - name: config
+              mountPath: /config
+              readOnly: true
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: "2"
+              memory: 2Gi
+      volumes:
+        - name: docker-socket
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: test-env-runner-config
+        - name: data
+          persistentVolumeClaim:
+            claimName: runner-data
+---
+# PVC for runner data — persists .runner registration across pod restarts
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: runner-data
+  namespace: test-env
+spec:
+  storageClassName: local-path
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 1Gi

test-env/gitea-runner/rbac.yaml

@@ -0,0 +1,34 @@
+# RBAC for runner registration initContainer
+# Allows reading gitea-admin secret and listing pods in gitea namespace
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: runner-registrar
+  namespace: test-env
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test-env-gitea-reader
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["gitea-admin"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-env-gitea-reader
+subjects:
+  - kind: ServiceAccount
+    name: runner-registrar
+    namespace: test-env
+roleRef:
+  kind: ClusterRole
+  name: test-env-gitea-reader
+  apiGroup: rbac.authorization.k8s.io

test-env/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # NOTE: namespace.yaml removed — ArgoCD creates namespace via syncOptions.CreateNamespace
+  # The namespace is shared with kargo-test-env-pipeline app.
+  # PostgreSQL 18.x-2.1C (image has built-in 1C entrypoint)
+  - postgres/statefulset.yaml
+  - postgres/service.yaml
+  # 1C:Enterprise server (ragent + crserver + ras)
+  - onec-server/statefulset.yaml
+  - onec-server/service.yaml
+  - onec-server/service-nodeport.yaml
+  - onec-server/configmap.yaml
+  # Gitea Actions runner (for apk-ci-ng workflows)
+  - gitea-runner/deployment.yaml
+  - gitea-runner/configmap.yaml
+  - gitea-runner/rbac.yaml

test-env/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-env
+  labels:
+    name: test-env
+    environment: dev

test-env/onec-server/configmap.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: onec-config
+  namespace: test-env
+data:
+  # HASP license server configuration
+  # Points to external license server for 1C client mode
+  nethasp.ini: |
+    [NH_COMMON]
+    NH_TCPIP = Enabled
+
+    [NH_TCPIP]
+    NH_SERVER_ADDR = 89.110.88.209
+    NH_PORT_NUMBER = 475
+
+  # 1C server entrypoint: starts ragent, crserver, ras, sshd
+  # Based on docker-compose env service from tester.benadis.org
+  entrypoint.sh: |
+    #!/bin/bash
+    set -e
+
+    ONEC_BASE="/opt/1cv8/x86_64"
+    # Auto-detect 1C version directory
+    ONEC_VER=$(ls -1 "$ONEC_BASE" | sort -V | tail -1)
+    ONEC_BIN="$ONEC_BASE/$ONEC_VER"
+
+    echo "=== Starting 1C:Enterprise $ONEC_VER ==="
+
+    mkdir -p /data/srv1c /data/storage
+
+    # Start ragent (cluster manager) — port 1540
+    $ONEC_BIN/ragent -port 1540 -regport 1541 -range 1560:1591 -d /data/srv1c &
+
+    # Start crserver (configuration repository server) — port 1542
+    $ONEC_BIN/crserver -port 1542 -d /data/storage &
+
+    # Wait for ragent to start, then launch RAS
+    sleep 3
+    $ONEC_BIN/ras cluster --port 1545 &
+
+    # Start SSH daemon if available
+    if [ -x /usr/sbin/sshd ]; then
+        /usr/sbin/sshd 2>/dev/null || true
+    fi
+
+    echo "Test environment ready (ragent:1540, crserver:1542, ras:1545)"
+    exec tail -f /dev/null

test-env/onec-server/service-nodeport.yaml

@@ -0,0 +1,34 @@
+# NodePort service for external access to 1C server
+# Accessed via SSH tunnels from connect-multi.ps1
+apiVersion: v1
+kind: Service
+metadata:
+  name: onec-nodeport
+  namespace: test-env
+  labels:
+    app: onec-server
+spec:
+  type: NodePort
+  selector:
+    app: onec-server
+  ports:
+    - name: ragent
+      port: 1540
+      targetPort: 1540
+      nodePort: 31540
+      protocol: TCP
+    - name: regport
+      port: 1541
+      targetPort: 1541
+      nodePort: 31541
+      protocol: TCP
+    - name: crserver
+      port: 1542
+      targetPort: 1542
+      nodePort: 31542
+      protocol: TCP
+    - name: ras
+      port: 1545
+      targetPort: 1545
+      nodePort: 31545
+      protocol: TCP

test-env/onec-server/service.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: onec-server
+  namespace: test-env
+  labels:
+    app: onec-server
+spec:
+  type: ClusterIP
+  selector:
+    app: onec-server
+  ports:
+    - name: ragent
+      port: 1540
+      targetPort: 1540
+      protocol: TCP
+    - name: regport
+      port: 1541
+      targetPort: 1541
+      protocol: TCP
+    - name: crserver
+      port: 1542
+      targetPort: 1542
+      protocol: TCP
+    - name: ras
+      port: 1545
+      targetPort: 1545
+      protocol: TCP

test-env/onec-server/statefulset.yaml

@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: onec-server
+  namespace: test-env
+  labels:
+    app: onec-server
+spec:
+  serviceName: onec-server
+  replicas: 1
+  selector:
+    matchLabels:
+      app: onec-server
+  template:
+    metadata:
+      labels:
+        app: onec-server
+    spec:
+      # Stable hostname for 1C community license (tied to hostname, not hardware)
+      hostname: test-env-0
+      containers:
+        - name: onec
+          image: benadis/ar-edt:6.2.27.1
+          command: ["/scripts/entrypoint.sh"]
+          env:
+            - name: LANG
+              value: "ru_RU.UTF-8"
+            - name: LC_ALL
+              value: "ru_RU.UTF-8"
+            - name: TZ
+              value: "Europe/Moscow"
+            - name: PGHOST
+              value: "postgres.test-env.svc.cluster.local"
+            - name: PGPORT
+              value: "5432"
+            - name: PGUSER
+              value: "usr1cv8"
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: test-env-secrets
+                  key: pg-password
+          ports:
+            - name: ragent
+              containerPort: 1540
+              protocol: TCP
+            - name: regport
+              containerPort: 1541
+              protocol: TCP
+            - name: crserver
+              containerPort: 1542
+              protocol: TCP
+            - name: ras
+              containerPort: 1545
+              protocol: TCP
+          volumeMounts:
+            - name: onec-data
+              mountPath: /data
+            - name: onec-scripts
+              mountPath: /scripts
+              readOnly: true
+            - name: onec-nethasp
+              mountPath: /opt/1cv8/conf/nethasp.ini
+              subPath: nethasp.ini
+              readOnly: true
+          resources:
+            requests:
+              cpu: 200m
+              memory: 512Mi
+            limits:
+              cpu: "4"
+              memory: 4Gi
+          readinessProbe:
+            exec:
+              command: ["sh", "-c", "pgrep ragent && pgrep crserver"]
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            exec:
+              command: ["sh", "-c", "pgrep ragent"]
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 5
+      volumes:
+        - name: onec-scripts
+          configMap:
+            name: onec-config
+            items:
+              - key: entrypoint.sh
+                path: entrypoint.sh
+                mode: 0755
+        - name: onec-nethasp
+          configMap:
+            name: onec-config
+            items:
+              - key: nethasp.ini
+                path: nethasp.ini
+  volumeClaimTemplates:
+    - metadata:
+        name: onec-data
+      spec:
+        storageClassName: local-path
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Gi

test-env/postgres/configmap.yaml

@@ -0,0 +1,10 @@
+# PostgreSQL ConfigMap
+# The benadis/pg-1c image has a built-in entrypoint that:
+#   1. Configures postgresql.conf with 1C optimizations on first run
+#   2. Sets pg_hba.conf for network access
+#   3. Creates usr1cv8 superuser
+#   4. Starts PostgreSQL
+#
+# No additional configuration needed — all settings are baked into the image.
+# This file is kept as documentation placeholder.
+# If custom settings are needed in the future, mount them via ConfigMap.

test-env/postgres/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: test-env
+  labels:
+    app: test-pg
+spec:
+  type: ClusterIP
+  selector:
+    app: test-pg
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+      protocol: TCP

test-env/postgres/statefulset.yaml

@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-pg
+  namespace: test-env
+  labels:
+    app: test-pg
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-pg
+  template:
+    metadata:
+      labels:
+        app: test-pg
+    spec:
+      initContainers:
+        # On first run the PVC is empty — copy the pre-built PG cluster
+        # from the image so the main entrypoint can configure and start it.
+        - name: init-pgdata
+          image: benadis/pg-1c:18.1-2.1C
+          command:
+            - sh
+            - -c
+            - |
+              if [ ! -d /data/18/main ]; then
+                echo "Initializing PG data from image..."
+                cp -a /var/lib/postgresql/. /data/
+                echo "Done."
+              else
+                echo "PG data already exists, skipping init."
+              fi
+          volumeMounts:
+            - name: pg-data
+              mountPath: /data
+      containers:
+        - name: postgres
+          image: benadis/pg-1c:18.1-2.1C
+          # Override entrypoint to handle "role already exists" on PVC reuse.
+          # The image entrypoint uses `set -e` + CREATE USER without IF NOT EXISTS,
+          # causing crash when PVC already has the user from a previous init.
+          command:
+            - bash
+            - -c
+            - |
+              # Patch entrypoint: make CREATE USER idempotent.
+              # Image entrypoint uses `set -e` + bare CREATE USER which fails
+              # when PVC is reused and the role already exists.
+              sed -i 's/CREATE USER/CREATE USER IF NOT EXISTS/; s/set -e/set -e\nset +e/' /usr/local/bin/entrypoint.sh 2>/dev/null || true
+              exec /usr/local/bin/entrypoint.sh postgres
+          env:
+            - name: LANG
+              value: "ru_RU.UTF-8"
+            - name: LC_ALL
+              value: "ru_RU.UTF-8"
+            - name: TZ
+              value: "Europe/Moscow"
+          ports:
+            - name: postgres
+              containerPort: 5432
+              protocol: TCP
+          volumeMounts:
+            - name: pg-data
+              mountPath: /var/lib/postgresql
+          resources:
+            requests:
+              cpu: 200m
+              memory: 512Mi
+            limits:
+              cpu: "2"
+              memory: 4Gi
+          readinessProbe:
+            exec:
+              command:
+                - su
+                - "-"
+                - postgres
+                - "-c"
+                - "/usr/lib/postgresql/18/bin/pg_isready"
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            exec:
+              command:
+                - su
+                - "-"
+                - postgres
+                - "-c"
+                - "/usr/lib/postgresql/18/bin/pg_isready"
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 5
+  volumeClaimTemplates:
+    - metadata:
+        name: pg-data
+      spec:
+        storageClassName: local-path
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 20Gi

test-env/secrets/placeholder.yaml

@@ -0,0 +1,22 @@
+# Placeholder for SOPS-encrypted secrets
+# Actual secrets will be encrypted with: sops --encrypt --age <admin-key>,<dev-key>
+#
+# Required secrets (create as test-env-secrets):
+#   pg-password: password for PostgreSQL usr1cv8 user
+#
+# Required secrets (create as test-env-runner-token):
+#   token: Gitea Actions runner registration token
+#
+# Example (before encryption):
+#   apiVersion: v1
+#   kind: Secret
+#   metadata:
+#     name: test-env-secrets
+#     namespace: test-env
+#   type: Opaque
+#   stringData:
+#     pg-password: "usr1cv8"
+#
+# For now, create secrets manually in the cluster:
+#   kubectl -n test-env create secret generic test-env-secrets --from-literal=pg-password=usr1cv8
+#   kubectl -n test-env create secret generic test-env-runner-token --from-literal=token=<TOKEN>