promote(infra/test): freight 3a5e73c3518742b8d5039f4024eec9f7438b3f7a

.sops.yaml

@@ -1,56 +0,0 @@
-# SOPS configuration for deploy-app-kargo-private
-# Zero Trust key model: dev cannot decrypt prod, prod cannot decrypt dev.
-# Test secrets accessible to both dev and prod.
-#
-# Keys:
-#   admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7  (master, backup/audit)
-#   dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g  (dev cluster only)
-#   test:  age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33  (shared test environment)
-#   prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk  (prod cluster only)
-#
-# Trust model:
-#   *.dev.enc.yaml  → admin + dev           (ONLY dev-admin can decrypt)
-#   *.test.enc.yaml → admin + dev + test + prod (everyone can decrypt)
-#   *.prod.enc.yaml → admin + prod          (ONLY prod-admin can decrypt)
-#   *.shared.enc.yaml → admin + dev + prod  (legacy, both can decrypt)
-#
-# mac_only_encrypted: true — allows adding new YAML keys/structure without
-# having the decryption key. MAC is computed only over encrypted values.
-# This enables dev to add fields to *.prod.enc.yaml without decrypting them.
-# Requires SOPS >= 3.9.0.
-
-creation_rules:
-  # Dev-specific secrets — ONLY admin + dev can decrypt
-  - path_regex: \.dev\.enc\.yaml$
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    age: >-
-      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
-      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-
-  # Test secrets — all keys can decrypt (shared test environment)
-  - path_regex: \.test\.enc\.yaml$
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    age: >-
-      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
-      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
-      age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33,
-      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-
-  # Prod-specific secrets — ONLY admin + prod can decrypt
-  - path_regex: \.prod\.enc\.yaml$
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    age: >-
-      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
-      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-
-  # Shared secrets (legacy, both clusters) — admin + dev + prod
-  - path_regex: \.shared\.enc\.yaml$
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
-    mac_only_encrypted: true
-    age: >-
-      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
-      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
-      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk

README.md

@@ -1,24 +0,0 @@
-# deploy-app-kargo-private
-
-Private ArgoCD ApplicationSet repository with SOPS-encrypted secrets.
-
-## Structure
-
-- `infra/` — Infrastructure apps (cert-manager, gitea, kargo, etc.)
-- `ci/` — CI apps (gitea-runner, etc.)
-- `kargo/` — Kargo pipeline definitions + encrypted credentials
-- `.sops.yaml` — SOPS encryption rules (3 age keys: admin, dev, prod)
-
-## Encryption
-
-Secrets in `*.enc.yaml` files are encrypted with SOPS + age:
-- `*.dev.enc.yaml` — decryptable by admin + dev keys
-- `*.prod.enc.yaml` — decryptable by admin + prod keys
-- `*.shared.enc.yaml` — decryptable by all three keys
-
-## Branches
-
-- `main` — source of truth
-- `infra/stage/dev` — dev cluster (Kargo promotion)
-- `infra/stage/test` — test stage (Kargo verification)
-- `infra/stage/prod` — prod cluster (Kargo promotion via PR)

bootstrap/argo-rollouts/config.yaml

@@ -1,13 +0,0 @@
-{
-  "name": "argo-rollouts",
-  "namespace": "argo-rollouts",
-  "step": "3",
-  "source": {
-    "repoURL": "https://argoproj.github.io/argo-helm",
-    "chart": "argo-rollouts",
-    "targetRevision": "2.40.6"
-  },
-  "helm": {
-    "values": "dashboard:\n  enabled: true\n"
-  }
-}

bootstrap/cert-manager/config.yaml

@@ -1,13 +0,0 @@
-{
-  "name": "cert-manager",
-  "namespace": "cert-manager",
-  "step": "1",
-  "source": {
-    "repoURL": "https://charts.jetstack.io",
-    "chart": "cert-manager",
-    "targetRevision": "v1.19.4"
-  },
-  "helm": {
-    "values": "crds:\n  enabled: true\n"
-  }
-}

bootstrap/kargo-ci-pipeline/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "kargo-ci-pipeline",
-  "namespace": "ci",
-  "step": "5",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "kargo/ci",
-    "targetRevision": "main"
-  }
-}

bootstrap/kargo-infra-pipeline/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "kargo-infra-pipeline",
-  "namespace": "infra",
-  "step": "5",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "kargo/infra",
-    "targetRevision": "main"
-  }
-}

bootstrap/kargo-test-env-pipeline/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "kargo-test-env-pipeline",
-  "namespace": "test-env",
-  "step": "5",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "kargo/test-env",
-    "targetRevision": "main"
-  }
-}

bootstrap/kargo/config.yaml

@@ -1,14 +0,0 @@
-{
-    "name": "kargo",
-    "namespace": "kargo",
-    "step": "4",
-    "syncOptions": ["Replace=true"],
-    "source": {
-        "repoURL": "ghcr.io/akuity/kargo-charts",
-        "chart": "kargo",
-        "targetRevision": "1.9.5"
-    },
-    "helm": {
-        "values": "api:\n  service:\n    type: ClusterIP\n  adminAccount:\n    enabled: true\n    passwordHash: \"$2b$10$jk2IIBCWP.5mEzp30J0kkO1CyCXEBvCWzaPsUGVfsusvH0M2kl2aS\"\n    tokenSigningKey: \"d76a6d38c725db844e799224ae2d0a2d38c0d31f5ca510aac44abc87c973b6e3\"\ncontroller:\n  argocd:\n    integrationEnabled: true\n    namespace: argocd\n"
-    }
-}

bootstrap/kargo/values/secret-values.dev.enc.yaml

@@ -1,28 +0,0 @@
-# Kargo secrets for dev/test cluster
-passwordHash: ENC[AES256_GCM,data:Brg8qSTsGeft72w0FhnmKu0CgfL14zDLLIifyFdS+MJDtWhhRJq88Wh2OOrjylTsteYJeb9LaGh7T/6I,iv:PapmZ9/fubkIMz4Br4W4Xqj8UB6BJl5708V0nPRqgxw=,tag:r1iCfDxwmNRJT56dnEEo2Q==,type:str]
-tokenSigningKey: ENC[AES256_GCM,data:f1i9nVF74bWcGl0GXBujwo215aXV4pAm9r3AX181nUq32QyWdkzR0+7e+4EfqoZkpOorCKZQq6pJEn45th9YJw==,iv:yMT3dnlNnblyUJdmWb9XFQlnPnLIT12iw6aNxN94lY0=,tag:WE6/dL8+382eYMj/tYq/+w==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVEhRZkhINm80MGYzcGZP
-            a1ZURk9GYVRiT1plV0U1WlQvenFieU1TbGt3CnlqbExOZGpEMEd2MDlDV0k1Z0ZI
-            UzJxK1ByVkhrNXlJWkhCUHhTSzl0cW8KLS0tIDRKb0dmNXhXSnIzMEhnOUNjMVRD
-            V1oySnBJeFdyWGdGYzhpN2JIRG00cUEKta06XCymUR8ltBL/6egR/IHTaS/Q0vih
-            ep4kyfexVOK+OAnbvA/4BSUBKXAr2L+GN3tAuG4YOnehX764WTaoxQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VHQvczM3MDhEcXJGQkpa
-            Vm1LYURwbUk5MEhXOVBLdFl5UWRLcmZpaWwwCmdrMGFmNlZVL2pQdDFFR1BrZ25h
-            ZEZMazJsR3hhZlNsUTNSNEVEUlNtcE0KLS0tIEplZnk2eDNXd2ZOcVhJNThieWJU
-            UkZSc1E1dHVieFRMSDNhSXN0ZC9OdGsK+7GeHMVOYmhIpt1tZTo/l3JdTQL1ZuC7
-            ZLydtSlmPfT4rkUmtyfEMf8HU45V9KO7IUSWyWBOy7XU1whb7frdHw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:13Z"
-    mac: ENC[AES256_GCM,data:DWPS9s6QGbeFKEsZGBqKZE596Bqm1nY5D3JrBnEkRVwQhXo4oo6QIwSOpojBx4cSANANzi+CkhCGXIIAhKxXLn4Aii9y/d1Lpe6S7umFeLg/15Qb7CAC6mI/WPK6H71zD8VSxzHictDek9opfdhIzrlr9xIvKRwzyhsF7I76kgE=,iv:Epf8fh8kMDpFpV0BOVV542n8OitoDcy7yRg0gI76aFU=,tag:Yd4oFywmeALME220szSWzA==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

bootstrap/kargo/values/secret-values.prod.enc.yaml

@@ -1,28 +0,0 @@
-# Kargo secrets for prod cluster
-passwordHash: ENC[AES256_GCM,data:40E+4VZg1JwCjmXmsrqsPAKJJREu3TyaRdifnu6ADbFxIg7uJ1OmC2peUWZnmldOVy5rYRvn4f9+,iv:X5A46o59GeOpk5DazwV+ulhnXf+WKrz14lJB2AzVipc=,tag:0pPim5ccR9g3KeZrjvxzpg==,type:str]
-tokenSigningKey: ENC[AES256_GCM,data:tsp3iRJT0IlidEA3gU7rsY6LsoqurOAIe6DSLOnKcL167U/wax0jTUHsCsqcDq6YwVrrXr1H7EwohSpxLFkbfA==,iv:+LpAQkMKowoEHbqC3EIIJ/MaAmXYcCfNJ1SUt2lhNqc=,tag:6iI7umdfMOyEO6mD9cxMzA==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSlJqQ0tsRDFYdmUxbHFV
-            UGxLc05lRmlpYmJmdU9rTkhYUEVRN01tNVJnCmlWZnpMdU40ZEVsMnFDNWxaR3ow
-            KzlMNWpab0dDOS94Vm9EU1hBMDR5ZzQKLS0tIFpkenkvM01QOGJKRTFjcDl0N2c4
-            RnR3anYvdnRjYXhKNkE3aDFRZXY4TVEKuX/i/7fLkHVuh51vO/TMDCZ8K5AkGoO1
-            B9mOtMu8HZSV2F5UW3hpYrA+mJz82Hi0I84aI1LpAdjobsCckEpR3Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSDVNRERESERkQ2RwSlo0
-            OGFHaHAzeGhFcVhsOHEyekd2MVZzZG50b3c0CkRIMm1veXNXL3BrMkpuajVrZzFW
-            ekVPcFYwMUZMc2V5cnFUdUlneWQxQmsKLS0tIFRwZ0ZCZVE1K0N6ZlFGbkZJT2k3
-            cXFYaThyS1gxOU5hWFl0cDgyUTB6U2MKejpV8nlfBNKC9vqC9UkOJquC4poU/gAI
-            s2Ul/34xAM5/amo/icjwmkpB+TsAR4zNgkECuW7rF9plf1LSFrFUAg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:13Z"
-    mac: ENC[AES256_GCM,data:igA1mRDKhw3B/QgRU7naByC8lS9EYfv+r5wU4BdBDmDfEQYzqT4sf3/zEE8XZnhKNbgc+hQuu4YodpaefWQAZwUXQFGhs8zxaLtUtP+zdBq8GJlfDradha9SyrtWsjY68dcA2RBc8E0y8xG+YE0fgnsOl2gvc9iXg0+X+2g31pI=,iv:OhmU/sX6SuD7V4SYINVfQFPYnJGIZ3H76YG+/RElgBY=,tag:dhqlLkmKBLaABc4UAUFvNg==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

bootstrap/traefik-routes/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "traefik-routes",
-  "namespace": "kube-system",
-  "step": "2",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "bootstrap/traefik-routes/manifests",
-    "targetRevision": "main"
-  }
-}

bootstrap/traefik-routes/manifests/gitea-ingress.yaml

@@ -1,41 +0,0 @@
-# Gitea HTTPS IngressRoute via Traefik
-# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: gitea-https
-  namespace: gitea
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: HostRegexp(`gitea.k3s\..+\.local`)
-      kind: Rule
-      middlewares:
-        - name: sslheader
-          namespace: kube-system
-        - name: gitea-buffer-timeout
-          namespace: gitea
-      services:
-        - name: gitea-http
-          port: 3000
-  tls: {}
----
-# HTTP → HTTPS redirect for Gitea
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: gitea-http-redirect
-  namespace: gitea
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: HostRegexp(`gitea.k3s\..+\.local`)
-      kind: Rule
-      middlewares:
-        - name: redirect-https
-          namespace: kube-system
-      services:
-        - name: gitea-http
-          port: 3000

bootstrap/traefik-routes/manifests/gitea-ssh.yaml

@@ -1,14 +0,0 @@
-# Gitea SSH access via Traefik TCP routing (port 2222)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: gitea-ssh
-  namespace: gitea
-spec:
-  entryPoints:
-    - ssh
-  routes:
-    - match: HostSNI(`*`)
-      services:
-        - name: gitea-ssh
-          port: 22

bootstrap/traefik-routes/manifests/kargo-ingress.yaml

@@ -1,21 +0,0 @@
-# Kargo dashboard HTTPS IngressRoute
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: kargo-https
-  namespace: kargo
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: HostRegexp(`kargo.k3s\..+\.local`)
-      kind: Rule
-      middlewares:
-        - name: kargo-tls-middleware
-          namespace: kargo
-      services:
-        - name: kargo-api
-          port: 443
-          scheme: https
-          serversTransport: kargo-skip-verify
-  tls: {}

bootstrap/traefik-routes/manifests/kargo-transport.yaml

@@ -1,8 +0,0 @@
-# ServersTransport to skip TLS verification for Kargo backend (self-signed cert)
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: kargo-skip-verify
-  namespace: kargo
-spec:
-  insecureSkipVerify: true

bootstrap/traefik-routes/manifests/middlewares.yaml

@@ -1,57 +0,0 @@
-# HTTP → HTTPS redirect
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: redirect-https
-  namespace: kube-system
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true
----
-# Forward X-Forwarded-Proto header for backends behind TLS termination
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: sslheader
-  namespace: kube-system
-spec:
-  headers:
-    customRequestHeaders:
-      X-Forwarded-Proto: "https"
----
-# Gitea: buffer large requests (git push) + timeout for CI builds
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: gitea-buffer-timeout
-  namespace: gitea
-spec:
-  buffering:
-    maxRequestBodyBytes: 0
-    maxResponseBodyBytes: 0
-    memRequestBodyBytes: 20971520
-    memResponseBodyBytes: 20971520
-    retryExpression: "IsNetworkError()"
----
-# ArgoCD: X-Forwarded-Proto for TLS termination
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: argocd-tls-middleware
-  namespace: argocd
-spec:
-  headers:
-    customRequestHeaders:
-      X-Forwarded-Proto: "https"
----
-# Kargo: X-Forwarded-Proto for TLS termination
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: kargo-tls-middleware
-  namespace: kargo
-spec:
-  headers:
-    customRequestHeaders:
-      X-Forwarded-Proto: "https"

bootstrap/traefik-routes/manifests/namespaces.yaml

@@ -1,14 +0,0 @@
-# Ensure namespaces exist for cross-namespace middleware references
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
-  labels:
-    name: gitea
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kargo
-  labels:
-    name: kargo

bootstrap/traefik-routes/manifests/tls-store.yaml

@@ -1,10 +0,0 @@
-# Default TLS store — uses wildcard-tls from kube-system as default cert.
-# All IngressRoutes with tls: {} will use this certificate.
-apiVersion: traefik.io/v1alpha1
-kind: TLSStore
-metadata:
-  name: default
-  namespace: kube-system
-spec:
-  defaultCertificate:
-    secretName: wildcard-tls

bootstrap/traefik-routes/manifests/traefik-dashboard.yaml

@@ -1,22 +0,0 @@
-# Traefik Dashboard IngressRoute (HTTPS access)
-# Named traefik-dashboard-https to avoid conflict with k3s built-in
-# Traefik Helm chart which creates its own "traefik-dashboard" IngressRoute
-# on the internal "traefik" entrypoint (port 9000).
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard-https
-  namespace: kube-system
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: HostRegexp(`traefik.k3s\..+\.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-      kind: Rule
-      middlewares:
-        - name: sslheader
-          namespace: kube-system
-      services:
-        - name: api@internal
-          kind: TraefikService
-  tls: {}

ci/gitea-runner/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "gitea-runner",
-  "namespace": "gitea-runner",
-  "step": "5",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "ci/gitea-runner/manifests",
-    "targetRevision": "main"
-  }
-}

ci/gitea-runner/manifests/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea-runner
-  labels:
-    name: gitea-runner

ci/gitea-runner/manifests/runner.yaml

@@ -1,79 +0,0 @@
-# Gitea Actions runner (act_runner)
-# Requires registration token in gitea-runner-token secret
-# Token is generated in Gitea admin → Actions → Runners → Create new runner
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: gitea-runner-config
-  namespace: gitea-runner
-data:
-  config.yaml: |
-    log:
-      level: info
-    runner:
-      file: .runner
-      capacity: 1
-      timeout: 3h
-      labels:
-        - "ubuntu-latest:docker://node:20-bullseye"
-        - "ubuntu-22.04:docker://node:20-bullseye"
-    cache:
-      enabled: true
-      dir: ""
-    container:
-      network: ""
-      privileged: false
-      options:
-      workdir_parent:
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gitea-runner
-  namespace: gitea-runner
-  labels:
-    app: gitea-runner
-spec:
-  replicas: 0  # Set to 1 after creating registration token
-  selector:
-    matchLabels:
-      app: gitea-runner
-  template:
-    metadata:
-      labels:
-        app: gitea-runner
-    spec:
-      containers:
-        - name: runner
-          image: gitea/act_runner:0.2.11
-          env:
-            - name: GITEA_INSTANCE_URL
-              value: "http://gitea-http.gitea.svc.cluster.local:3000"
-            - name: GITEA_RUNNER_REGISTRATION_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-runner-token
-                  key: token
-                  optional: true
-          volumeMounts:
-            - name: config
-              mountPath: /config
-              readOnly: true
-            - name: data
-              mountPath: /data
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: "2"
-              memory: 2Gi
-      volumes:
-        - name: config
-          configMap:
-            name: gitea-runner-config
-        - name: data
-          emptyDir: {}
-      nodeSelector:
-        node-role.kubernetes.io/worker: ""

dev/deploy-test-env.sh

@@ -1,134 +0,0 @@
-#!/bin/bash
-# deploy-test-env.sh — Deploy test-env to dev cluster and verify
-#
-# Usage:
-#   bash dev/deploy-test-env.sh [--check-only] [--create-secrets]
-#
-# Prerequisites:
-#   - kubectl configured for dev cluster
-#   - Images benadis/pg-1c:18.1-2.1C and benadis/ar-edt:6.2.27.1 accessible
-#
-# This script:
-#   1. Validates kustomize build
-#   2. Applies manifests via kustomize
-#   3. Creates secrets if --create-secrets
-#   4. Waits for pods to be ready
-#   5. Runs smoke tests (pg_isready, ragent check)
-
-set -euo pipefail
-cd "$(dirname "$0")/.."
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m'
-
-CHECK_ONLY=false
-CREATE_SECRETS=false
-
-for arg in "$@"; do
-    case $arg in
-        --check-only) CHECK_ONLY=true ;;
-        --create-secrets) CREATE_SECRETS=true ;;
-    esac
-done
-
-echo "=== test-env deployment ==="
-
-# --- Step 1: Validate kustomize ---
-echo -e "\n${YELLOW}[1/5] Validating kustomize build...${NC}"
-if kubectl kustomize test-env/ > /dev/null 2>&1; then
-    echo -e "${GREEN}  ✓ kustomize build OK${NC}"
-else
-    echo -e "${RED}  ✗ kustomize build FAILED${NC}"
-    kubectl kustomize test-env/ 2>&1 | head -20
-    exit 1
-fi
-
-if $CHECK_ONLY; then
-    echo -e "\n${GREEN}Validation passed (--check-only)${NC}"
-    kubectl kustomize test-env/ | grep -c 'kind:' | xargs -I{} echo "  {} resources"
-    exit 0
-fi
-
-# --- Step 2: Apply manifests ---
-echo -e "\n${YELLOW}[2/5] Applying manifests...${NC}"
-kubectl apply -k test-env/
-echo -e "${GREEN}  ✓ Manifests applied${NC}"
-
-# --- Step 3: Create secrets if needed ---
-if $CREATE_SECRETS; then
-    echo -e "\n${YELLOW}[3/5] Creating secrets...${NC}"
-    kubectl -n test-env create secret generic test-env-secrets \
-        --from-literal=pg-password=usr1cv8 \
-        --dry-run=client -o yaml | kubectl apply -f -
-    echo -e "${GREEN}  ✓ Secrets created${NC}"
-else
-    echo -e "\n${YELLOW}[3/5] Checking secrets...${NC}"
-    if kubectl -n test-env get secret test-env-secrets > /dev/null 2>&1; then
-        echo -e "${GREEN}  ✓ test-env-secrets exists${NC}"
-    else
-        echo -e "${RED}  ✗ test-env-secrets missing — run with --create-secrets${NC}"
-    fi
-fi
-
-# --- Step 4: Wait for pods ---
-echo -e "\n${YELLOW}[4/5] Waiting for pods (timeout 120s)...${NC}"
-
-wait_for_pod() {
-    local label=$1
-    local timeout=${2:-120}
-    local start=$(date +%s)
-    while true; do
-        local phase=$(kubectl -n test-env get pods -l "$label" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "Pending")
-        if [ "$phase" = "Running" ]; then
-            echo -e "${GREEN}  ✓ $label → Running${NC}"
-            return 0
-        fi
-        local elapsed=$(( $(date +%s) - start ))
-        if [ $elapsed -gt $timeout ]; then
-            echo -e "${RED}  ✗ $label → $phase (timeout ${timeout}s)${NC}"
-            return 1
-        fi
-        sleep 5
-    done
-}
-
-wait_for_pod "app=test-pg" 120
-wait_for_pod "app=onec-server" 120
-
-# --- Step 5: Smoke tests ---
-echo -e "\n${YELLOW}[5/5] Smoke tests...${NC}"
-
-# PostgreSQL ready
-PG_POD=$(kubectl -n test-env get pod -l app=test-pg -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
-if [ -n "$PG_POD" ]; then
-    if kubectl -n test-env exec "$PG_POD" -- su - postgres -c "/usr/lib/postgresql/18/bin/pg_isready" > /dev/null 2>&1; then
-        echo -e "${GREEN}  ✓ PostgreSQL is ready${NC}"
-    else
-        echo -e "${RED}  ✗ PostgreSQL pg_isready failed${NC}"
-    fi
-fi
-
-# 1C server ragent running
-ONEC_POD=$(kubectl -n test-env get pod -l app=onec-server -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
-if [ -n "$ONEC_POD" ]; then
-    if kubectl -n test-env exec "$ONEC_POD" -- pgrep ragent > /dev/null 2>&1; then
-        echo -e "${GREEN}  ✓ ragent is running${NC}"
-    else
-        echo -e "${RED}  ✗ ragent not running${NC}"
-    fi
-    if kubectl -n test-env exec "$ONEC_POD" -- pgrep crserver > /dev/null 2>&1; then
-        echo -e "${GREEN}  ✓ crserver is running${NC}"
-    else
-        echo -e "${RED}  ✗ crserver not running${NC}"
-    fi
-fi
-
-# Summary
-echo -e "\n=== Status ==="
-kubectl -n test-env get pods -o wide
-echo ""
-kubectl -n test-env get svc
-echo ""
-kubectl -n test-env get pvc

dev/verify-sops-isolation.sh

@@ -1,128 +0,0 @@
-#!/bin/bash
-# verify-sops-isolation.sh — Verify SOPS zero trust key isolation
-#
-# Usage: bash dev/verify-sops-isolation.sh [--keys-dir PATH]
-#
-# Verifies that:
-# 1. dev-key can ONLY decrypt *.dev.enc.yaml
-# 2. prod-key can ONLY decrypt *.prod.enc.yaml
-# 3. test-key can decrypt *.test.enc.yaml (if any)
-# 4. test-key CANNOT decrypt dev or prod files
-# 5. mac_only_encrypted is set in all files
-# 6. All files decrypt successfully with appropriate keys
-#
-# Requires: sops, age keys in SOPS_AGE_KEY_DEV/PROD/TEST env vars
-#           or provide --keys-dir with separate key files
-
-set -euo pipefail
-cd "$(dirname "$0")/.."
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m'
-
-PASS=0
-FAIL=0
-WARN=0
-
-check() {
-    local desc=$1 expected=$2 actual=$3
-    if [ "$expected" = "$actual" ]; then
-        echo -e "  ${GREEN}✓${NC} $desc"
-        PASS=$((PASS+1))
-    else
-        echo -e "  ${RED}✗${NC} $desc (expected=$expected, got=$actual)"
-        FAIL=$((FAIL+1))
-    fi
-}
-
-ORIG_KEYS=""
-if [ -f ~/.config/sops/age/keys.txt ]; then
-    ORIG_KEYS=$(cat ~/.config/sops/age/keys.txt)
-fi
-
-restore_keys() {
-    if [ -n "$ORIG_KEYS" ]; then
-        echo "$ORIG_KEYS" > ~/.config/sops/age/keys.txt
-    fi
-}
-trap restore_keys EXIT
-
-# --- Check .sops.yaml ---
-echo -e "\n${YELLOW}[1] Checking .sops.yaml configuration${NC}"
-
-if [ -f .sops.yaml ]; then
-    check ".sops.yaml exists" "yes" "yes"
-else
-    check ".sops.yaml exists" "yes" "no"
-    exit 1
-fi
-
-MAC_RULES=$(grep -c '^\s*mac_only_encrypted: true' .sops.yaml || echo 0)
-check "mac_only_encrypted rules in .sops.yaml (>=4)" "yes" "$([ "$MAC_RULES" -ge 4 ] && echo yes || echo no)"
-
-# --- Check all encrypted files ---
-echo -e "\n${YELLOW}[2] Checking mac_only_encrypted in encrypted files${NC}"
-TOTAL_ENC=$(find . -name '*.enc.yaml' -not -path './.git/*' | wc -l)
-MAC_ENC=$(grep -rl 'mac_only_encrypted: true' $(find . -name '*.enc.yaml' -not -path './.git/*' 2>/dev/null) 2>/dev/null | wc -l)
-check "mac_only_encrypted in all encrypted files" "$TOTAL_ENC" "$MAC_ENC"
-
-# --- Key isolation tests ---
-echo -e "\n${YELLOW}[3] Key isolation: dev-key${NC}"
-if [ -n "${SOPS_AGE_KEY_DEV:-}" ]; then
-    echo "$SOPS_AGE_KEY_DEV" > ~/.config/sops/age/keys.txt
-    for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "dev-key decrypts $(basename $f)" "yes" "$result"
-    done
-    for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "dev-key CANNOT decrypt $(basename $f)" "no" "$result"
-    done
-else
-    echo -e "  ${YELLOW}⚠ SOPS_AGE_KEY_DEV not set, skipping${NC}"
-    WARN=$((WARN+1))
-fi
-
-echo -e "\n${YELLOW}[4] Key isolation: prod-key${NC}"
-if [ -n "${SOPS_AGE_KEY_PROD:-}" ]; then
-    echo "$SOPS_AGE_KEY_PROD" > ~/.config/sops/age/keys.txt
-    for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "prod-key decrypts $(basename $f)" "yes" "$result"
-    done
-    for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "prod-key CANNOT decrypt $(basename $f)" "no" "$result"
-    done
-else
-    echo -e "  ${YELLOW}⚠ SOPS_AGE_KEY_PROD not set, skipping${NC}"
-    WARN=$((WARN+1))
-fi
-
-echo -e "\n${YELLOW}[5] Key isolation: test-key${NC}"
-if [ -n "${SOPS_AGE_KEY_TEST:-}" ]; then
-    echo "$SOPS_AGE_KEY_TEST" > ~/.config/sops/age/keys.txt
-    for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "test-key CANNOT decrypt $(basename $f)" "no" "$result"
-    done
-    for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "test-key CANNOT decrypt $(basename $f)" "no" "$result"
-    done
-    for f in $(find . -name '*.test.enc.yaml' -not -path './.git/*'); do
-        result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
-        check "test-key decrypts $(basename $f)" "yes" "$result"
-    done
-else
-    echo -e "  ${YELLOW}⚠ SOPS_AGE_KEY_TEST not set, skipping${NC}"
-    WARN=$((WARN+1))
-fi
-
-# --- Summary ---
-echo -e "\n=== Summary ==="
-echo -e "${GREEN}Passed: $PASS${NC}  ${RED}Failed: $FAIL${NC}  ${YELLOW}Warnings: $WARN${NC}"
-[ $FAIL -eq 0 ] && echo -e "${GREEN}All checks passed!${NC}" || echo -e "${RED}Some checks failed!${NC}"
-exit $FAIL

infra/gitea/config.yaml

@@ -5,7 +5,7 @@
   "source": {
     "repoURL": "https://dl.gitea.com/charts",
     "chart": "gitea",
-    "targetRevision": "12.5.0"
+    "targetRevision": 12.5.0
   },
   "helm": {
     "values": "gitea:\n  admin:\n    existingSecret: gitea-admin\n  config:\n    server:\n      ROOT_URL: \"https://gitea.k3s.e2e.local\"\n      DOMAIN: \"k3s.e2e.local\"\n      SSH_DOMAIN: \"gitea.k3s.e2e.local\"\n      SSH_PORT: 2222\n    service:\n      DISABLE_REGISTRATION: false\n    actions:\n      ENABLED: \"true\"\n    cache:\n      ENABLED: false\n      ADAPTER: memory\n    session:\n      PROVIDER: memory\n\ningress:\n  enabled: false\n\npostgresql:\n  enabled: true\n  image:\n    repository: bitnamilegacy/postgresql\n    tag: \"17\"\n\npostgresql-ha:\n  enabled: false\n\nmemcached:\n  enabled: false\n\nredis-cluster:\n  enabled: false\n\nredis:\n  enabled: false\n\nvalkey-cluster:\n  enabled: false\n\nimage:\n  rootless: false\n"

infra/gitea/values/secret-values.dev.enc.yaml

@@ -1,28 +1,27 @@
 # Gitea secrets for dev/test cluster
-admin-password: ENC[AES256_GCM,data:VVEs6UmQymD7bhc2DQ+ghuE=,iv:LRht/bByPtiCjkazc19NRIwbXzZclEZYtwCeXJfFMfQ=,tag:ig1bUcDNr+1wsDHoeBfMvw==,type:str]
-db-password: ENC[AES256_GCM,data:1QXmkEs6ECbf8NcoMcmgF4mLOYo=,iv:xKiTicbmhJaLajgN2taL+VR+H0ky1fHI3e79I0D6IdA=,tag:Whd7VdtjC7sYqC24XGEqBQ==,type:str]
+admin-password: ENC[AES256_GCM,data:Nh7IDhZbJxOYjat8JhRoWtQ=,iv:mDtUOdjiKxvTTKaWNQ6bUQ2rCbV9Ule25IN5AVBTrp0=,tag:FxMWUvu82HusjtPBmEtwcA==,type:str]
+db-password: ENC[AES256_GCM,data:qRZjNRGr/oJVzYTz6Kv0sZ7Sbns=,iv:V03c8IrsLZzJck5ZqrXS46LydbGPtLBwkjjGQI0zkv4=,tag:pxDpAbekwwOw9yiqMwl2QA==,type:str]
 sops:
     age:
         - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdHZRckgvZXZwRUdFZTNt
-            WFlNU0YwWncyNC9aZEFIT0hRRU5uYkNLMXdvCmgxM3NHSnR0THFXZUw4amZnSi9t
-            dkgrZDloUVo5NkZ5eDdPNUxaTi84NncKLS0tIGlmWDBiMjJUWWxsU1ZzWTZYL2dm
-            c25XZ0NKbUtuNHBjeGJ6YWVDTndaMXMKKHqfuydqSL65wdpHcyug8eg0p1VPMSuz
-            VeNu16pPCtTtStuGl4f2ciOVMaGCNbjY3XySRzZQKUNciZVTfat5Ow==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWFvNXF3QXpnbjFsbHhn
+            dmdnRmRwWnpkUVlRSHlEZXdXT2FoeVVVejFNCkZ0UGp5YWZ2TThEUnZPOVNqVjJR
+            S0lXSGxSSFF3ZWhUM2NMWW9MZUszZnMKLS0tIEowWHo5SUFMMDFNY1lWY3NuNnJN
+            OERJZklLT1RnSDc4VjdaQ0F3cVRTaGsKYIfYSv4In5YiGs2/KWX1oPqOoiUxwVUl
+            jROG2UecsSjhKq6XdX+KVYmcSKhy1ljPjHaL+t3MmSNE6+jJpMpDvQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YzZ5am1lWGFaeVBxak5P
-            bVdSWHZTU1pkR3U0b1hvMVIvZUh3MnNpbkNJCm8wMmNUVzZ2U01kc3crTGliZG5u
-            MHpKVDZaZEt3dkJ3cVRVREpPQXFXUlUKLS0tIGdwSjNXUm4reENLUFRhMlNWQ0Yw
-            Ykw3QjBoQ2c0c3U1dWs0OVpCajBnYTQKtU/a24mNe+yo91QvFs2qHC2HR5tft9ny
-            d0RnFNYSaxgFWbV+Hs3vzBQUFlq0CzhfZzRR/rUcRfnrd+krlXThRQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNzZSWE1NcTR1blQ5TWxH
+            N0k2YWNOdTA4WHZXQ3VlTHpWNVNuRm53S3dzCnZOR0gyWTVzams4SjdCZVpSMjdL
+            S2dqZTcvb3VtVE9JUWVlVU1QL1NaZ3MKLS0tIHdUZldWZWdIZ01VUWxLeEJDNmY0
+            aEV2U1JMaTFYRldjc1kwNHczd3gvM1kKEytPjCdNTG+8SFnQxh50XKfjAxa1xn0t
+            D3dj6yMfIfkgnp84pI9PY5hBweHrEcdeUwhPrkNY8dRuiShv4o4xTQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:13Z"
-    mac: ENC[AES256_GCM,data:E7YknH7WIh7zhZElq67jPRyt1dfjQDVWvrcIMtHbkRG/d6xQhgeJY9HwWJaotfrlCx3tpxO0zi882/ACVoogY+8f3l8jCCOEp+e20X3qDmbEOrRLsl8+mRnDiyJFAXULqJvAHEr5yJnYNxXXvVzOSpTOe+ECgedCJ4fgRU58c0k=,iv:FZt+eF6OLW+98FVxe7TFdpCWSvMwwXWKdudccgMJoKo=,tag:lpCIsC85JDG7p6xyxJnk4A==,type:str]
+    lastmodified: "2026-03-11T06:57:04Z"
+    mac: ENC[AES256_GCM,data:LKIihGyIcUImsmRWgPhWQRBeaFiXdWgaMwlif+FPNdmy/LSRlwIqIN8KzwuMu1zAlNvl1SVOVZL7SgRe9rZHax5pIn+Qrb5B+cuFPZTyvl24VBlJ+l29x182CKhRnT1RDDA9D7do+y8bG+rjyJ6u5d/yYcMAYIH9+I4fS4uERQw=,iv:23M4i1uCpQzfWZIp2c4gGThOCGotS3eajdjItlAwh2Y=,tag:MoD7LbWCu5EGxPeliRDinQ==,type:str]
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
     version: 3.12.1

infra/gitea/values/secret-values.prod.enc.yaml

@@ -1,28 +1,27 @@
 # Gitea secrets for prod cluster
-admin-password: ENC[AES256_GCM,data:ZStjY7d/2LcgGm8roVRT7ndOwgNi,iv:QYCaEqO1P0fjVnd6Cw+HMJKYSlqj0Bin7aBSmkZ5Zb0=,tag:f3pM4+U84FJOR54ADGKMxw==,type:str]
-db-password: ENC[AES256_GCM,data:gVcaEkJHP6LC/ufpW6/uyVceWvrx6vVnWg==,iv:Qt364af+t33gUKqHjkNUQzmJjCV+qrvoOJlwTpXmGy4=,tag:SURLKmepxtcrlmFR8wGvJw==,type:str]
+admin-password: ENC[AES256_GCM,data:4pXdFHPAXo9fnyEmAqDygucpGrOy,iv:Qa/fQvRoU8TXMlkSjlomwzOn0v1M/PJ606HZI+inRcQ=,tag:/fKGATm+rUSCUH+os12qlQ==,type:str]
+db-password: ENC[AES256_GCM,data:lw3I+smG/1DaMFd2V98D7ENu6MB0g+e81A==,iv:DZmS4R2buArXMkO/Cjtp9gN9AqpTaVHs7NfqQFqciWY=,tag:OA9kzug/Mel6+GDlnYU/jA==,type:str]
 sops:
     age:
         - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ckdkQzdIN0dFelVUSEMy
-            QllGVTN4Z2IvZ0t3M29NcTNMSGEzczFjWnljCnA4NkZNcDdWUTRNRWIzRmhNckV3
-            ODZFWWdneUU3VHZiRC9TSlVkVjNhVEUKLS0tIHNYWHdML2o0dUlNb1BoWThUK29H
-            MDR0L1QwRlh0emFWMDJvMjhUMnJvb0UKBI+dEz95zrwzb42PpyxBMI70Aei68BIX
-            TQ/sCHKqvtdbEwTkg/ndhfPdorCIGwfCobJmWb8WySU1VZHCWYzJxw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCd2VUaHhQc0h4bmYwdmFy
+            WVJLS2dURWZnOUtCKzRoajB2RVI5U1ROOEVvCnV2VmxFTkhPNlErOE5SZzUyT0c1
+            VitrWFlJVUt5N2plMitWVjZPUHBmYU0KLS0tIFJVUnBBZjl6cWlRYUNiZSs1V0Q2
+            b1NBVnZydDVlY09LeHNpbkdsTzRNNmcKO9GFvLHIWTh/Aseuo3Z8FE47dE92MxJ6
+            p5OCsZRw+bpQfURStiyckaoMW8Of716uDIS3v1JaW8u4xm3e+lZXGg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbVZraFNrMDYzNndkNkxJ
-            OERtbXNOamRDSlhpV05mOTcxbXVxT2xVODM0Ci9WSG5vb0trTzkwZFFOdmlVd3Ar
-            UUN2TVZaMXBaL3d6TmRGZ1h0THhaNGsKLS0tIEFZcVRtNENMS3ZWMUxOeHlYTHlN
-            UDRIM0RYNVdsSmUyOEFDcXdhNHlXVFkKxoX+LTe+xjXh2M45V4oYcLe9lAmxYexe
-            KJ5O588VLGVi4zBpVs1l16JmWAfcfCiMVKOpdvS8vsiQDkGAO3cH4w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUZjdlk4MU4yWGNPOEs4
+            ZkplUzlyV1lmQUxidHk3aDFhU1NOeElxeVU4CngxWS8vOTdUbEVNM2thMWgxNGRo
+            ZUlYdjVPTXFJWGtNWEJEa2V1dGhqSTgKLS0tIEI2V1hrWUVnRnovblhVQ2ROSENE
+            dXhwWXJJbnVBaFpraXJURERMR1lkUjQKFzaekfQFqg2cVT5gks4fXX26GtZu+M1F
+            g+pzNxpFVlzdrXiWrzjePshTVblVsxV8fKpUVoLYwwLOSILRzF3uwg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:13Z"
-    mac: ENC[AES256_GCM,data:mkgNY/EwLknddBdn0X9IZfqjmA7NpESqVDNndCKY5eA01s74Ym3sE4JF39abEAs7U7/l675qsF6ew7Cv0OLCArzYDRlN7vYcBqTsnuUOovxi6utAk6VfzYhH8XQpM3CuV6FlUbSoVovUl09O26kB9yDHe1uTOGVa3Kqk/XsKKoc=,iv:BdqsABAeOBAfTvb0q3KQ5ek3UOgu9oh5GQtsu0s1lEc=,tag:Ux1SmPWs7y1/gKx2vVthiA==,type:str]
+    lastmodified: "2026-03-11T06:57:04Z"
+    mac: ENC[AES256_GCM,data:qWDAgi9DeHnc4TfH2la54mKtkNRkO3ArfXJBxZ6D6yEk5nylMA+Fw3FBmsKuU+F1/JN7CQVHbez37jjOXDmoFUfGXunionqkaf4wYz/3duRjdm/ApTLLMAYaq1YHzp6XNF4x+1LBtp0RadK//wwhxXQHoYdui9IH2Ts5ALLjOzo=,iv:B86+ovgnit5oKxY1wgxvYBEhRmnjJiQ7GdveJAGytfA=,tag:QgVjYIvIgwXvfbTxiti1OA==,type:str]
     encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
     version: 3.12.1

kargo/ci/kustomization.yaml

@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - project.yaml
-  - warehouse.yaml
-  - stages/dev.yaml
-  - stages/prod.yaml
-  - verification/runner-health.yaml

kargo/ci/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ci
-  labels:
-    kargo.akuity.io/project: "true"

kargo/ci/project.yaml

@@ -1,16 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Project
-metadata:
-  name: ci
----
-apiVersion: kargo.akuity.io/v1alpha1
-kind: ProjectConfig
-metadata:
-  name: ci
-  namespace: ci
-spec:
-  promotionPolicies:
-    - stageSelector: { name: dev }
-      autoPromotionEnabled: true
-    - stageSelector: { name: prod }
-      autoPromotionEnabled: true

kargo/ci/stages/dev.yaml

@@ -1,54 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Stage
-metadata:
-  name: dev
-  namespace: ci
-spec:
-  requestedFreight:
-    - origin:
-        kind: Warehouse
-        name: ci-images
-      sources:
-        direct: true
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/Kargones/deploy-app-kargo-private.git
-        - name: targetBranch
-          value: ci/stage/${{ ctx.stage }}
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: main
-                path: ./src
-              - branch: ${{ vars.targetBranch }}
-                create: true
-                path: ./out
-        - uses: git-clear
-          config:
-            path: ./out
-        - uses: copy
-          config:
-            inPath: ./src/ci
-            outPath: ./out/ci
-        - uses: yaml-update
-          config:
-            path: ./out/ci/gitea-runner/manifests/runner.yaml
-            updates:
-              - key: spec.template.spec.containers.0.image
-                value: gitea/act_runner:${{ imageFrom("gitea/act_runner").Tag }}
-        - uses: git-commit
-          as: commit
-          config:
-            path: ./out
-            message: "promote(ci/${{ ctx.stage }}): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
-        - uses: git-push
-          config:
-            path: ./out
-            targetBranch: ${{ vars.targetBranch }}
-  verification:
-    analysisTemplates:
-      - name: runner-health

kargo/ci/stages/prod.yaml

@@ -1,64 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Stage
-metadata:
-  name: prod
-  namespace: ci
-spec:
-  requestedFreight:
-    - origin:
-        kind: Warehouse
-        name: ci-images
-      sources:
-        stages:
-          - dev
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/Kargones/deploy-app-kargo-private.git
-        - name: sourceBranch
-          value: ci/stage/dev
-        - name: targetBranch
-          value: ci/stage/prod
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: ${{ vars.sourceBranch }}
-                path: ./src
-              - branch: ${{ vars.targetBranch }}
-                create: true
-                path: ./out
-        - uses: git-clear
-          config:
-            path: ./out
-        - uses: copy
-          config:
-            inPath: ./src/ci
-            outPath: ./out/ci
-        - uses: git-commit
-          as: commit
-          config:
-            path: ./out
-            message: "promote(ci/prod): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
-        - uses: git-push
-          as: push
-          config:
-            path: ./out
-            generateTargetBranch: true
-        - uses: git-open-pr
-          as: open-pr
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            sourceBranch: ${{ outputs.push.branch }}
-            targetBranch: ${{ vars.targetBranch }}
-            createTargetBranch: true
-            title: "promote(ci/prod): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
-            description: |
-              ## Kargo Promotion — CI
-              **Image:** gitea/act_runner:${{ imageFrom("gitea/act_runner").Tag }}
-        - uses: git-wait-for-pr
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            prNumber: ${{ outputs['open-pr'].pr.id }}

kargo/ci/verification/runner-health.yaml

@@ -1,25 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: AnalysisTemplate
-metadata:
-  name: runner-health
-  namespace: ci
-spec:
-  metrics:
-    - name: runner-deployment-exists
-      provider:
-        job:
-          spec:
-            backoffLimit: 0
-            template:
-              spec:
-                serviceAccountName: kargo-verifier
-                restartPolicy: Never
-                containers:
-                  - name: check
-                    image: alpine/k8s:1.35.1
-                    command: ["/bin/sh", "-c"]
-                    args:
-                      - |
-                        echo "Checking gitea-runner deployment..."
-                        kubectl get deployment gitea-runner -n gitea-runner -o jsonpath='{.metadata.name}' && echo " exists" || exit 1
-                        echo "Runner health check passed"

kargo/ci/warehouse.yaml

@@ -1,11 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Warehouse
-metadata:
-  name: ci-images
-  namespace: ci
-spec:
-  subscriptions:
-    - image:
-        repoURL: gitea/act_runner
-        semverConstraint: ">=0.2.0"
-        discoveryLimit: 5

kargo/credentials/dev/git-creds-ci.dev.enc.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: ci
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:swl5u5LpFYVKjZcuWaG+QNWLR02gi9dyXlD2yqkcFLTRpWMD3lvSfA==,iv:pixqI9FQMdQzlvs6Mmhp8DvAbofGby5zHISH3bjLwh4=,tag:PHfTfXN12bHrQCJPFW3xJw==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVc3JLYnBtWFZ6NGRhNjha
-            WW1xNW1JUFRTc1dXM203bUdPRmRWWGF6R1RBCmExN1N3STUxVGpIZmtDMzZXMWkz
-            Y2pJUklqM1YyWVlFVVpEQkQ2R0NRUE0KLS0tIDF0cXFYcllWYUlWQStMVU83MEd6
-            cnJia1lOQ21FTjJ3SkxJSDRFaExrNDAK4zDNcqeJsjZYR+b5qX97n+Asa8riugnL
-            kPuBWyO/R8XjvuNfMZb9njt6gSgX1u6aGyxL3rHXbNhvdRmmGfZIdg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaC9kb3ZIVU5zNitJWWVy
-            Ump3MFFBTUQwVUhCQ01PVnUxVVhxT1NaWGpNCnVvSUFNVlU3SDNHK3p6Y0pKLy83
-            eVdlWmRqNHk3ZWNuLzc5ODZXOEN0S0EKLS0tIFRFdDh1cVRxK0dNTEQxallBc01j
-            RmI5SHF5SE5GRTNudGZ6K3hheVZiZFEKXy6rNacjL40EiukSU/SxeiBUMyWe3EVe
-            LvyrP+d7GoC6+wix6IglQUTdV6YKjI0oCJOews+5wNveqc2SMMLlcw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:14Z"
-    mac: ENC[AES256_GCM,data:sy/CRatnNB8U7kMFfkqZlrB9Xs0bD7kmHu5EOGJHxtaMAE+Wql7D7yFh78mJuGJk8snmsGP2xK1Pkqcx38HwWUBbw8kqoT6X45NGn99uCT11sMvz/Kyp98PWVc+IFhqwnNyAfd76gvIkKx4CqkXbxCsxdQaw3RMYEArdGWPufrE=,iv:CUJTpRjXAraVTeBFh7Z4fB/Wk4cXdYnBXpRGJETSm2A=,tag:p+W7xx9thkAkA2iPIDuqjg==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

kargo/credentials/dev/git-creds-infra.dev.enc.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: infra
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:PYZtFr/Yui75oe0M6Bll8eU2qpGf5IygIHUA6L35s5IHPVxUIrbWcg==,iv:NIODrxhD1mTWxq74NoZWZpC9zQQxL3NYIxxO6lAhp8Q=,tag:tcrF1xcFKZBmWFWr7z7/sg==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMY3BSZUZwVytjYXQ3KzB6
-            K0JRdnVwTllMNGJYS05vc1c5R01UdzdUN3owCk80TmJ4RnZIMHU1U0FOWEVoUkZa
-            OVRLVytwMlpPZFRNcS9wdXZKaWlhWncKLS0tIElDZGgwOFdkNCsyUGxEU0tYYjE1
-            YS9TY09rdXRkRmV4bTVOZFBqeitLazgKZCOAKyuKeRN8X89FOdHaT94phsIAZCwk
-            bFPckh5jGn1QKVNYdvLmyPAFO55ehsMA/JRl42YdzCsDSifvuufcCw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UTlsc1hiRWN3UUVwTzhU
-            MkZteGhveUsxaFJ0djd4RXpTYjl1S2l3cmlNCi8zRStWVUVPMkJ0ZVBnZDROdEc4
-            Tk9LOTN5Y3krQXp3Tk9GLzVBVkMrdzQKLS0tIDNkcmpRSkpHMXdvQVZBU3J0UCt0
-            amFPNEpGbUxZb0luNEpaZlJuWnFkd3cKHs6+l+Kapohsah+Zhoob5DXXchw2C5kc
-            cl6KK79gbxN4pTTCmWJHfaiXuohRXol3Z1km6QWrEaNC9IGF6nmGJQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:14Z"
-    mac: ENC[AES256_GCM,data:q+gHiqfdUmeOdaHpuj42fHXnrrHY3elE2cDTqlU9+s3atsnDEERoFx/1qJvqlOCYmvHM4h3wyAQHPB6hIt205RKHQJ13TxTEzGWkgrk5eThAolu4w9Z6Vd7Ni0Sv4dyNtdPlkj1N0907sACCBMUelLIpD6acf8jL9+n6E+xIgsE=,iv:1ZsjWgntw6iHuQZYhSm9KrWs36D6FegsweLHwYmxHQM=,tag://6dNpONbhDQUKbaUT8/gA==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

kargo/credentials/dev/git-creds-test-env.dev.enc.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: test-env
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:BnToDVLq7wjdMDFL+y+OM6pJlIQibKr9hdLrA4o2hsCDMAxqgGrgdw==,iv:KDJMguvXjehgLfhb9E8Uw3zViT8gLegPGuoQfZsVwvc=,tag:PyZ5CwhnXC71pisaJYBt0Q==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMW1YOE1QRStGVzBtTEo5
-            Q2lkWWxUeE1wT0t5OE1oSklhYmpaREVBWVdFClJ6NWVEUEtFV3pYanZHejZGbldi
-            NExoejZUd2ZFS3FMcHZvMUs1R2c3OG8KLS0tIHFOVmtDQ0pBRXBza25qNVNwOEZX
-            SVZCRWszaG5qS0crc1ZYUmRwMkNlNTAKJqmqt9sZG+zk3zbd9f9zbRtVEAO7soF6
-            AMFdNc6nrDY9KXOCVRwYn+bbcgWr1Gfzv4PF5Kjzp4ApQ/0aA7wLwQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTT216YjBGNnhFUVExbkdG
-            YmNONnU0SWp0aHNvd0YzK202K3owa0c1b3prClRYZ2RFeFUrTzhDdFFNbGxnZURu
-            UEZpY3lVbjZVam5adVJUbThXc0RYUjAKLS0tIG1qR3EzVjlmUE5DREdvbFMxbVRP
-            UDVSQ3lwcExOS1NwSkZwZk1iaXJacHMKrGWH26/kRCWuBjVLfqqVS4stxW/huyqa
-            u/QpRmKO0oFrX0u9l6DfHOaVUUgSao1p8nvEDrHKTLe574d8bayyQA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:14Z"
-    mac: ENC[AES256_GCM,data:20Te36BK8FWJ1jiUrMMl7yDhOJwCw/jGpoJbP5t5NjelJDlx9ygC7LtOkgck1FpaNvhsuroJWbOzojpkzRZKLrIUhpoiIaXpliZ3O5aNpHKFbJsf6tJmEY1cy7VaosF40f0RvH3RxWbjr5jWNGSoi5yKBcFZ32aCK6g2ToXpCHs=,iv:eGWVRv1que1NbfqAluy6UP3jLXpTWtDsFPDws3Addjg=,tag:kU/WSR26mDMdOz/i8Edf7w==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

kargo/credentials/dev/ksops-generator.yaml

@@ -1,12 +0,0 @@
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: kargo-git-credentials
-  annotations:
-    config.kubernetes.io/function: |
-      exec:
-        path: ksops
-files:
-  - git-creds-infra.dev.enc.yaml
-  - git-creds-ci.dev.enc.yaml
-  - git-creds-test-env.dev.enc.yaml

kargo/credentials/dev/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-generators:
-  - ksops-generator.yaml

kargo/credentials/prod/git-creds-ci.prod.enc.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: ci
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:tmjqB73hSjvgQy4fhUiJqz4Sclj41PIgYS9TLRly38eGN3CX75CX3Q==,iv:oICPKbWpVposLMLBErRY1s0MkNw8NISAS04iq+MbA6g=,tag:LF2/oRd3S84oA1kWvoQe5Q==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFZzaFRUTkFZYmNxaGt4
-            akhoV3J5RW1aYlQ2U3VOaFpnT1Z2TlJhVmtrCkcwM3JBZmNTdWVLdmY5SGtCeUR0
-            SWxWdW0va2hQZkFnZzhydGJjcEhIRFUKLS0tIE9CTXY0Y0ozWHhLanBzeitnNHUw
-            c1RzY1grRFVmN09rK2VnY3RsWHhYbDQK+OkyZkNX3GtnQJIPYCgjlgz4aCc5Axow
-            4oLiPPgo3MKDMz/mDA3MSZFM7dU19Yj613Eg3Y/aqLU/XGLm13RenQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSzYweVY5VW9kMW1PaCsr
-            UjFuN1l2b0NqZlBBVU9PRFAvblNUanY2dENJClcvcnVEMEJ0aDBYdXZBcDdQSkQ5
-            Rk1aeTJralZoUU9EazZieC9sVlJuZ0UKLS0tIFNmaVhXVWxxVVRVQXB5b21xcVRr
-            ZXYxQjMvMmR4enl6VzlObjBkT0pKVDAKC+29tK9WxsYzzzgz8c7ob6Z7I+XseXpB
-            pHoaft6P/lyLA0reVEHgeWs5VfqQFtLyrfOOx9KKf6hHxpdfhcZ+KA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:14Z"
-    mac: ENC[AES256_GCM,data:IaDYevGdOT9//dj9HR5XoPcu7wkOe6z1NFhC8KDK6EWZvuAhSix0Rlg21OBpJicszZv3dEgd/pQkGr9i9BFW0T52oClg9bCZQUhd1Kh1VZRtA9VE+bXfdHqgt8+AC9sXS4epeZrRBLHv3swmLYYeokXRYFm9Ffi28y2xWthnywA=,iv:Sqdg7HySRrBuXJleJi/2kXrCSlQUh3zJ1I6lVIvgqa0=,tag:35u7xo34avuPK/TrHtbdJg==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

kargo/credentials/prod/git-creds-infra.prod.enc.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: infra
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:iKCAh7QI2+aCk+91Z7EepDZgVAVqwG/+Wg2ywEtg2eyQN4iR2z6QXQ==,iv:1GtbHc7lgi5LI3+WuD2LMG6sFjPR1tfYmrHYOkSiUJs=,tag:oxMmtgOJgbaNRdvzqmtIgQ==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZ1lzYWJ6ekl1Rk1wcnZH
-            YnRpdzVtRTkrZFNQWTBab0NncHlyb04wYlc4CnJSUEs5OW9kZ1JBZ0FOTWZuTzRl
-            Z2NCd2tHaVRJVFhqdXlTNjZwa1V2Q0kKLS0tIHRkS1FmMW5kTWw1azY1NC9iYXY0
-            R2g4V0JyYzcySG5GNEVMaWZ1c3hpZDAKfJLwr81KsZmYmjfGov8z/GVhBZCQrLq5
-            cfG3vgEGm90g4tOzyo6lwfy84ZRjymcyucGn3AwSLW9/UlxQT4PsKw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUTVtMkNpekNDU1FiaEEr
-            cmI2RGo2L2VNeUZjUVVBYnVyaFhVczRTUWpBClAxV3AwSS9Tc2JJK2FwelFVck5i
-            OXVud3locysybUhaNm9RMGN3RkViUTgKLS0tIDh0SjQ3alhjQjR2QmZWdjVrSzVt
-            c0JTZnVNSk5ERUNXVDRNc2E4d3JLR2sKjyidz2xqy61sJ26sELHansCcAPN+x9VS
-            j6vSt/0CPPADzaVzsvHiVY6gWoDI5EtdYeUFPUw8cSBc+eT/846lyQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:14Z"
-    mac: ENC[AES256_GCM,data:ZGN9t/KEMATRH4YWbnxe39lJyKyCbEEADQLk2Sj+jPY9LF6yZq2ixRaB9mMKzrz4MLq+eghzZoWeCD0MaqjtcaNTSP7tiVL7PCFZMXT7IPYbMDbeLEPiLYg4gNb0lim6bHcQH2R5N6ZA//1+cLEdJVJ0gH8YHfIxOKzvGT3fBCk=,iv:qE2Z+q5Znbo+Wv040TuBJuvU/N2dFKb64LYHyfUSKhA=,tag:l3h7cwlM/jmuGlCPo9gm8A==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

kargo/credentials/prod/git-creds-test-env.prod.enc.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-creds
-    namespace: test-env
-    labels:
-        kargo.akuity.io/cred-type: git
-type: Opaque
-stringData:
-    repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
-    username: Kargones
-    password: ENC[AES256_GCM,data:bni/9XNGoW9KwzL3ovyu/BDcdv5dgKo6vDoZUVSebueX60SJwnc+CA==,iv:ef3MR/6a6VRzanDMfl7H9PygSHV7HGqp0OkeY/Yv27Q=,tag:D4OWKTbj5HB+TURvJAEfbg==,type:str]
-sops:
-    age:
-        - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TS92bXkwRGZaK0s4OHdE
-            Y25rMFRyK2FLeUJ1c0gwWlVQdm1OMDl5eUdrCmxQZ01vb2NwVXBoWXpJMzJ6VS9N
-            eTBKbjdQUmdIclFObmpqVW9qb2RUcWcKLS0tIDVjN2lTSWJ4ZVQwazZObThJRVhI
-            czJib0UzS0ZuOE9uaVpOclQ3cEI3cjQKnrqviLM7T5OEqhtT0rhSZ86vtr88gAtw
-            je4yt20hcATuKLKnjIorFtXR6tww1zW92LiORP2VTiYC25IuHv4ccA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZDhDdVBQS3hsTDZVdi9G
-            dzk3SFpzT0NVdzhUcTB6bm16YlRhSjFNa1h3CllFR1hxdDNZc1JZMERtTlIxY1R3
-            dUtmRGlranY3eFFWTWU0VFVBMkRyREEKLS0tIEFNWG1wZG9SWkJCTGkxNUQwaU05
-            UFcwbGhuVXI0Q3d0VWpqM09KaWFGZkkKOfVRoQqOKWVPsvcnRrCLAUfvXZje2zrw
-            EQ5CeyjoZL9lxzuWMxoe71e1lzo1ecwV4Wdu4G54wSuzhxA9vwpSTg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-12T14:08:14Z"
-    mac: ENC[AES256_GCM,data:mc59PsRuw1JnjMxFR/y37oOJmnoojpFd8hEKounvA/lMf1rBvUAcQ6sYK+qajBHvtnzlCuMpuetxYY1v2djfRrp4GhwQotmSpAb2fqO1kz1JEqHkFeZ2ZeBtnytVf9I95VAeU/zJV1X2TrUW14ZmOvowtdRYFkSdY6Z3/Hs9vic=,iv:DlsN9rmiEq/2xBQS/LghBoVQcT+7XfSJJ7r5rKhTB/k=,tag:cuLvv4e7r25mjVCGrQZYNA==,type:str]
-    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
-    mac_only_encrypted: true
-    version: 3.12.1

kargo/credentials/prod/ksops-generator.yaml

@@ -1,12 +0,0 @@
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: kargo-git-credentials
-  annotations:
-    config.kubernetes.io/function: |
-      exec:
-        path: ksops
-files:
-  - git-creds-infra.prod.enc.yaml
-  - git-creds-ci.prod.enc.yaml
-  - git-creds-test-env.prod.enc.yaml

kargo/credentials/prod/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-generators:
-  - ksops-generator.yaml

kargo/infra/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - project.yaml
-  - warehouse.yaml
-  - stages/dev.yaml
-  - stages/test.yaml
-  - stages/prod.yaml
-  - verification/rbac.yaml
-  - verification/dev-health-check.yaml
-  - verification/prod-health-check.yaml

kargo/infra/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: infra
-  labels:
-    kargo.akuity.io/project: "true"

kargo/infra/project.yaml

@@ -1,18 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Project
-metadata:
-  name: infra
----
-apiVersion: kargo.akuity.io/v1alpha1
-kind: ProjectConfig
-metadata:
-  name: infra
-  namespace: infra
-spec:
-  promotionPolicies:
-    - stageSelector: { name: dev }
-      autoPromotionEnabled: true
-    - stageSelector: { name: test }
-      autoPromotionEnabled: true
-    - stageSelector: { name: prod }
-      autoPromotionEnabled: true  # creates PR, not direct push

kargo/infra/stages/dev.yaml

@@ -1,55 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Stage
-metadata:
-  name: dev
-  namespace: infra
-spec:
-  requestedFreight:
-    - origin:
-        kind: Warehouse
-        name: infra-charts
-      sources:
-        direct: true
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/Kargones/deploy-app-kargo-private.git
-        - name: targetBranch
-          value: infra/stage/${{ ctx.stage }}
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: main
-                path: ./src
-              - branch: ${{ vars.targetBranch }}
-                create: true
-                path: ./out
-        - uses: git-clear
-          config:
-            path: ./out
-        - uses: yaml-update
-          as: update-gitea
-          config:
-            path: ./src/infra/gitea/config.yaml
-            updates:
-              - key: source.targetRevision
-                value: ${{ chartFrom("https://dl.gitea.com/charts", "gitea").Version }}
-        - uses: copy
-          config:
-            inPath: ./src/infra
-            outPath: ./out/infra
-        - uses: git-commit
-          as: commit
-          config:
-            path: ./out
-            message: "promote(infra/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
-        - uses: git-push
-          config:
-            path: ./out
-            targetBranch: ${{ vars.targetBranch }}
-  verification:
-    analysisTemplates:
-      - name: dev-health-check

kargo/infra/stages/prod.yaml

@@ -1,76 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Stage
-metadata:
-  name: prod
-  namespace: infra
-spec:
-  requestedFreight:
-    - origin:
-        kind: Warehouse
-        name: infra-charts
-      sources:
-        stages:
-          - test
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/Kargones/deploy-app-kargo-private.git
-        - name: sourceBranch
-          value: infra/stage/test
-        - name: targetBranch
-          value: infra/stage/prod
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: ${{ vars.sourceBranch }}
-                path: ./src
-              - branch: ${{ vars.targetBranch }}
-                create: true
-                path: ./out
-        - uses: git-clear
-          config:
-            path: ./out
-        - uses: copy
-          config:
-            inPath: ./src/infra
-            outPath: ./out/infra
-        - uses: git-commit
-          as: commit
-          config:
-            path: ./out
-            message: "promote(infra/prod): freight ${{ ctx.targetFreight.name }}"
-        - uses: git-push
-          as: push
-          config:
-            path: ./out
-            generateTargetBranch: true
-        - uses: git-open-pr
-          as: open-pr
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            sourceBranch: ${{ outputs.push.branch }}
-            targetBranch: ${{ vars.targetBranch }}
-            title: "promote(infra/prod): ${{ ctx.targetFreight.name }}"
-            description: |
-              ## Kargo Promotion
-              **Freight:** ${{ ctx.targetFreight.name }}
-              **Project:** infra
-              **Stage:** prod
-
-              ## Verified in
-              - ✅ dev (pod-health)
-              - ✅ test (pod-health)
-
-              ## Review
-              Check the diff below for version changes.
-              Verify changelogs before merging.
-        - uses: git-wait-for-pr
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            prNumber: ${{ outputs['open-pr'].pr.id }}
-  verification:
-    analysisTemplates:
-      - name: prod-health-check

kargo/infra/stages/test.yaml

@@ -1,51 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Stage
-metadata:
-  name: test
-  namespace: infra
-spec:
-  requestedFreight:
-    - origin:
-        kind: Warehouse
-        name: infra-charts
-      sources:
-        stages:
-          - dev
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/Kargones/deploy-app-kargo-private.git
-        - name: sourceBranch
-          value: infra/stage/dev
-        - name: targetBranch
-          value: infra/stage/${{ ctx.stage }}
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: ${{ vars.sourceBranch }}
-                path: ./src
-              - branch: ${{ vars.targetBranch }}
-                create: true
-                path: ./out
-        - uses: git-clear
-          config:
-            path: ./out
-        - uses: copy
-          config:
-            inPath: ./src/infra
-            outPath: ./out/infra
-        - uses: git-commit
-          as: commit
-          config:
-            path: ./out
-            message: "promote(infra/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
-        - uses: git-push
-          config:
-            path: ./out
-            targetBranch: ${{ vars.targetBranch }}
-  verification:
-    analysisTemplates:
-      - name: dev-health-check

kargo/infra/verification/dev-health-check.yaml

@@ -1,37 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: AnalysisTemplate
-metadata:
-  name: dev-health-check
-  namespace: infra
-spec:
-  metrics:
-    - name: pod-health
-      successCondition: result == "healthy"
-      provider:
-        job:
-          spec:
-            template:
-              spec:
-                serviceAccountName: kargo-verifier
-                containers:
-                  - name: check
-                    image: alpine/k8s:1.35.1
-                    command: [sh, -c]
-                    args:
-                      - |
-                        set -e
-                        echo "Checking pod health..."
-                        cm=$(kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -c Running || echo 0)
-                        echo "cert-manager running pods: $cm"
-                        ar=$(kubectl get pods -n argo-rollouts --no-headers 2>/dev/null | grep -c Running || echo 0)
-                        echo "argo-rollouts running pods: $ar"
-                        gt=$(kubectl get pods -n gitea --no-headers 2>/dev/null | grep -c Running || echo 0)
-                        echo "gitea running pods: $gt"
-                        if [ "$cm" -ge 1 ] && [ "$ar" -ge 1 ] && [ "$gt" -ge 1 ]; then
-                          echo "healthy"
-                        else
-                          echo "unhealthy"
-                          exit 1
-                        fi
-                restartPolicy: Never
-            backoffLimit: 2

kargo/infra/verification/prod-health-check.yaml

@@ -1,37 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: AnalysisTemplate
-metadata:
-  name: prod-health-check
-  namespace: infra
-spec:
-  metrics:
-    - name: pod-health
-      successCondition: result == "healthy"
-      provider:
-        job:
-          spec:
-            template:
-              spec:
-                serviceAccountName: kargo-verifier
-                containers:
-                  - name: check
-                    image: alpine/k8s:1.35.1
-                    command: [sh, -c]
-                    args:
-                      - |
-                        set -e
-                        echo "Checking pod health..."
-                        cm=$(kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -c Running || echo 0)
-                        echo "cert-manager running pods: $cm"
-                        ar=$(kubectl get pods -n argo-rollouts --no-headers 2>/dev/null | grep -c Running || echo 0)
-                        echo "argo-rollouts running pods: $ar"
-                        gt=$(kubectl get pods -n gitea --no-headers 2>/dev/null | grep -c Running || echo 0)
-                        echo "gitea running pods: $gt"
-                        if [ "$cm" -ge 1 ] && [ "$ar" -ge 1 ] && [ "$gt" -ge 1 ]; then
-                          echo "healthy"
-                        else
-                          echo "unhealthy"
-                          exit 1
-                        fi
-                restartPolicy: Never
-            backoffLimit: 2

kargo/infra/verification/rbac.yaml

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kargo-verifier
-  namespace: infra
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kargo-verifier-infra
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kargo-verifier-infra
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kargo-verifier-infra
-subjects:
-  - kind: ServiceAccount
-    name: kargo-verifier
-    namespace: infra

kargo/infra/warehouse.yaml

@@ -1,12 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Warehouse
-metadata:
-  name: infra-charts
-  namespace: infra
-spec:
-  subscriptions:
-    - chart:
-        repoURL: https://dl.gitea.com/charts
-        name: gitea
-        semverConstraint: ">=10.6.0"
-        discoveryLimit: 5

kargo/test-env/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - project.yaml
-  - warehouse.yaml
-  - stages/dev.yaml

kargo/test-env/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: test-env
-  labels:
-    kargo.akuity.io/project: "true"

kargo/test-env/project.yaml

@@ -1,14 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Project
-metadata:
-  name: test-env
----
-apiVersion: kargo.akuity.io/v1alpha1
-kind: ProjectConfig
-metadata:
-  name: test-env
-  namespace: test-env
-spec:
-  promotionPolicies:
-    - stageSelector: { name: dev }
-      autoPromotionEnabled: true

kargo/test-env/stages/dev.yaml

@@ -1,45 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Stage
-metadata:
-  name: dev
-  namespace: test-env
-spec:
-  requestedFreight:
-    - origin:
-        kind: Warehouse
-        name: test-env-images
-      sources:
-        direct: true
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/Kargones/deploy-app-kargo-private.git
-        - name: targetBranch
-          value: test-env/stage/${{ ctx.stage }}
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: main
-                path: ./src
-              - branch: ${{ vars.targetBranch }}
-                create: true
-                path: ./out
-        - uses: git-clear
-          config:
-            path: ./out
-        - uses: copy
-          config:
-            inPath: ./src/test-env
-            outPath: ./out/test-env
-        - uses: git-commit
-          as: commit
-          config:
-            path: ./out
-            message: "promote(test-env/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
-        - uses: git-push
-          config:
-            path: ./out
-            targetBranch: ${{ vars.targetBranch }}

kargo/test-env/warehouse.yaml

@@ -1,14 +0,0 @@
-apiVersion: kargo.akuity.io/v1alpha1
-kind: Warehouse
-metadata:
-  name: test-env-images
-  namespace: test-env
-spec:
-  # Placeholder: no subscriptions yet.
-  # When test services are added, subscribe to their container images here.
-  subscriptions:
-    - chart:
-        repoURL: https://dl.gitea.com/charts
-        name: gitea
-        semverConstraint: ">=0.0.1"
-        discoveryLimit: 1

test-env/config.yaml

@@ -1,10 +0,0 @@
-{
-  "name": "test-env",
-  "namespace": "test-env",
-  "step": "6",
-  "source": {
-    "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
-    "path": "test-env",
-    "targetRevision": "main"
-  }
-}

test-env/gitea-runner/configmap.yaml

@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: test-env-runner-config
-  namespace: test-env
-data:
-  config.yaml: |
-    log:
-      level: info
-    runner:
-      file: .runner
-      capacity: 1
-      timeout: 3h
-      labels:
-        - "edt:docker://benadis/ar-edt-slim:latest"
-        - "ubuntu-latest:docker://node:20-bullseye"
-    cache:
-      enabled: true
-      dir: ""
-    container:
-      network: ""
-      privileged: false
-      options:
-      workdir_parent:

test-env/gitea-runner/deployment.yaml

@@ -1,161 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: test-env-runner
-  namespace: test-env
-  labels:
-    app: test-env-runner
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: test-env-runner
-  template:
-    metadata:
-      labels:
-        app: test-env-runner
-    spec:
-      serviceAccountName: runner-registrar
-      initContainers:
-        # Obtain registration token from Gitea API once, write to shared volume.
-        # Uses the same token if .runner file already exists (idempotent).
-        - name: register
-          image: alpine/k8s:1.35.1
-          command:
-            - sh
-            - -c
-            - |
-              set -e
-              # If already registered, skip
-              if [ -f /data/.runner ]; then
-                echo "Runner already registered, skipping."
-                exit 0
-              fi
-
-              # Get Gitea admin credentials
-              USER=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.username}' | base64 -d)
-              PASS=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.password}' | base64 -d)
-
-              # Resolve Gitea pod IP (headless service)
-              GITEA_POD_IP=$(kubectl -n gitea get pod -l app.kubernetes.io/name=gitea \
-                -o jsonpath='{.items[0].status.podIP}')
-              GITEA_URL="http://${GITEA_POD_IP}:3000"
-
-              # Wait for Gitea API
-              for i in $(seq 1 30); do
-                if curl -sf "$GITEA_URL/api/v1/version" > /dev/null 2>&1; then
-                  break
-                fi
-                echo "Waiting for Gitea API... ($i/30)"
-                sleep 5
-              done
-
-              # Get registration token
-              TOKEN=$(curl -sf -X POST -u "$USER:$PASS" \
-                "$GITEA_URL/api/v1/user/actions/runners/registration-token" \
-                | sed 's/.*"token":"\([^"]*\)".*/\1/')
-
-              if [ -z "$TOKEN" ]; then
-                echo "ERROR: Failed to get registration token"
-                exit 1
-              fi
-              echo "Got token: ${TOKEN:0:8}..."
-
-              # Write token for the runner container
-              echo "$TOKEN" > /data/.registration-token
-              echo "$GITEA_URL" > /data/.gitea-url
-              echo "Token saved to /data/.registration-token"
-          volumeMounts:
-            - name: data
-              mountPath: /data
-      containers:
-        # Docker-in-Docker sidecar (required for act_runner to execute workflows)
-        - name: dind
-          image: docker:27-dind
-          securityContext:
-            privileged: true
-          env:
-            - name: DOCKER_TLS_CERTDIR
-              value: ""
-          volumeMounts:
-            - name: docker-socket
-              mountPath: /var/run
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: "2"
-              memory: 2Gi
-        - name: runner
-          image: gitea/act_runner:0.2.11
-          command:
-            - sh
-            - -c
-            - |
-              # Wait for Docker daemon
-              echo "Waiting for Docker daemon..."
-              for i in $(seq 1 30); do
-                if docker info > /dev/null 2>&1; then
-                  echo "Docker daemon is ready"
-                  break
-                fi
-                sleep 2
-              done
-
-              # Register if not yet registered
-              if [ ! -f /data/.runner ] && [ -f /data/.registration-token ]; then
-                TOKEN=$(cat /data/.registration-token)
-                GITEA_URL=$(cat /data/.gitea-url)
-                echo "Registering runner at $GITEA_URL..."
-                act_runner register --no-interactive \
-                  --instance "$GITEA_URL" \
-                  --token "$TOKEN" \
-                  --name "test-env-runner" \
-                  --labels "edt:docker://benadis/ar-edt-slim:latest,ubuntu-latest:docker://node:20-bullseye"
-              fi
-
-              # Start daemon
-              exec act_runner daemon
-          env:
-            - name: DOCKER_HOST
-              value: "unix:///var/run/docker.sock"
-            - name: GITEA_INSTANCE_URL
-              value: "http://gitea-http.gitea.svc.cluster.local:3000"
-          volumeMounts:
-            - name: docker-socket
-              mountPath: /var/run
-            - name: config
-              mountPath: /config
-              readOnly: true
-            - name: data
-              mountPath: /data
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: "2"
-              memory: 2Gi
-      volumes:
-        - name: docker-socket
-          emptyDir: {}
-        - name: config
-          configMap:
-            name: test-env-runner-config
-        - name: data
-          persistentVolumeClaim:
-            claimName: runner-data
----
-# PVC for runner data — persists .runner registration across pod restarts
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: runner-data
-  namespace: test-env
-spec:
-  storageClassName: local-path
-  accessModes: ["ReadWriteOnce"]
-  resources:
-    requests:
-      storage: 1Gi

test-env/gitea-runner/rbac.yaml

@@ -1,34 +0,0 @@
-# RBAC for runner registration initContainer
-# Allows reading gitea-admin secret and listing pods in gitea namespace
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: runner-registrar
-  namespace: test-env
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: test-env-gitea-reader
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["gitea-admin"]
-    verbs: ["get"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: test-env-gitea-reader
-subjects:
-  - kind: ServiceAccount
-    name: runner-registrar
-    namespace: test-env
-roleRef:
-  kind: ClusterRole
-  name: test-env-gitea-reader
-  apiGroup: rbac.authorization.k8s.io

test-env/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  # NOTE: namespace.yaml removed — ArgoCD creates namespace via syncOptions.CreateNamespace
-  # The namespace is shared with kargo-test-env-pipeline app.
-  # PostgreSQL 18.x-2.1C (image has built-in 1C entrypoint)
-  - postgres/statefulset.yaml
-  - postgres/service.yaml
-  # 1C:Enterprise server (ragent + crserver + ras)
-  - onec-server/statefulset.yaml
-  - onec-server/service.yaml
-  - onec-server/service-nodeport.yaml
-  - onec-server/configmap.yaml
-  # Gitea Actions runner (for apk-ci-ng workflows)
-  - gitea-runner/deployment.yaml
-  - gitea-runner/configmap.yaml
-  - gitea-runner/rbac.yaml

test-env/namespace.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: test-env
-  labels:
-    name: test-env
-    environment: dev

test-env/onec-server/configmap.yaml

@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: onec-config
-  namespace: test-env
-data:
-  # HASP license server configuration
-  # Points to external license server for 1C client mode
-  nethasp.ini: |
-    [NH_COMMON]
-    NH_TCPIP = Enabled
-
-    [NH_TCPIP]
-    NH_SERVER_ADDR = 89.110.88.209
-    NH_PORT_NUMBER = 475
-
-  # 1C server entrypoint: starts ragent, crserver, ras, sshd
-  # Based on docker-compose env service from tester.benadis.org
-  entrypoint.sh: |
-    #!/bin/bash
-    set -e
-
-    ONEC_BASE="/opt/1cv8/x86_64"
-    # Auto-detect 1C version directory
-    ONEC_VER=$(ls -1 "$ONEC_BASE" | sort -V | tail -1)
-    ONEC_BIN="$ONEC_BASE/$ONEC_VER"
-
-    echo "=== Starting 1C:Enterprise $ONEC_VER ==="
-
-    mkdir -p /data/srv1c /data/storage
-
-    # Start ragent (cluster manager) — port 1540
-    $ONEC_BIN/ragent -port 1540 -regport 1541 -range 1560:1591 -d /data/srv1c &
-
-    # Start crserver (configuration repository server) — port 1542
-    $ONEC_BIN/crserver -port 1542 -d /data/storage &
-
-    # Wait for ragent to start, then launch RAS
-    sleep 3
-    $ONEC_BIN/ras cluster --port 1545 &
-
-    # Start SSH daemon if available
-    if [ -x /usr/sbin/sshd ]; then
-        /usr/sbin/sshd 2>/dev/null || true
-    fi
-
-    echo "Test environment ready (ragent:1540, crserver:1542, ras:1545)"
-    exec tail -f /dev/null

test-env/onec-server/service-nodeport.yaml

@@ -1,34 +0,0 @@
-# NodePort service for external access to 1C server
-# Accessed via SSH tunnels from connect-multi.ps1
-apiVersion: v1
-kind: Service
-metadata:
-  name: onec-nodeport
-  namespace: test-env
-  labels:
-    app: onec-server
-spec:
-  type: NodePort
-  selector:
-    app: onec-server
-  ports:
-    - name: ragent
-      port: 1540
-      targetPort: 1540
-      nodePort: 31540
-      protocol: TCP
-    - name: regport
-      port: 1541
-      targetPort: 1541
-      nodePort: 31541
-      protocol: TCP
-    - name: crserver
-      port: 1542
-      targetPort: 1542
-      nodePort: 31542
-      protocol: TCP
-    - name: ras
-      port: 1545
-      targetPort: 1545
-      nodePort: 31545
-      protocol: TCP

test-env/onec-server/service.yaml

@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: onec-server
-  namespace: test-env
-  labels:
-    app: onec-server
-spec:
-  type: ClusterIP
-  selector:
-    app: onec-server
-  ports:
-    - name: ragent
-      port: 1540
-      targetPort: 1540
-      protocol: TCP
-    - name: regport
-      port: 1541
-      targetPort: 1541
-      protocol: TCP
-    - name: crserver
-      port: 1542
-      targetPort: 1542
-      protocol: TCP
-    - name: ras
-      port: 1545
-      targetPort: 1545
-      protocol: TCP

test-env/onec-server/statefulset.yaml

@@ -1,107 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: onec-server
-  namespace: test-env
-  labels:
-    app: onec-server
-spec:
-  serviceName: onec-server
-  replicas: 1
-  selector:
-    matchLabels:
-      app: onec-server
-  template:
-    metadata:
-      labels:
-        app: onec-server
-    spec:
-      # Stable hostname for 1C community license (tied to hostname, not hardware)
-      hostname: test-env-0
-      containers:
-        - name: onec
-          image: benadis/ar-edt:6.2.27.1
-          command: ["/scripts/entrypoint.sh"]
-          env:
-            - name: LANG
-              value: "ru_RU.UTF-8"
-            - name: LC_ALL
-              value: "ru_RU.UTF-8"
-            - name: TZ
-              value: "Europe/Moscow"
-            - name: PGHOST
-              value: "postgres.test-env.svc.cluster.local"
-            - name: PGPORT
-              value: "5432"
-            - name: PGUSER
-              value: "usr1cv8"
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: test-env-secrets
-                  key: pg-password
-          ports:
-            - name: ragent
-              containerPort: 1540
-              protocol: TCP
-            - name: regport
-              containerPort: 1541
-              protocol: TCP
-            - name: crserver
-              containerPort: 1542
-              protocol: TCP
-            - name: ras
-              containerPort: 1545
-              protocol: TCP
-          volumeMounts:
-            - name: onec-data
-              mountPath: /data
-            - name: onec-scripts
-              mountPath: /scripts
-              readOnly: true
-            - name: onec-nethasp
-              mountPath: /opt/1cv8/conf/nethasp.ini
-              subPath: nethasp.ini
-              readOnly: true
-          resources:
-            requests:
-              cpu: 200m
-              memory: 512Mi
-            limits:
-              cpu: "4"
-              memory: 4Gi
-          readinessProbe:
-            exec:
-              command: ["sh", "-c", "pgrep ragent && pgrep crserver"]
-            initialDelaySeconds: 15
-            periodSeconds: 10
-            timeoutSeconds: 5
-          livenessProbe:
-            exec:
-              command: ["sh", "-c", "pgrep ragent"]
-            initialDelaySeconds: 30
-            periodSeconds: 30
-            timeoutSeconds: 5
-      volumes:
-        - name: onec-scripts
-          configMap:
-            name: onec-config
-            items:
-              - key: entrypoint.sh
-                path: entrypoint.sh
-                mode: 0755
-        - name: onec-nethasp
-          configMap:
-            name: onec-config
-            items:
-              - key: nethasp.ini
-                path: nethasp.ini
-  volumeClaimTemplates:
-    - metadata:
-        name: onec-data
-      spec:
-        storageClassName: local-path
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 10Gi

test-env/postgres/configmap.yaml

@@ -1,10 +0,0 @@
-# PostgreSQL ConfigMap
-# The benadis/pg-1c image has a built-in entrypoint that:
-#   1. Configures postgresql.conf with 1C optimizations on first run
-#   2. Sets pg_hba.conf for network access
-#   3. Creates usr1cv8 superuser
-#   4. Starts PostgreSQL
-#
-# No additional configuration needed — all settings are baked into the image.
-# This file is kept as documentation placeholder.
-# If custom settings are needed in the future, mount them via ConfigMap.

test-env/postgres/service.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: postgres
-  namespace: test-env
-  labels:
-    app: test-pg
-spec:
-  type: ClusterIP
-  selector:
-    app: test-pg
-  ports:
-    - name: postgres
-      port: 5432
-      targetPort: 5432
-      protocol: TCP

test-env/postgres/statefulset.yaml

@@ -1,104 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: test-pg
-  namespace: test-env
-  labels:
-    app: test-pg
-spec:
-  serviceName: postgres
-  replicas: 1
-  selector:
-    matchLabels:
-      app: test-pg
-  template:
-    metadata:
-      labels:
-        app: test-pg
-    spec:
-      initContainers:
-        # On first run the PVC is empty — copy the pre-built PG cluster
-        # from the image so the main entrypoint can configure and start it.
-        - name: init-pgdata
-          image: benadis/pg-1c:18.1-2.1C
-          command:
-            - sh
-            - -c
-            - |
-              if [ ! -d /data/18/main ]; then
-                echo "Initializing PG data from image..."
-                cp -a /var/lib/postgresql/. /data/
-                echo "Done."
-              else
-                echo "PG data already exists, skipping init."
-              fi
-          volumeMounts:
-            - name: pg-data
-              mountPath: /data
-      containers:
-        - name: postgres
-          image: benadis/pg-1c:18.1-2.1C
-          # Override entrypoint to handle "role already exists" on PVC reuse.
-          # The image entrypoint uses `set -e` + CREATE USER without IF NOT EXISTS,
-          # causing crash when PVC already has the user from a previous init.
-          command:
-            - bash
-            - -c
-            - |
-              # Patch entrypoint: make CREATE USER idempotent.
-              # Image entrypoint uses `set -e` + bare CREATE USER which fails
-              # when PVC is reused and the role already exists.
-              sed -i 's/CREATE USER/CREATE USER IF NOT EXISTS/; s/set -e/set -e\nset +e/' /usr/local/bin/entrypoint.sh 2>/dev/null || true
-              exec /usr/local/bin/entrypoint.sh postgres
-          env:
-            - name: LANG
-              value: "ru_RU.UTF-8"
-            - name: LC_ALL
-              value: "ru_RU.UTF-8"
-            - name: TZ
-              value: "Europe/Moscow"
-          ports:
-            - name: postgres
-              containerPort: 5432
-              protocol: TCP
-          volumeMounts:
-            - name: pg-data
-              mountPath: /var/lib/postgresql
-          resources:
-            requests:
-              cpu: 200m
-              memory: 512Mi
-            limits:
-              cpu: "2"
-              memory: 4Gi
-          readinessProbe:
-            exec:
-              command:
-                - su
-                - "-"
-                - postgres
-                - "-c"
-                - "/usr/lib/postgresql/18/bin/pg_isready"
-            initialDelaySeconds: 30
-            periodSeconds: 10
-            timeoutSeconds: 5
-          livenessProbe:
-            exec:
-              command:
-                - su
-                - "-"
-                - postgres
-                - "-c"
-                - "/usr/lib/postgresql/18/bin/pg_isready"
-            initialDelaySeconds: 60
-            periodSeconds: 30
-            timeoutSeconds: 5
-  volumeClaimTemplates:
-    - metadata:
-        name: pg-data
-      spec:
-        storageClassName: local-path
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 20Gi

test-env/secrets/placeholder.yaml

@@ -1,22 +0,0 @@
-# Placeholder for SOPS-encrypted secrets
-# Actual secrets will be encrypted with: sops --encrypt --age <admin-key>,<dev-key>
-#
-# Required secrets (create as test-env-secrets):
-#   pg-password: password for PostgreSQL usr1cv8 user
-#
-# Required secrets (create as test-env-runner-token):
-#   token: Gitea Actions runner registration token
-#
-# Example (before encryption):
-#   apiVersion: v1
-#   kind: Secret
-#   metadata:
-#     name: test-env-secrets
-#     namespace: test-env
-#   type: Opaque
-#   stringData:
-#     pg-password: "usr1cv8"
-#
-# For now, create secrets manually in the cluster:
-#   kubectl -n test-env create secret generic test-env-secrets --from-literal=pg-password=usr1cv8
-#   kubectl -n test-env create secret generic test-env-runner-token --from-literal=token=<TOKEN>