gitea_admin/deploy-app-kargo-private
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: gitea_admin:main
Branches Tags
gitea_admin:main gitea_admin:kargo/promotion/prod.01kkf0p33cfwcf71t0z26a2fj4.3a5e73c gitea_admin:infra/stage/dev gitea_admin:infra/stage/prod gitea_admin:kargo/promotion/prod.01kkez5vyxc949csgmmxwd26c2.3a5e73c gitea_admin:kargo/promotion/prod.01kkez3yerf40e5w45pnnqp7fs.3a5e73c gitea_admin:kargo/promotion/prod.01kkeny4c0fbqjekgbe415p40r.3a5e73c gitea_admin:kargo/promotion/prod.01kkegh7jk7tnhb7svmk1qxrs0.3a5e73c gitea_admin:kargo/promotion/prod.01kkegje6sfrva77a3tfxx09k5.3a5e73c gitea_admin:kargo/promotion/prod.01kkefc7g3frz8e3yhnw089vye.3a5e73c gitea_admin:kargo/promotion/prod.01kke84qmy8p7w0s3s85m40swk.3a5e73c gitea_admin:kargo/promotion/prod.01kke725yknx5nebcrpwghdcwb.3a5e73c gitea_admin:infra/stage/test gitea_admin:test-env/stage/dev gitea_admin:kargo/promotion/prod.01kke36fwn9w2d5a0x7vkt7ygs.5156c91 gitea_admin:kargo/promotion/prod.01kkdzjf1g6ps6j0b971t49w6y.5156c91 gitea_admin:kargo/promotion/prod.01kkdyhm6f0j2g9ncp9ar0jvpp.5156c91 gitea_admin:ci/stage/dev
gitea_admin:v0.1.0
..
compare: gitea_admin:kargo/promotion/prod.01kkdzjf1g6ps6j0b971t49w6y.5156c91
Branches Tags
gitea_admin:main gitea_admin:kargo/promotion/prod.01kkf0p33cfwcf71t0z26a2fj4.3a5e73c gitea_admin:infra/stage/dev gitea_admin:infra/stage/prod gitea_admin:kargo/promotion/prod.01kkez5vyxc949csgmmxwd26c2.3a5e73c gitea_admin:kargo/promotion/prod.01kkez3yerf40e5w45pnnqp7fs.3a5e73c gitea_admin:kargo/promotion/prod.01kkeny4c0fbqjekgbe415p40r.3a5e73c gitea_admin:kargo/promotion/prod.01kkegh7jk7tnhb7svmk1qxrs0.3a5e73c gitea_admin:kargo/promotion/prod.01kkegje6sfrva77a3tfxx09k5.3a5e73c gitea_admin:kargo/promotion/prod.01kkefc7g3frz8e3yhnw089vye.3a5e73c gitea_admin:kargo/promotion/prod.01kke84qmy8p7w0s3s85m40swk.3a5e73c gitea_admin:kargo/promotion/prod.01kke725yknx5nebcrpwghdcwb.3a5e73c gitea_admin:infra/stage/test gitea_admin:test-env/stage/dev gitea_admin:kargo/promotion/prod.01kke36fwn9w2d5a0x7vkt7ygs.5156c91 gitea_admin:kargo/promotion/prod.01kkdzjf1g6ps6j0b971t49w6y.5156c91 gitea_admin:kargo/promotion/prod.01kkdyhm6f0j2g9ncp9ar0jvpp.5156c91 gitea_admin:ci/stage/dev
gitea_admin:v0.1.0

2 Commits
main ... kargo/prom

Author SHA1 Message Date
Kargo
8d3d75b902 promote(infra/prod): freight 5156c91d9d5d70decc8f78ca021bb04178f65daf 2026-03-11 08:17:52 +00:00
XoR
2ef96b3f49 initial prod: bootstrap apps only 
Bootstrap: cert-manager kargo kargo-infra-pipeline kargo-ci-pipeline kargo-test-env-pipeline kargo-credentials
Other apps arrive via Kargo promotion (dev → test → PR → prod)
 2026-03-11 10:01:35 +03:00
76 changed files with 95 additions and 2010 deletions
Expand all files Collapse all files

56
.sops.yaml
View File

@@ -1,56 +0,0 @@
# SOPS configuration for deploy-app-kargo-private
# Zero Trust key model: dev cannot decrypt prod, prod cannot decrypt dev.
# Test secrets accessible to both dev and prod.
#
# Keys:
# admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7 (master, backup/audit)
# dev: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g (dev cluster only)
# test: age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33 (shared test environment)
# prod: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk (prod cluster only)
#
# Trust model:
# *.dev.enc.yaml → admin + dev (ONLY dev-admin can decrypt)
# *.test.enc.yaml → admin + dev + test + prod (everyone can decrypt)
# *.prod.enc.yaml → admin + prod (ONLY prod-admin can decrypt)
# *.shared.enc.yaml → admin + dev + prod (legacy, both can decrypt)
#
# mac_only_encrypted: true — allows adding new YAML keys/structure without
# having the decryption key. MAC is computed only over encrypted values.
# This enables dev to add fields to *.prod.enc.yaml without decrypting them.
# Requires SOPS >= 3.9.0.
creation_rules:
# Dev-specific secrets — ONLY admin + dev can decrypt
- path_regex: \.dev\.enc\.yaml$
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
age: >-
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
# Test secrets — all keys can decrypt (shared test environment)
- path_regex: \.test\.enc\.yaml$
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
age: >-
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33,
age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
# Prod-specific secrets — ONLY admin + prod can decrypt
- path_regex: \.prod\.enc\.yaml$
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
age: >-
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
# Shared secrets (legacy, both clusters) — admin + dev + prod
- path_regex: \.shared\.enc\.yaml$
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
mac_only_encrypted: true
age: >-
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk

24
README.md
View File

@@ -1,24 +0,0 @@
# deploy-app-kargo-private
Private ArgoCD ApplicationSet repository with SOPS-encrypted secrets.
## Structure
- `infra/` — Infrastructure apps (cert-manager, gitea, kargo, etc.)
- `ci/` — CI apps (gitea-runner, etc.)
- `kargo/` — Kargo pipeline definitions + encrypted credentials
- `.sops.yaml` — SOPS encryption rules (3 age keys: admin, dev, prod)
## Encryption
Secrets in `*.enc.yaml` files are encrypted with SOPS + age:
- `*.dev.enc.yaml` — decryptable by admin + dev keys
- `*.prod.enc.yaml` — decryptable by admin + prod keys
- `*.shared.enc.yaml` — decryptable by all three keys
## Branches
- `main` — source of truth
- `infra/stage/dev` — dev cluster (Kargo promotion)
- `infra/stage/test` — test stage (Kargo verification)
- `infra/stage/prod` — prod cluster (Kargo promotion via PR)

28
bootstrap/kargo/values/secret-values.dev.enc.yaml
View File

@@ -1,28 +0,0 @@
# Kargo secrets for dev/test cluster
passwordHash: ENC[AES256_GCM,data:Brg8qSTsGeft72w0FhnmKu0CgfL14zDLLIifyFdS+MJDtWhhRJq88Wh2OOrjylTsteYJeb9LaGh7T/6I,iv:PapmZ9/fubkIMz4Br4W4Xqj8UB6BJl5708V0nPRqgxw=,tag:r1iCfDxwmNRJT56dnEEo2Q==,type:str]
tokenSigningKey: ENC[AES256_GCM,data:f1i9nVF74bWcGl0GXBujwo215aXV4pAm9r3AX181nUq32QyWdkzR0+7e+4EfqoZkpOorCKZQq6pJEn45th9YJw==,iv:yMT3dnlNnblyUJdmWb9XFQlnPnLIT12iw6aNxN94lY0=,tag:WE6/dL8+382eYMj/tYq/+w==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVEhRZkhINm80MGYzcGZP
a1ZURk9GYVRiT1plV0U1WlQvenFieU1TbGt3CnlqbExOZGpEMEd2MDlDV0k1Z0ZI
UzJxK1ByVkhrNXlJWkhCUHhTSzl0cW8KLS0tIDRKb0dmNXhXSnIzMEhnOUNjMVRD
V1oySnBJeFdyWGdGYzhpN2JIRG00cUEKta06XCymUR8ltBL/6egR/IHTaS/Q0vih
ep4kyfexVOK+OAnbvA/4BSUBKXAr2L+GN3tAuG4YOnehX764WTaoxQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VHQvczM3MDhEcXJGQkpa
Vm1LYURwbUk5MEhXOVBLdFl5UWRLcmZpaWwwCmdrMGFmNlZVL2pQdDFFR1BrZ25h
ZEZMazJsR3hhZlNsUTNSNEVEUlNtcE0KLS0tIEplZnk2eDNXd2ZOcVhJNThieWJU
UkZSc1E1dHVieFRMSDNhSXN0ZC9OdGsK+7GeHMVOYmhIpt1tZTo/l3JdTQL1ZuC7
ZLydtSlmPfT4rkUmtyfEMf8HU45V9KO7IUSWyWBOy7XU1whb7frdHw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:13Z"
mac: ENC[AES256_GCM,data:DWPS9s6QGbeFKEsZGBqKZE596Bqm1nY5D3JrBnEkRVwQhXo4oo6QIwSOpojBx4cSANANzi+CkhCGXIIAhKxXLn4Aii9y/d1Lpe6S7umFeLg/15Qb7CAC6mI/WPK6H71zD8VSxzHictDek9opfdhIzrlr9xIvKRwzyhsF7I76kgE=,iv:Epf8fh8kMDpFpV0BOVV542n8OitoDcy7yRg0gI76aFU=,tag:Yd4oFywmeALME220szSWzA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

28
bootstrap/kargo/values/secret-values.prod.enc.yaml
View File

@@ -1,28 +0,0 @@
# Kargo secrets for prod cluster
passwordHash: ENC[AES256_GCM,data:40E+4VZg1JwCjmXmsrqsPAKJJREu3TyaRdifnu6ADbFxIg7uJ1OmC2peUWZnmldOVy5rYRvn4f9+,iv:X5A46o59GeOpk5DazwV+ulhnXf+WKrz14lJB2AzVipc=,tag:0pPim5ccR9g3KeZrjvxzpg==,type:str]
tokenSigningKey: ENC[AES256_GCM,data:tsp3iRJT0IlidEA3gU7rsY6LsoqurOAIe6DSLOnKcL167U/wax0jTUHsCsqcDq6YwVrrXr1H7EwohSpxLFkbfA==,iv:+LpAQkMKowoEHbqC3EIIJ/MaAmXYcCfNJ1SUt2lhNqc=,tag:6iI7umdfMOyEO6mD9cxMzA==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSlJqQ0tsRDFYdmUxbHFV
UGxLc05lRmlpYmJmdU9rTkhYUEVRN01tNVJnCmlWZnpMdU40ZEVsMnFDNWxaR3ow
KzlMNWpab0dDOS94Vm9EU1hBMDR5ZzQKLS0tIFpkenkvM01QOGJKRTFjcDl0N2c4
RnR3anYvdnRjYXhKNkE3aDFRZXY4TVEKuX/i/7fLkHVuh51vO/TMDCZ8K5AkGoO1
B9mOtMu8HZSV2F5UW3hpYrA+mJz82Hi0I84aI1LpAdjobsCckEpR3Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSDVNRERESERkQ2RwSlo0
OGFHaHAzeGhFcVhsOHEyekd2MVZzZG50b3c0CkRIMm1veXNXL3BrMkpuajVrZzFW
ekVPcFYwMUZMc2V5cnFUdUlneWQxQmsKLS0tIFRwZ0ZCZVE1K0N6ZlFGbkZJT2k3
cXFYaThyS1gxOU5hWFl0cDgyUTB6U2MKejpV8nlfBNKC9vqC9UkOJquC4poU/gAI
s2Ul/34xAM5/amo/icjwmkpB+TsAR4zNgkECuW7rF9plf1LSFrFUAg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:13Z"
mac: ENC[AES256_GCM,data:igA1mRDKhw3B/QgRU7naByC8lS9EYfv+r5wU4BdBDmDfEQYzqT4sf3/zEE8XZnhKNbgc+hQuu4YodpaefWQAZwUXQFGhs8zxaLtUtP+zdBq8GJlfDradha9SyrtWsjY68dcA2RBc8E0y8xG+YE0fgnsOl2gvc9iXg0+X+2g31pI=,iv:OhmU/sX6SuD7V4SYINVfQFPYnJGIZ3H76YG+/RElgBY=,tag:dhqlLkmKBLaABc4UAUFvNg==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

6
ci/gitea-runner/manifests/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitea-runner
labels:
name: gitea-runner

79
ci/gitea-runner/manifests/runner.yaml
View File

@@ -1,79 +0,0 @@
# Gitea Actions runner (act_runner)
# Requires registration token in gitea-runner-token secret
# Token is generated in Gitea admin → Actions → Runners → Create new runner
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-runner-config
namespace: gitea-runner
data:
config.yaml: |
log:
level: info
runner:
file: .runner
capacity: 1
timeout: 3h
labels:
- "ubuntu-latest:docker://node:20-bullseye"
- "ubuntu-22.04:docker://node:20-bullseye"
cache:
enabled: true
dir: ""
container:
network: ""
privileged: false
options:
workdir_parent:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-runner
namespace: gitea-runner
labels:
app: gitea-runner
spec:
replicas: 0 # Set to 1 after creating registration token
selector:
matchLabels:
app: gitea-runner
template:
metadata:
labels:
app: gitea-runner
spec:
containers:
- name: runner
image: gitea/act_runner:0.2.11
env:
- name: GITEA_INSTANCE_URL
value: "http://gitea-http.gitea.svc.cluster.local:3000"
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: gitea-runner-token
key: token
optional: true
volumeMounts:
- name: config
mountPath: /config
readOnly: true
- name: data
mountPath: /data
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "2"
memory: 2Gi
volumes:
- name: config
configMap:
name: gitea-runner-config
- name: data
emptyDir: {}
nodeSelector:
node-role.kubernetes.io/worker: ""

134
dev/deploy-test-env.sh
View File

@@ -1,134 +0,0 @@
#!/bin/bash
# deploy-test-env.sh — Deploy test-env to dev cluster and verify
#
# Usage:
# bash dev/deploy-test-env.sh [--check-only] [--create-secrets]
#
# Prerequisites:
# - kubectl configured for dev cluster
# - Images benadis/pg-1c:18.1-2.1C and benadis/ar-edt:6.2.27.1 accessible
#
# This script:
# 1. Validates kustomize build
# 2. Applies manifests via kustomize
# 3. Creates secrets if --create-secrets
# 4. Waits for pods to be ready
# 5. Runs smoke tests (pg_isready, ragent check)
set -euo pipefail
cd "$(dirname "$0")/.."
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
CHECK_ONLY=false
CREATE_SECRETS=false
for arg in "$@"; do
case $arg in
--check-only) CHECK_ONLY=true ;;
--create-secrets) CREATE_SECRETS=true ;;
esac
done
echo "=== test-env deployment ==="
# --- Step 1: Validate kustomize ---
echo -e "\n${YELLOW}[1/5] Validating kustomize build...${NC}"
if kubectl kustomize test-env/ > /dev/null 2>&1; then
echo -e "${GREEN} ✓ kustomize build OK${NC}"
else
echo -e "${RED} ✗ kustomize build FAILED${NC}"
kubectl kustomize test-env/ 2>&1 | head -20
exit 1
fi
if $CHECK_ONLY; then
echo -e "\n${GREEN}Validation passed (--check-only)${NC}"
kubectl kustomize test-env/ | grep -c 'kind:' | xargs -I{} echo " {} resources"
exit 0
fi
# --- Step 2: Apply manifests ---
echo -e "\n${YELLOW}[2/5] Applying manifests...${NC}"
kubectl apply -k test-env/
echo -e "${GREEN} ✓ Manifests applied${NC}"
# --- Step 3: Create secrets if needed ---
if $CREATE_SECRETS; then
echo -e "\n${YELLOW}[3/5] Creating secrets...${NC}"
kubectl -n test-env create secret generic test-env-secrets \
--from-literal=pg-password=usr1cv8 \
--dry-run=client -o yaml | kubectl apply -f -
echo -e "${GREEN} ✓ Secrets created${NC}"
else
echo -e "\n${YELLOW}[3/5] Checking secrets...${NC}"
if kubectl -n test-env get secret test-env-secrets > /dev/null 2>&1; then
echo -e "${GREEN} ✓ test-env-secrets exists${NC}"
else
echo -e "${RED} ✗ test-env-secrets missing — run with --create-secrets${NC}"
fi
fi
# --- Step 4: Wait for pods ---
echo -e "\n${YELLOW}[4/5] Waiting for pods (timeout 120s)...${NC}"
wait_for_pod() {
local label=$1
local timeout=${2:-120}
local start=$(date +%s)
while true; do
local phase=$(kubectl -n test-env get pods -l "$label" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "Pending")
if [ "$phase" = "Running" ]; then
echo -e "${GREEN}$label → Running${NC}"
return 0
fi
local elapsed=$(( $(date +%s) - start ))
if [ $elapsed -gt $timeout ]; then
echo -e "${RED}$label$phase (timeout ${timeout}s)${NC}"
return 1
fi
sleep 5
done
}
wait_for_pod "app=test-pg" 120
wait_for_pod "app=onec-server" 120
# --- Step 5: Smoke tests ---
echo -e "\n${YELLOW}[5/5] Smoke tests...${NC}"
# PostgreSQL ready
PG_POD=$(kubectl -n test-env get pod -l app=test-pg -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
if [ -n "$PG_POD" ]; then
if kubectl -n test-env exec "$PG_POD" -- su - postgres -c "/usr/lib/postgresql/18/bin/pg_isready" > /dev/null 2>&1; then
echo -e "${GREEN} ✓ PostgreSQL is ready${NC}"
else
echo -e "${RED} ✗ PostgreSQL pg_isready failed${NC}"
fi
fi
# 1C server ragent running
ONEC_POD=$(kubectl -n test-env get pod -l app=onec-server -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
if [ -n "$ONEC_POD" ]; then
if kubectl -n test-env exec "$ONEC_POD" -- pgrep ragent > /dev/null 2>&1; then
echo -e "${GREEN} ✓ ragent is running${NC}"
else
echo -e "${RED} ✗ ragent not running${NC}"
fi
if kubectl -n test-env exec "$ONEC_POD" -- pgrep crserver > /dev/null 2>&1; then
echo -e "${GREEN} ✓ crserver is running${NC}"
else
echo -e "${RED} ✗ crserver not running${NC}"
fi
fi
# Summary
echo -e "\n=== Status ==="
kubectl -n test-env get pods -o wide
echo ""
kubectl -n test-env get svc
echo ""
kubectl -n test-env get pvc

128
dev/verify-sops-isolation.sh
View File

@@ -1,128 +0,0 @@
#!/bin/bash
# verify-sops-isolation.sh — Verify SOPS zero trust key isolation
#
# Usage: bash dev/verify-sops-isolation.sh [--keys-dir PATH]
#
# Verifies that:
# 1. dev-key can ONLY decrypt *.dev.enc.yaml
# 2. prod-key can ONLY decrypt *.prod.enc.yaml
# 3. test-key can decrypt *.test.enc.yaml (if any)
# 4. test-key CANNOT decrypt dev or prod files
# 5. mac_only_encrypted is set in all files
# 6. All files decrypt successfully with appropriate keys
#
# Requires: sops, age keys in SOPS_AGE_KEY_DEV/PROD/TEST env vars
# or provide --keys-dir with separate key files
set -euo pipefail
cd "$(dirname "$0")/.."
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
PASS=0
FAIL=0
WARN=0
check() {
local desc=$1 expected=$2 actual=$3
if [ "$expected" = "$actual" ]; then
echo -e " ${GREEN}${NC} $desc"
PASS=$((PASS+1))
else
echo -e " ${RED}${NC} $desc (expected=$expected, got=$actual)"
FAIL=$((FAIL+1))
fi
}
ORIG_KEYS=""
if [ -f ~/.config/sops/age/keys.txt ]; then
ORIG_KEYS=$(cat ~/.config/sops/age/keys.txt)
fi
restore_keys() {
if [ -n "$ORIG_KEYS" ]; then
echo "$ORIG_KEYS" > ~/.config/sops/age/keys.txt
fi
}
trap restore_keys EXIT
# --- Check .sops.yaml ---
echo -e "\n${YELLOW}[1] Checking .sops.yaml configuration${NC}"
if [ -f .sops.yaml ]; then
check ".sops.yaml exists" "yes" "yes"
else
check ".sops.yaml exists" "yes" "no"
exit 1
fi
MAC_RULES=$(grep -c '^\s*mac_only_encrypted: true' .sops.yaml || echo 0)
check "mac_only_encrypted rules in .sops.yaml (>=4)" "yes" "$([ "$MAC_RULES" -ge 4 ] && echo yes || echo no)"
# --- Check all encrypted files ---
echo -e "\n${YELLOW}[2] Checking mac_only_encrypted in encrypted files${NC}"
TOTAL_ENC=$(find . -name '*.enc.yaml' -not -path './.git/*' | wc -l)
MAC_ENC=$(grep -rl 'mac_only_encrypted: true' $(find . -name '*.enc.yaml' -not -path './.git/*' 2>/dev/null) 2>/dev/null | wc -l)
check "mac_only_encrypted in all encrypted files" "$TOTAL_ENC" "$MAC_ENC"
# --- Key isolation tests ---
echo -e "\n${YELLOW}[3] Key isolation: dev-key${NC}"
if [ -n "${SOPS_AGE_KEY_DEV:-}" ]; then
echo "$SOPS_AGE_KEY_DEV" > ~/.config/sops/age/keys.txt
for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "dev-key decrypts $(basename $f)" "yes" "$result"
done
for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "dev-key CANNOT decrypt $(basename $f)" "no" "$result"
done
else
echo -e " ${YELLOW}⚠ SOPS_AGE_KEY_DEV not set, skipping${NC}"
WARN=$((WARN+1))
fi
echo -e "\n${YELLOW}[4] Key isolation: prod-key${NC}"
if [ -n "${SOPS_AGE_KEY_PROD:-}" ]; then
echo "$SOPS_AGE_KEY_PROD" > ~/.config/sops/age/keys.txt
for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "prod-key decrypts $(basename $f)" "yes" "$result"
done
for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "prod-key CANNOT decrypt $(basename $f)" "no" "$result"
done
else
echo -e " ${YELLOW}⚠ SOPS_AGE_KEY_PROD not set, skipping${NC}"
WARN=$((WARN+1))
fi
echo -e "\n${YELLOW}[5] Key isolation: test-key${NC}"
if [ -n "${SOPS_AGE_KEY_TEST:-}" ]; then
echo "$SOPS_AGE_KEY_TEST" > ~/.config/sops/age/keys.txt
for f in $(find . -name '*.dev.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "test-key CANNOT decrypt $(basename $f)" "no" "$result"
done
for f in $(find . -name '*.prod.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "test-key CANNOT decrypt $(basename $f)" "no" "$result"
done
for f in $(find . -name '*.test.enc.yaml' -not -path './.git/*'); do
result=$(sops decrypt "$f" > /dev/null 2>&1 && echo "yes" || echo "no")
check "test-key decrypts $(basename $f)" "yes" "$result"
done
else
echo -e " ${YELLOW}⚠ SOPS_AGE_KEY_TEST not set, skipping${NC}"
WARN=$((WARN+1))
fi
# --- Summary ---
echo -e "\n=== Summary ==="
echo -e "${GREEN}Passed: $PASS${NC} ${RED}Failed: $FAIL${NC} ${YELLOW}Warnings: $WARN${NC}"
[ $FAIL -eq 0 ] && echo -e "${GREEN}All checks passed!${NC}" || echo -e "${RED}Some checks failed!${NC}"
exit $FAIL

4
bootstrap/argo-rollouts/config.yaml → infra/argo-rollouts/config.yaml
View File

@@ -1,11 +1,11 @@
{ {
"name": "argo-rollouts", "name": "argo-rollouts",
"namespace": "argo-rollouts", "namespace": "argo-rollouts",
"step": "3", "step": "2",
"source": { "source": {
"repoURL": "https://argoproj.github.io/argo-helm", "repoURL": "https://argoproj.github.io/argo-helm",
"chart": "argo-rollouts", "chart": "argo-rollouts",
"targetRevision": "2.40.6" "targetRevision": 2.40.6
}, },
"helm": { "helm": {
"values": "dashboard:\n enabled: true\n" "values": "dashboard:\n enabled: true\n"

2
bootstrap/cert-manager/config.yaml → infra/cert-manager/config.yaml
View File

@@ -5,7 +5,7 @@
"source": { "source": {
"repoURL": "https://charts.jetstack.io", "repoURL": "https://charts.jetstack.io",
"chart": "cert-manager", "chart": "cert-manager",
"targetRevision": "v1.19.4" "targetRevision": v1.20.0
}, },
"helm": { "helm": {
"values": "crds:\n enabled: true\n" "values": "crds:\n enabled: true\n"

2
infra/gitea-custom/config.yaml
View File

@@ -1,7 +1,7 @@
{ {
"name": "gitea-custom", "name": "gitea-custom",
"namespace": "gitea", "namespace": "gitea",
"step": "2", "step": "6",
"source": { "source": {
"repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git", "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
"path": "infra/gitea-custom/manifests", "path": "infra/gitea-custom/manifests",

4
infra/gitea/config.yaml
View File

@@ -1,11 +1,11 @@
{ {
"name": "gitea", "name": "gitea",
"namespace": "gitea", "namespace": "gitea",
"step": "1", "step": "4",
"source": { "source": {
"repoURL": "https://dl.gitea.com/charts", "repoURL": "https://dl.gitea.com/charts",
"chart": "gitea", "chart": "gitea",
"targetRevision": "12.5.0" "targetRevision": 12.5.0
}, },
"helm": { "helm": {
"values": "gitea:\n admin:\n existingSecret: gitea-admin\n config:\n server:\n ROOT_URL: \"https://gitea.k3s.e2e.local\"\n DOMAIN: \"k3s.e2e.local\"\n SSH_DOMAIN: \"gitea.k3s.e2e.local\"\n SSH_PORT: 2222\n service:\n DISABLE_REGISTRATION: false\n actions:\n ENABLED: \"true\"\n cache:\n ENABLED: false\n ADAPTER: memory\n session:\n PROVIDER: memory\n\ningress:\n enabled: false\n\npostgresql:\n enabled: true\n image:\n repository: bitnamilegacy/postgresql\n tag: \"17\"\n\npostgresql-ha:\n enabled: false\n\nmemcached:\n enabled: false\n\nredis-cluster:\n enabled: false\n\nredis:\n enabled: false\n\nvalkey-cluster:\n enabled: false\n\nimage:\n rootless: false\n" "values": "gitea:\n admin:\n existingSecret: gitea-admin\n config:\n server:\n ROOT_URL: \"https://gitea.k3s.e2e.local\"\n DOMAIN: \"k3s.e2e.local\"\n SSH_DOMAIN: \"gitea.k3s.e2e.local\"\n SSH_PORT: 2222\n service:\n DISABLE_REGISTRATION: false\n actions:\n ENABLED: \"true\"\n cache:\n ENABLED: false\n ADAPTER: memory\n session:\n PROVIDER: memory\n\ningress:\n enabled: false\n\npostgresql:\n enabled: true\n image:\n repository: bitnamilegacy/postgresql\n tag: \"17\"\n\npostgresql-ha:\n enabled: false\n\nmemcached:\n enabled: false\n\nredis-cluster:\n enabled: false\n\nredis:\n enabled: false\n\nvalkey-cluster:\n enabled: false\n\nimage:\n rootless: false\n"

29
infra/gitea/values/secret-values.dev.enc.yaml
View File

@@ -1,28 +1,27 @@
# Gitea secrets for dev/test cluster # Gitea secrets for dev/test cluster
admin-password: ENC[AES256_GCM,data:VVEs6UmQymD7bhc2DQ+ghuE=,iv:LRht/bByPtiCjkazc19NRIwbXzZclEZYtwCeXJfFMfQ=,tag:ig1bUcDNr+1wsDHoeBfMvw==,type:str] admin-password: ENC[AES256_GCM,data:Nh7IDhZbJxOYjat8JhRoWtQ=,iv:mDtUOdjiKxvTTKaWNQ6bUQ2rCbV9Ule25IN5AVBTrp0=,tag:FxMWUvu82HusjtPBmEtwcA==,type:str]
db-password: ENC[AES256_GCM,data:1QXmkEs6ECbf8NcoMcmgF4mLOYo=,iv:xKiTicbmhJaLajgN2taL+VR+H0ky1fHI3e79I0D6IdA=,tag:Whd7VdtjC7sYqC24XGEqBQ==,type:str] db-password: ENC[AES256_GCM,data:qRZjNRGr/oJVzYTz6Kv0sZ7Sbns=,iv:V03c8IrsLZzJck5ZqrXS46LydbGPtLBwkjjGQI0zkv4=,tag:pxDpAbekwwOw9yiqMwl2QA==,type:str]
sops: sops:
age: age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7 - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdHZRckgvZXZwRUdFZTNt YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWFvNXF3QXpnbjFsbHhn
WFlNU0YwWncyNC9aZEFIT0hRRU5uYkNLMXdvCmgxM3NHSnR0THFXZUw4amZnSi9t dmdnRmRwWnpkUVlRSHlEZXdXT2FoeVVVejFNCkZ0UGp5YWZ2TThEUnZPOVNqVjJR
dkgrZDloUVo5NkZ5eDdPNUxaTi84NncKLS0tIGlmWDBiMjJUWWxsU1ZzWTZYL2dm S0lXSGxSSFF3ZWhUM2NMWW9MZUszZnMKLS0tIEowWHo5SUFMMDFNY1lWY3NuNnJN
c25XZ0NKbUtuNHBjeGJ6YWVDTndaMXMKKHqfuydqSL65wdpHcyug8eg0p1VPMSuz OERJZklLT1RnSDc4VjdaQ0F3cVRTaGsKYIfYSv4In5YiGs2/KWX1oPqOoiUxwVUl
VeNu16pPCtTtStuGl4f2ciOVMaGCNbjY3XySRzZQKUNciZVTfat5Ow== jROG2UecsSjhKq6XdX+KVYmcSKhy1ljPjHaL+t3MmSNE6+jJpMpDvQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g - recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YzZ5am1lWGFaeVBxak5P YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNzZSWE1NcTR1blQ5TWxH
bVdSWHZTU1pkR3U0b1hvMVIvZUh3MnNpbkNJCm8wMmNUVzZ2U01kc3crTGliZG5u N0k2YWNOdTA4WHZXQ3VlTHpWNVNuRm53S3dzCnZOR0gyWTVzams4SjdCZVpSMjdL
MHpKVDZaZEt3dkJ3cVRVREpPQXFXUlUKLS0tIGdwSjNXUm4reENLUFRhMlNWQ0Yw S2dqZTcvb3VtVE9JUWVlVU1QL1NaZ3MKLS0tIHdUZldWZWdIZ01VUWxLeEJDNmY0
Ykw3QjBoQ2c0c3U1dWs0OVpCajBnYTQKtU/a24mNe+yo91QvFs2qHC2HR5tft9ny aEV2U1JMaTFYRldjc1kwNHczd3gvM1kKEytPjCdNTG+8SFnQxh50XKfjAxa1xn0t
d0RnFNYSaxgFWbV+Hs3vzBQUFlq0CzhfZzRR/rUcRfnrd+krlXThRQ== D3dj6yMfIfkgnp84pI9PY5hBweHrEcdeUwhPrkNY8dRuiShv4o4xTQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:13Z" lastmodified: "2026-03-11T06:57:04Z"
mac: ENC[AES256_GCM,data:E7YknH7WIh7zhZElq67jPRyt1dfjQDVWvrcIMtHbkRG/d6xQhgeJY9HwWJaotfrlCx3tpxO0zi882/ACVoogY+8f3l8jCCOEp+e20X3qDmbEOrRLsl8+mRnDiyJFAXULqJvAHEr5yJnYNxXXvVzOSpTOe+ECgedCJ4fgRU58c0k=,iv:FZt+eF6OLW+98FVxe7TFdpCWSvMwwXWKdudccgMJoKo=,tag:lpCIsC85JDG7p6xyxJnk4A==,type:str] mac: ENC[AES256_GCM,data:LKIihGyIcUImsmRWgPhWQRBeaFiXdWgaMwlif+FPNdmy/LSRlwIqIN8KzwuMu1zAlNvl1SVOVZL7SgRe9rZHax5pIn+Qrb5B+cuFPZTyvl24VBlJ+l29x182CKhRnT1RDDA9D7do+y8bG+rjyJ6u5d/yYcMAYIH9+I4fS4uERQw=,iv:23M4i1uCpQzfWZIp2c4gGThOCGotS3eajdjItlAwh2Y=,tag:MoD7LbWCu5EGxPeliRDinQ==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$ encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1 version: 3.12.1

29
infra/gitea/values/secret-values.prod.enc.yaml
View File

@@ -1,28 +1,27 @@
# Gitea secrets for prod cluster # Gitea secrets for prod cluster
admin-password: ENC[AES256_GCM,data:ZStjY7d/2LcgGm8roVRT7ndOwgNi,iv:QYCaEqO1P0fjVnd6Cw+HMJKYSlqj0Bin7aBSmkZ5Zb0=,tag:f3pM4+U84FJOR54ADGKMxw==,type:str] admin-password: ENC[AES256_GCM,data:4pXdFHPAXo9fnyEmAqDygucpGrOy,iv:Qa/fQvRoU8TXMlkSjlomwzOn0v1M/PJ606HZI+inRcQ=,tag:/fKGATm+rUSCUH+os12qlQ==,type:str]
db-password: ENC[AES256_GCM,data:gVcaEkJHP6LC/ufpW6/uyVceWvrx6vVnWg==,iv:Qt364af+t33gUKqHjkNUQzmJjCV+qrvoOJlwTpXmGy4=,tag:SURLKmepxtcrlmFR8wGvJw==,type:str] db-password: ENC[AES256_GCM,data:lw3I+smG/1DaMFd2V98D7ENu6MB0g+e81A==,iv:DZmS4R2buArXMkO/Cjtp9gN9AqpTaVHs7NfqQFqciWY=,tag:OA9kzug/Mel6+GDlnYU/jA==,type:str]
sops: sops:
age: age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7 - recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ckdkQzdIN0dFelVUSEMy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCd2VUaHhQc0h4bmYwdmFy
QllGVTN4Z2IvZ0t3M29NcTNMSGEzczFjWnljCnA4NkZNcDdWUTRNRWIzRmhNckV3 WVJLS2dURWZnOUtCKzRoajB2RVI5U1ROOEVvCnV2VmxFTkhPNlErOE5SZzUyT0c1
ODZFWWdneUU3VHZiRC9TSlVkVjNhVEUKLS0tIHNYWHdML2o0dUlNb1BoWThUK29H VitrWFlJVUt5N2plMitWVjZPUHBmYU0KLS0tIFJVUnBBZjl6cWlRYUNiZSs1V0Q2
MDR0L1QwRlh0emFWMDJvMjhUMnJvb0UKBI+dEz95zrwzb42PpyxBMI70Aei68BIX b1NBVnZydDVlY09LeHNpbkdsTzRNNmcKO9GFvLHIWTh/Aseuo3Z8FE47dE92MxJ6
TQ/sCHKqvtdbEwTkg/ndhfPdorCIGwfCobJmWb8WySU1VZHCWYzJxw== p5OCsZRw+bpQfURStiyckaoMW8Of716uDIS3v1JaW8u4xm3e+lZXGg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk - recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbVZraFNrMDYzNndkNkxJ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUZjdlk4MU4yWGNPOEs4
OERtbXNOamRDSlhpV05mOTcxbXVxT2xVODM0Ci9WSG5vb0trTzkwZFFOdmlVd3Ar ZkplUzlyV1lmQUxidHk3aDFhU1NOeElxeVU4CngxWS8vOTdUbEVNM2thMWgxNGRo
UUN2TVZaMXBaL3d6TmRGZ1h0THhaNGsKLS0tIEFZcVRtNENMS3ZWMUxOeHlYTHlN ZUlYdjVPTXFJWGtNWEJEa2V1dGhqSTgKLS0tIEI2V1hrWUVnRnovblhVQ2ROSENE
UDRIM0RYNVdsSmUyOEFDcXdhNHlXVFkKxoX+LTe+xjXh2M45V4oYcLe9lAmxYexe dXhwWXJJbnVBaFpraXJURERMR1lkUjQKFzaekfQFqg2cVT5gks4fXX26GtZu+M1F
KJ5O588VLGVi4zBpVs1l16JmWAfcfCiMVKOpdvS8vsiQDkGAO3cH4w== g+pzNxpFVlzdrXiWrzjePshTVblVsxV8fKpUVoLYwwLOSILRzF3uwg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:13Z" lastmodified: "2026-03-11T06:57:04Z"
mac: ENC[AES256_GCM,data:mkgNY/EwLknddBdn0X9IZfqjmA7NpESqVDNndCKY5eA01s74Ym3sE4JF39abEAs7U7/l675qsF6ew7Cv0OLCArzYDRlN7vYcBqTsnuUOovxi6utAk6VfzYhH8XQpM3CuV6FlUbSoVovUl09O26kB9yDHe1uTOGVa3Kqk/XsKKoc=,iv:BdqsABAeOBAfTvb0q3KQ5ek3UOgu9oh5GQtsu0s1lEc=,tag:Ux1SmPWs7y1/gKx2vVthiA==,type:str] mac: ENC[AES256_GCM,data:qWDAgi9DeHnc4TfH2la54mKtkNRkO3ArfXJBxZ6D6yEk5nylMA+Fw3FBmsKuU+F1/JN7CQVHbez37jjOXDmoFUfGXunionqkaf4wYz/3duRjdm/ApTLLMAYaq1YHzp6XNF4x+1LBtp0RadK//wwhxXQHoYdui9IH2Ts5ALLjOzo=,iv:B86+ovgnit5oKxY1wgxvYBEhRmnjJiQ7GdveJAGytfA=,tag:QgVjYIvIgwXvfbTxiti1OA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$ encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1 version: 3.12.1

0
bootstrap/kargo-ci-pipeline/config.yaml → infra/kargo-ci-pipeline/config.yaml
View File

6
ci/gitea-runner/config.yaml → infra/kargo-credentials/config.yaml
View File

@@ -1,10 +1,10 @@
{ {
"name": "gitea-runner", "name": "kargo-credentials",
"namespace": "gitea-runner", "namespace": "default",
"step": "5", "step": "5",
"source": { "source": {
"repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git", "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
"path": "ci/gitea-runner/manifests", "path": "kargo/credentials",
"targetRevision": "main" "targetRevision": "main"
} }
} }

0
bootstrap/kargo-infra-pipeline/config.yaml → infra/kargo-infra-pipeline/config.yaml
View File

0
bootstrap/kargo-test-env-pipeline/config.yaml → infra/kargo-test-env-pipeline/config.yaml
View File

0
bootstrap/kargo/config.yaml → infra/kargo/config.yaml
View File

27
infra/kargo/values/secret-values.dev.enc.yaml Normal file
View File

@@ -0,0 +1,27 @@
# Kargo secrets for dev/test cluster
passwordHash: ENC[AES256_GCM,data:qmQr8l5EK92BZyadoAU0+hrOS2N8evnmxroL13GhQbD9idHKhHwkSt6fn1OgYyu+CtnJ6BxeyDyJCNbN,iv:4tnO8HczTo4GO+NFFQK6JRsOYXkS3wFiJfwYrCmot0M=,tag:LTeO8xl31f4+oLy/FDEyIQ==,type:str]
tokenSigningKey: ENC[AES256_GCM,data:Plf3vK+DJYmFsvS1cHTKtPvsvCC17i2/0lAEnG65CZVcrtux3+BiMY7rukLfW7uw/hQ+6JLB1PS4EWIGMNx/xw==,iv:54mdXGpgJ3f1dkeTyfZbfSoufJE89MUYIQpEz6jUt0E=,tag:KqK4shNvrQ7Dbu0+uYqjPw==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVHNjbmJ2K3ljSHNmdEpE
RzdrL1o5ZXhxQXl0N0ptWk5JWjlCYnVtTXdZCkRWUDl5RkkzYXFBbjRpMmdnY254
YWhPeEw0MzF6K2VoTEI1R09PV0szQlkKLS0tIG42S0h4VUtsaWN0WTI0V1piYTU5
MUYvbzVyWUVRZHRYd21MY2dWMzVBTE0KJ0cSonX/lD3PBjz3BFFPkea+XDDPqGAF
gd20j8xOjyV1nu6Dg1qq80ZN3E0rotXnTK5zu/AyW4wcByUTG465Hw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUmlEM1Z4NDRZaU9LSFF3
SjZnM0R6U0NlYWtkbGFMdGRXbW9YRjBIeVVjCk9nV05aZk04L0xvUnk4c3hRczZV
ZEY4dmI0NndjWHEvSDJ6OTUrS3owM3cKLS0tIFFhWUk5Qy9GMGNrWGM2WnY4SWNm
UVVUcktPakNYeWVxakp2RjQweG41MVEKoHKCkhsn29s4JuRCfBqoF78/UcShnCAx
sGnz9zTnE+LSVMbknG1+Y3kFdRNXesLFZfyyk3W2atjp7Tw9rGYWTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:57:04Z"
mac: ENC[AES256_GCM,data:E4jKWJsO9bEMzEjmp+XhBx45heXB7W5op11YyC2TV2KA0PNfAa7eZXIAZ7PVjVIfhbmODv3pd3KG4mY7lJ9I1ly6VfFGl4wMtXZkQlVt5+2DF6GyLGGfjKftRcGni4xP2J4wfzZGiIiQ2G8IUfmGy8Wpegw9lo6/UvES1w1kies=,iv:6fwg2NNoZnKq9jiFHLRQ6FZXrx9OzFEnxWU1VwEVoj0=,tag:CiJAekk+4dp/pyWkqXJKVw==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

27
infra/kargo/values/secret-values.prod.enc.yaml Normal file
View File

@@ -0,0 +1,27 @@
# Kargo secrets for prod cluster
passwordHash: ENC[AES256_GCM,data:iYRGwF7yug4fy4q70CoWMJCAIwd5nszzTqXHXe88zGRRYw6YtvAszCpGcecRRFhCwIfycTnciXfN,iv:CwerCu5GfMhpTpeqQ2QmMBMwxf7t2L12PUM4yCT4yIE=,tag:XNhTKS0d6T0VhK6E9BDn1w==,type:str]
tokenSigningKey: ENC[AES256_GCM,data:+05VkEeKatxayA1wK0a19fE6PFc3utOHvvT3Z+4KwfUBI778n5X9rMwSQQSFsbQyduPLITGf5VYKGaC5z3okAQ==,iv:uuS6oHdCLrvh6H38sfYzXTsrZ1lw5CJxjNN/0jchV9Q=,tag:iVuTqL2zew18OMeFwnGqrQ==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYytrSWhtUWtEQUpQVEhh
S1RvN2N3ZFcvaFVmdU5KQ2pYTitPMUJJQTNFCml4YWMzRWdiZHAxRUoycHRmTU1L
RUhDOEJzSThIVDV0Y1RSQWczeEVXU0UKLS0tIHgwM0k3R2k1V1h5U2tWajdnMElj
SUdhZzh1S3Y3cktwTUJzQk5Lc3BjeTAK4LOXLhfyd4NMWsuUm0/Bjxq+9ni6wntw
6u2UgYliecKNw4IX+2Ukhp/z4jGlVEayAE8QrfCj7RjBATPUYncPEw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bittd3daOE9jWUJKeHB4
R2k4Q3lNSzNkTDA0RTZlL1JrSFNMalRhWEVVCjNYSDVZU3kvRHlqZTRaOGRkZDJI
RUJiM2RMY0tFU2QvT25tQlFtK1l1NTgKLS0tIGJDYzhFelR1TkpNL2JmMGJ4YXd2
SGNGTGhGWGovbUJHMHh0QWhIWlhBdVUKAKxeFgOPJRaTl5z0bydzd1nr5SDmqfMx
7n/OjVadcCg4PLd54eMpgiJ7ts4UeaAK+RxdHtI9Y7jP1ConLffoAg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-11T06:57:04Z"
mac: ENC[AES256_GCM,data:Mp01K4uHW7ZFXzURs8nzkfwe6d7xgiOds12/VN1I5qB5OoC3afM1pZRQ7/mM0lTyueVt9hTh4B76zAFp6rB+/ombjJ5JPnwyEayAklovy7R6BFC1podhb78npC2u7K5P7DIFI54nJqj1XfFt4eIMQjkR6AnFeT1pqzquF7SVnLQ=,iv:VesrzDd09vugtzAYjB/oyHm99Dmm8dlDgP0NITvd4Rs=,tag:5z5zBC/7ulnqTRz9UXyrhw==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
version: 3.12.1

4
bootstrap/traefik-routes/config.yaml → infra/traefik-routes/config.yaml
View File

@@ -1,10 +1,10 @@
{ {
"name": "traefik-routes", "name": "traefik-routes",
"namespace": "kube-system", "namespace": "kube-system",
"step": "2", "step": "3",
"source": { "source": {
"repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git", "repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
"path": "bootstrap/traefik-routes/manifests", "path": "infra/traefik-routes/manifests",
"targetRevision": "main" "targetRevision": "main"
} }
} }

0
bootstrap/traefik-routes/manifests/gitea-ingress.yaml → infra/traefik-routes/manifests/gitea-ingress.yaml
View File

0
bootstrap/traefik-routes/manifests/gitea-ssh.yaml → infra/traefik-routes/manifests/gitea-ssh.yaml
View File

0
bootstrap/traefik-routes/manifests/kargo-ingress.yaml → infra/traefik-routes/manifests/kargo-ingress.yaml
View File

0
bootstrap/traefik-routes/manifests/kargo-transport.yaml → infra/traefik-routes/manifests/kargo-transport.yaml
View File

0
bootstrap/traefik-routes/manifests/middlewares.yaml → infra/traefik-routes/manifests/middlewares.yaml
View File

0
bootstrap/traefik-routes/manifests/namespaces.yaml → infra/traefik-routes/manifests/namespaces.yaml
View File

0
bootstrap/traefik-routes/manifests/tls-store.yaml → infra/traefik-routes/manifests/tls-store.yaml
View File

7
bootstrap/traefik-routes/manifests/traefik-dashboard.yaml → infra/traefik-routes/manifests/traefik-dashboard.yaml
View File

@@ -1,11 +1,8 @@
# Traefik Dashboard IngressRoute (HTTPS access) # Traefik Dashboard IngressRoute
# Named traefik-dashboard-https to avoid conflict with k3s built-in
# Traefik Helm chart which creates its own "traefik-dashboard" IngressRoute
# on the internal "traefik" entrypoint (port 9000).
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: traefik-dashboard-https name: traefik-dashboard
namespace: kube-system namespace: kube-system
spec: spec:
entryPoints: entryPoints:

9
kargo/ci/kustomization.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- project.yaml
- warehouse.yaml
- stages/dev.yaml
- stages/prod.yaml
- verification/runner-health.yaml

6
kargo/ci/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: ci
labels:
kargo.akuity.io/project: "true"

16
kargo/ci/project.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Project
metadata:
name: ci
---
apiVersion: kargo.akuity.io/v1alpha1
kind: ProjectConfig
metadata:
name: ci
namespace: ci
spec:
promotionPolicies:
- stageSelector: { name: dev }
autoPromotionEnabled: true
- stageSelector: { name: prod }
autoPromotionEnabled: true

54
kargo/ci/stages/dev.yaml
View File

@@ -1,54 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
name: dev
namespace: ci
spec:
requestedFreight:
- origin:
kind: Warehouse
name: ci-images
sources:
direct: true
promotionTemplate:
spec:
vars:
- name: gitopsRepo
value: https://github.com/Kargones/deploy-app-kargo-private.git
- name: targetBranch
value: ci/stage/${{ ctx.stage }}
steps:
- uses: git-clone
config:
repoURL: ${{ vars.gitopsRepo }}
checkout:
- branch: main
path: ./src
- branch: ${{ vars.targetBranch }}
create: true
path: ./out
- uses: git-clear
config:
path: ./out
- uses: copy
config:
inPath: ./src/ci
outPath: ./out/ci
- uses: yaml-update
config:
path: ./out/ci/gitea-runner/manifests/runner.yaml
updates:
- key: spec.template.spec.containers.0.image
value: gitea/act_runner:${{ imageFrom("gitea/act_runner").Tag }}
- uses: git-commit
as: commit
config:
path: ./out
message: "promote(ci/${{ ctx.stage }}): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
- uses: git-push
config:
path: ./out
targetBranch: ${{ vars.targetBranch }}
verification:
analysisTemplates:
- name: runner-health

64
kargo/ci/stages/prod.yaml
View File

@@ -1,64 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
name: prod
namespace: ci
spec:
requestedFreight:
- origin:
kind: Warehouse
name: ci-images
sources:
stages:
- dev
promotionTemplate:
spec:
vars:
- name: gitopsRepo
value: https://github.com/Kargones/deploy-app-kargo-private.git
- name: sourceBranch
value: ci/stage/dev
- name: targetBranch
value: ci/stage/prod
steps:
- uses: git-clone
config:
repoURL: ${{ vars.gitopsRepo }}
checkout:
- branch: ${{ vars.sourceBranch }}
path: ./src
- branch: ${{ vars.targetBranch }}
create: true
path: ./out
- uses: git-clear
config:
path: ./out
- uses: copy
config:
inPath: ./src/ci
outPath: ./out/ci
- uses: git-commit
as: commit
config:
path: ./out
message: "promote(ci/prod): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
- uses: git-push
as: push
config:
path: ./out
generateTargetBranch: true
- uses: git-open-pr
as: open-pr
config:
repoURL: ${{ vars.gitopsRepo }}
sourceBranch: ${{ outputs.push.branch }}
targetBranch: ${{ vars.targetBranch }}
createTargetBranch: true
title: "promote(ci/prod): act_runner ${{ imageFrom(\"gitea/act_runner\").Tag }}"
description: |
## Kargo Promotion — CI
**Image:** gitea/act_runner:${{ imageFrom("gitea/act_runner").Tag }}
- uses: git-wait-for-pr
config:
repoURL: ${{ vars.gitopsRepo }}
prNumber: ${{ outputs['open-pr'].pr.id }}

25
kargo/ci/verification/runner-health.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: runner-health
namespace: ci
spec:
metrics:
- name: runner-deployment-exists
provider:
job:
spec:
backoffLimit: 0
template:
spec:
serviceAccountName: kargo-verifier
restartPolicy: Never
containers:
- name: check
image: alpine/k8s:1.35.1
command: ["/bin/sh", "-c"]
args:
- |
echo "Checking gitea-runner deployment..."
kubectl get deployment gitea-runner -n gitea-runner -o jsonpath='{.metadata.name}' && echo " exists" || exit 1
echo "Runner health check passed"

11
kargo/ci/warehouse.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Warehouse
metadata:
name: ci-images
namespace: ci
spec:
subscriptions:
- image:
repoURL: gitea/act_runner
semverConstraint: ">=0.2.0"
discoveryLimit: 5

37
kargo/credentials/dev/git-creds-ci.dev.enc.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: ci
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:swl5u5LpFYVKjZcuWaG+QNWLR02gi9dyXlD2yqkcFLTRpWMD3lvSfA==,iv:pixqI9FQMdQzlvs6Mmhp8DvAbofGby5zHISH3bjLwh4=,tag:PHfTfXN12bHrQCJPFW3xJw==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVc3JLYnBtWFZ6NGRhNjha
WW1xNW1JUFRTc1dXM203bUdPRmRWWGF6R1RBCmExN1N3STUxVGpIZmtDMzZXMWkz
Y2pJUklqM1YyWVlFVVpEQkQ2R0NRUE0KLS0tIDF0cXFYcllWYUlWQStMVU83MEd6
cnJia1lOQ21FTjJ3SkxJSDRFaExrNDAK4zDNcqeJsjZYR+b5qX97n+Asa8riugnL
kPuBWyO/R8XjvuNfMZb9njt6gSgX1u6aGyxL3rHXbNhvdRmmGfZIdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaC9kb3ZIVU5zNitJWWVy
Ump3MFFBTUQwVUhCQ01PVnUxVVhxT1NaWGpNCnVvSUFNVlU3SDNHK3p6Y0pKLy83
eVdlWmRqNHk3ZWNuLzc5ODZXOEN0S0EKLS0tIFRFdDh1cVRxK0dNTEQxallBc01j
RmI5SHF5SE5GRTNudGZ6K3hheVZiZFEKXy6rNacjL40EiukSU/SxeiBUMyWe3EVe
LvyrP+d7GoC6+wix6IglQUTdV6YKjI0oCJOews+5wNveqc2SMMLlcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:14Z"
mac: ENC[AES256_GCM,data:sy/CRatnNB8U7kMFfkqZlrB9Xs0bD7kmHu5EOGJHxtaMAE+Wql7D7yFh78mJuGJk8snmsGP2xK1Pkqcx38HwWUBbw8kqoT6X45NGn99uCT11sMvz/Kyp98PWVc+IFhqwnNyAfd76gvIkKx4CqkXbxCsxdQaw3RMYEArdGWPufrE=,iv:CUJTpRjXAraVTeBFh7Z4fB/Wk4cXdYnBXpRGJETSm2A=,tag:p+W7xx9thkAkA2iPIDuqjg==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

37
kargo/credentials/dev/git-creds-infra.dev.enc.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: infra
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:PYZtFr/Yui75oe0M6Bll8eU2qpGf5IygIHUA6L35s5IHPVxUIrbWcg==,iv:NIODrxhD1mTWxq74NoZWZpC9zQQxL3NYIxxO6lAhp8Q=,tag:tcrF1xcFKZBmWFWr7z7/sg==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMY3BSZUZwVytjYXQ3KzB6
K0JRdnVwTllMNGJYS05vc1c5R01UdzdUN3owCk80TmJ4RnZIMHU1U0FOWEVoUkZa
OVRLVytwMlpPZFRNcS9wdXZKaWlhWncKLS0tIElDZGgwOFdkNCsyUGxEU0tYYjE1
YS9TY09rdXRkRmV4bTVOZFBqeitLazgKZCOAKyuKeRN8X89FOdHaT94phsIAZCwk
bFPckh5jGn1QKVNYdvLmyPAFO55ehsMA/JRl42YdzCsDSifvuufcCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UTlsc1hiRWN3UUVwTzhU
MkZteGhveUsxaFJ0djd4RXpTYjl1S2l3cmlNCi8zRStWVUVPMkJ0ZVBnZDROdEc4
Tk9LOTN5Y3krQXp3Tk9GLzVBVkMrdzQKLS0tIDNkcmpRSkpHMXdvQVZBU3J0UCt0
amFPNEpGbUxZb0luNEpaZlJuWnFkd3cKHs6+l+Kapohsah+Zhoob5DXXchw2C5kc
cl6KK79gbxN4pTTCmWJHfaiXuohRXol3Z1km6QWrEaNC9IGF6nmGJQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:14Z"
mac: ENC[AES256_GCM,data:q+gHiqfdUmeOdaHpuj42fHXnrrHY3elE2cDTqlU9+s3atsnDEERoFx/1qJvqlOCYmvHM4h3wyAQHPB6hIt205RKHQJ13TxTEzGWkgrk5eThAolu4w9Z6Vd7Ni0Sv4dyNtdPlkj1N0907sACCBMUelLIpD6acf8jL9+n6E+xIgsE=,iv:1ZsjWgntw6iHuQZYhSm9KrWs36D6FegsweLHwYmxHQM=,tag://6dNpONbhDQUKbaUT8/gA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

37
kargo/credentials/dev/git-creds-test-env.dev.enc.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: test-env
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:BnToDVLq7wjdMDFL+y+OM6pJlIQibKr9hdLrA4o2hsCDMAxqgGrgdw==,iv:KDJMguvXjehgLfhb9E8Uw3zViT8gLegPGuoQfZsVwvc=,tag:PyZ5CwhnXC71pisaJYBt0Q==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMW1YOE1QRStGVzBtTEo5
Q2lkWWxUeE1wT0t5OE1oSklhYmpaREVBWVdFClJ6NWVEUEtFV3pYanZHejZGbldi
NExoejZUd2ZFS3FMcHZvMUs1R2c3OG8KLS0tIHFOVmtDQ0pBRXBza25qNVNwOEZX
SVZCRWszaG5qS0crc1ZYUmRwMkNlNTAKJqmqt9sZG+zk3zbd9f9zbRtVEAO7soF6
AMFdNc6nrDY9KXOCVRwYn+bbcgWr1Gfzv4PF5Kjzp4ApQ/0aA7wLwQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTT216YjBGNnhFUVExbkdG
YmNONnU0SWp0aHNvd0YzK202K3owa0c1b3prClRYZ2RFeFUrTzhDdFFNbGxnZURu
UEZpY3lVbjZVam5adVJUbThXc0RYUjAKLS0tIG1qR3EzVjlmUE5DREdvbFMxbVRP
UDVSQ3lwcExOS1NwSkZwZk1iaXJacHMKrGWH26/kRCWuBjVLfqqVS4stxW/huyqa
u/QpRmKO0oFrX0u9l6DfHOaVUUgSao1p8nvEDrHKTLe574d8bayyQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:14Z"
mac: ENC[AES256_GCM,data:20Te36BK8FWJ1jiUrMMl7yDhOJwCw/jGpoJbP5t5NjelJDlx9ygC7LtOkgck1FpaNvhsuroJWbOzojpkzRZKLrIUhpoiIaXpliZ3O5aNpHKFbJsf6tJmEY1cy7VaosF40f0RvH3RxWbjr5jWNGSoi5yKBcFZ32aCK6g2ToXpCHs=,iv:eGWVRv1que1NbfqAluy6UP3jLXpTWtDsFPDws3Addjg=,tag:kU/WSR26mDMdOz/i8Edf7w==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

12
kargo/credentials/dev/ksops-generator.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: kargo-git-credentials
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- git-creds-infra.dev.enc.yaml
- git-creds-ci.dev.enc.yaml
- git-creds-test-env.dev.enc.yaml

5
kargo/credentials/dev/kustomization.yaml
View File

@@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ksops-generator.yaml

37
kargo/credentials/prod/git-creds-ci.prod.enc.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: ci
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:tmjqB73hSjvgQy4fhUiJqz4Sclj41PIgYS9TLRly38eGN3CX75CX3Q==,iv:oICPKbWpVposLMLBErRY1s0MkNw8NISAS04iq+MbA6g=,tag:LF2/oRd3S84oA1kWvoQe5Q==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbFZzaFRUTkFZYmNxaGt4
akhoV3J5RW1aYlQ2U3VOaFpnT1Z2TlJhVmtrCkcwM3JBZmNTdWVLdmY5SGtCeUR0
SWxWdW0va2hQZkFnZzhydGJjcEhIRFUKLS0tIE9CTXY0Y0ozWHhLanBzeitnNHUw
c1RzY1grRFVmN09rK2VnY3RsWHhYbDQK+OkyZkNX3GtnQJIPYCgjlgz4aCc5Axow
4oLiPPgo3MKDMz/mDA3MSZFM7dU19Yj613Eg3Y/aqLU/XGLm13RenQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSzYweVY5VW9kMW1PaCsr
UjFuN1l2b0NqZlBBVU9PRFAvblNUanY2dENJClcvcnVEMEJ0aDBYdXZBcDdQSkQ5
Rk1aeTJralZoUU9EazZieC9sVlJuZ0UKLS0tIFNmaVhXVWxxVVRVQXB5b21xcVRr
ZXYxQjMvMmR4enl6VzlObjBkT0pKVDAKC+29tK9WxsYzzzgz8c7ob6Z7I+XseXpB
pHoaft6P/lyLA0reVEHgeWs5VfqQFtLyrfOOx9KKf6hHxpdfhcZ+KA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:14Z"
mac: ENC[AES256_GCM,data:IaDYevGdOT9//dj9HR5XoPcu7wkOe6z1NFhC8KDK6EWZvuAhSix0Rlg21OBpJicszZv3dEgd/pQkGr9i9BFW0T52oClg9bCZQUhd1Kh1VZRtA9VE+bXfdHqgt8+AC9sXS4epeZrRBLHv3swmLYYeokXRYFm9Ffi28y2xWthnywA=,iv:Sqdg7HySRrBuXJleJi/2kXrCSlQUh3zJ1I6lVIvgqa0=,tag:35u7xo34avuPK/TrHtbdJg==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

37
kargo/credentials/prod/git-creds-infra.prod.enc.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: infra
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:iKCAh7QI2+aCk+91Z7EepDZgVAVqwG/+Wg2ywEtg2eyQN4iR2z6QXQ==,iv:1GtbHc7lgi5LI3+WuD2LMG6sFjPR1tfYmrHYOkSiUJs=,tag:oxMmtgOJgbaNRdvzqmtIgQ==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZ1lzYWJ6ekl1Rk1wcnZH
YnRpdzVtRTkrZFNQWTBab0NncHlyb04wYlc4CnJSUEs5OW9kZ1JBZ0FOTWZuTzRl
Z2NCd2tHaVRJVFhqdXlTNjZwa1V2Q0kKLS0tIHRkS1FmMW5kTWw1azY1NC9iYXY0
R2g4V0JyYzcySG5GNEVMaWZ1c3hpZDAKfJLwr81KsZmYmjfGov8z/GVhBZCQrLq5
cfG3vgEGm90g4tOzyo6lwfy84ZRjymcyucGn3AwSLW9/UlxQT4PsKw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUTVtMkNpekNDU1FiaEEr
cmI2RGo2L2VNeUZjUVVBYnVyaFhVczRTUWpBClAxV3AwSS9Tc2JJK2FwelFVck5i
OXVud3locysybUhaNm9RMGN3RkViUTgKLS0tIDh0SjQ3alhjQjR2QmZWdjVrSzVt
c0JTZnVNSk5ERUNXVDRNc2E4d3JLR2sKjyidz2xqy61sJ26sELHansCcAPN+x9VS
j6vSt/0CPPADzaVzsvHiVY6gWoDI5EtdYeUFPUw8cSBc+eT/846lyQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:14Z"
mac: ENC[AES256_GCM,data:ZGN9t/KEMATRH4YWbnxe39lJyKyCbEEADQLk2Sj+jPY9LF6yZq2ixRaB9mMKzrz4MLq+eghzZoWeCD0MaqjtcaNTSP7tiVL7PCFZMXT7IPYbMDbeLEPiLYg4gNb0lim6bHcQH2R5N6ZA//1+cLEdJVJ0gH8YHfIxOKzvGT3fBCk=,iv:qE2Z+q5Znbo+Wv040TuBJuvU/N2dFKb64LYHyfUSKhA=,tag:l3h7cwlM/jmuGlCPo9gm8A==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

37
kargo/credentials/prod/git-creds-test-env.prod.enc.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: github-creds
namespace: test-env
labels:
kargo.akuity.io/cred-type: git
type: Opaque
stringData:
repoURL: https://github.com/Kargones/deploy-app-kargo-private.git
username: Kargones
password: ENC[AES256_GCM,data:bni/9XNGoW9KwzL3ovyu/BDcdv5dgKo6vDoZUVSebueX60SJwnc+CA==,iv:ef3MR/6a6VRzanDMfl7H9PygSHV7HGqp0OkeY/Yv27Q=,tag:D4OWKTbj5HB+TURvJAEfbg==,type:str]
sops:
age:
- recipient: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TS92bXkwRGZaK0s4OHdE
Y25rMFRyK2FLeUJ1c0gwWlVQdm1OMDl5eUdrCmxQZ01vb2NwVXBoWXpJMzJ6VS9N
eTBKbjdQUmdIclFObmpqVW9qb2RUcWcKLS0tIDVjN2lTSWJ4ZVQwazZObThJRVhI
czJib0UzS0ZuOE9uaVpOclQ3cEI3cjQKnrqviLM7T5OEqhtT0rhSZ86vtr88gAtw
je4yt20hcATuKLKnjIorFtXR6tww1zW92LiORP2VTiYC25IuHv4ccA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZDhDdVBQS3hsTDZVdi9G
dzk3SFpzT0NVdzhUcTB6bm16YlRhSjFNa1h3CllFR1hxdDNZc1JZMERtTlIxY1R3
dUtmRGlranY3eFFWTWU0VFVBMkRyREEKLS0tIEFNWG1wZG9SWkJCTGkxNUQwaU05
UFcwbGhuVXI0Q3d0VWpqM09KaWFGZkkKOfVRoQqOKWVPsvcnRrCLAUfvXZje2zrw
EQ5CeyjoZL9lxzuWMxoe71e1lzo1ecwV4Wdu4G54wSuzhxA9vwpSTg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:08:14Z"
mac: ENC[AES256_GCM,data:mc59PsRuw1JnjMxFR/y37oOJmnoojpFd8hEKounvA/lMf1rBvUAcQ6sYK+qajBHvtnzlCuMpuetxYY1v2djfRrp4GhwQotmSpAb2fqO1kz1JEqHkFeZ2ZeBtnytVf9I95VAeU/zJV1X2TrUW14ZmOvowtdRYFkSdY6Z3/Hs9vic=,iv:DlsN9rmiEq/2xBQS/LghBoVQcT+7XfSJJ7r5rKhTB/k=,tag:cuLvv4e7r25mjVCGrQZYNA==,type:str]
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
mac_only_encrypted: true
version: 3.12.1

12
kargo/credentials/prod/ksops-generator.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: kargo-git-credentials
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- git-creds-infra.prod.enc.yaml
- git-creds-ci.prod.enc.yaml
- git-creds-test-env.prod.enc.yaml

5
kargo/credentials/prod/kustomization.yaml
View File

@@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ksops-generator.yaml

12
kargo/infra/kustomization.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- project.yaml
- warehouse.yaml
- stages/dev.yaml
- stages/test.yaml
- stages/prod.yaml
- verification/rbac.yaml
- verification/dev-health-check.yaml
- verification/prod-health-check.yaml

6
kargo/infra/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: infra
labels:
kargo.akuity.io/project: "true"

18
kargo/infra/project.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Project
metadata:
name: infra
---
apiVersion: kargo.akuity.io/v1alpha1
kind: ProjectConfig
metadata:
name: infra
namespace: infra
spec:
promotionPolicies:
- stageSelector: { name: dev }
autoPromotionEnabled: true
- stageSelector: { name: test }
autoPromotionEnabled: true
- stageSelector: { name: prod }
autoPromotionEnabled: true # creates PR, not direct push

55
kargo/infra/stages/dev.yaml
View File

@@ -1,55 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
name: dev
namespace: infra
spec:
requestedFreight:
- origin:
kind: Warehouse
name: infra-charts
sources:
direct: true
promotionTemplate:
spec:
vars:
- name: gitopsRepo
value: https://github.com/Kargones/deploy-app-kargo-private.git
- name: targetBranch
value: infra/stage/${{ ctx.stage }}
steps:
- uses: git-clone
config:
repoURL: ${{ vars.gitopsRepo }}
checkout:
- branch: main
path: ./src
- branch: ${{ vars.targetBranch }}
create: true
path: ./out
- uses: git-clear
config:
path: ./out
- uses: yaml-update
as: update-gitea
config:
path: ./src/infra/gitea/config.yaml
updates:
- key: source.targetRevision
value: ${{ chartFrom("https://dl.gitea.com/charts", "gitea").Version }}
- uses: copy
config:
inPath: ./src/infra
outPath: ./out/infra
- uses: git-commit
as: commit
config:
path: ./out
message: "promote(infra/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
- uses: git-push
config:
path: ./out
targetBranch: ${{ vars.targetBranch }}
verification:
analysisTemplates:
- name: dev-health-check

76
kargo/infra/stages/prod.yaml
View File

@@ -1,76 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
name: prod
namespace: infra
spec:
requestedFreight:
- origin:
kind: Warehouse
name: infra-charts
sources:
stages:
- test
promotionTemplate:
spec:
vars:
- name: gitopsRepo
value: https://github.com/Kargones/deploy-app-kargo-private.git
- name: sourceBranch
value: infra/stage/test
- name: targetBranch
value: infra/stage/prod
steps:
- uses: git-clone
config:
repoURL: ${{ vars.gitopsRepo }}
checkout:
- branch: ${{ vars.sourceBranch }}
path: ./src
- branch: ${{ vars.targetBranch }}
create: true
path: ./out
- uses: git-clear
config:
path: ./out
- uses: copy
config:
inPath: ./src/infra
outPath: ./out/infra
- uses: git-commit
as: commit
config:
path: ./out
message: "promote(infra/prod): freight ${{ ctx.targetFreight.name }}"
- uses: git-push
as: push
config:
path: ./out
generateTargetBranch: true
- uses: git-open-pr
as: open-pr
config:
repoURL: ${{ vars.gitopsRepo }}
sourceBranch: ${{ outputs.push.branch }}
targetBranch: ${{ vars.targetBranch }}
title: "promote(infra/prod): ${{ ctx.targetFreight.name }}"
description: |
## Kargo Promotion
**Freight:** ${{ ctx.targetFreight.name }}
**Project:** infra
**Stage:** prod
## Verified in
- ✅ dev (pod-health)
- ✅ test (pod-health)
## Review
Check the diff below for version changes.
Verify changelogs before merging.
- uses: git-wait-for-pr
config:
repoURL: ${{ vars.gitopsRepo }}
prNumber: ${{ outputs['open-pr'].pr.id }}
verification:
analysisTemplates:
- name: prod-health-check

51
kargo/infra/stages/test.yaml
View File

@@ -1,51 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
name: test
namespace: infra
spec:
requestedFreight:
- origin:
kind: Warehouse
name: infra-charts
sources:
stages:
- dev
promotionTemplate:
spec:
vars:
- name: gitopsRepo
value: https://github.com/Kargones/deploy-app-kargo-private.git
- name: sourceBranch
value: infra/stage/dev
- name: targetBranch
value: infra/stage/${{ ctx.stage }}
steps:
- uses: git-clone
config:
repoURL: ${{ vars.gitopsRepo }}
checkout:
- branch: ${{ vars.sourceBranch }}
path: ./src
- branch: ${{ vars.targetBranch }}
create: true
path: ./out
- uses: git-clear
config:
path: ./out
- uses: copy
config:
inPath: ./src/infra
outPath: ./out/infra
- uses: git-commit
as: commit
config:
path: ./out
message: "promote(infra/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
- uses: git-push
config:
path: ./out
targetBranch: ${{ vars.targetBranch }}
verification:
analysisTemplates:
- name: dev-health-check

37
kargo/infra/verification/dev-health-check.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: dev-health-check
namespace: infra
spec:
metrics:
- name: pod-health
successCondition: result == "healthy"
provider:
job:
spec:
template:
spec:
serviceAccountName: kargo-verifier
containers:
- name: check
image: alpine/k8s:1.35.1
command: [sh, -c]
args:
- |
set -e
echo "Checking pod health..."
cm=$(kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -c Running || echo 0)
echo "cert-manager running pods: $cm"
ar=$(kubectl get pods -n argo-rollouts --no-headers 2>/dev/null | grep -c Running || echo 0)
echo "argo-rollouts running pods: $ar"
gt=$(kubectl get pods -n gitea --no-headers 2>/dev/null | grep -c Running || echo 0)
echo "gitea running pods: $gt"
if [ "$cm" -ge 1 ] && [ "$ar" -ge 1 ] && [ "$gt" -ge 1 ]; then
echo "healthy"
else
echo "unhealthy"
exit 1
fi
restartPolicy: Never
backoffLimit: 2

37
kargo/infra/verification/prod-health-check.yaml
View File

@@ -1,37 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
name: prod-health-check
namespace: infra
spec:
metrics:
- name: pod-health
successCondition: result == "healthy"
provider:
job:
spec:
template:
spec:
serviceAccountName: kargo-verifier
containers:
- name: check
image: alpine/k8s:1.35.1
command: [sh, -c]
args:
- |
set -e
echo "Checking pod health..."
cm=$(kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -c Running || echo 0)
echo "cert-manager running pods: $cm"
ar=$(kubectl get pods -n argo-rollouts --no-headers 2>/dev/null | grep -c Running || echo 0)
echo "argo-rollouts running pods: $ar"
gt=$(kubectl get pods -n gitea --no-headers 2>/dev/null | grep -c Running || echo 0)
echo "gitea running pods: $gt"
if [ "$cm" -ge 1 ] && [ "$ar" -ge 1 ] && [ "$gt" -ge 1 ]; then
echo "healthy"
else
echo "unhealthy"
exit 1
fi
restartPolicy: Never
backoffLimit: 2

27
kargo/infra/verification/rbac.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kargo-verifier
namespace: infra
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kargo-verifier-infra
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kargo-verifier-infra
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kargo-verifier-infra
subjects:
- kind: ServiceAccount
name: kargo-verifier
namespace: infra

12
kargo/infra/warehouse.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Warehouse
metadata:
name: infra-charts
namespace: infra
spec:
subscriptions:
- chart:
repoURL: https://dl.gitea.com/charts
name: gitea
semverConstraint: ">=10.6.0"
discoveryLimit: 5

7
kargo/test-env/kustomization.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- project.yaml
- warehouse.yaml
- stages/dev.yaml

6
kargo/test-env/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-env
labels:
kargo.akuity.io/project: "true"

14
kargo/test-env/project.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Project
metadata:
name: test-env
---
apiVersion: kargo.akuity.io/v1alpha1
kind: ProjectConfig
metadata:
name: test-env
namespace: test-env
spec:
promotionPolicies:
- stageSelector: { name: dev }
autoPromotionEnabled: true

45
kargo/test-env/stages/dev.yaml
View File

@@ -1,45 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
name: dev
namespace: test-env
spec:
requestedFreight:
- origin:
kind: Warehouse
name: test-env-images
sources:
direct: true
promotionTemplate:
spec:
vars:
- name: gitopsRepo
value: https://github.com/Kargones/deploy-app-kargo-private.git
- name: targetBranch
value: test-env/stage/${{ ctx.stage }}
steps:
- uses: git-clone
config:
repoURL: ${{ vars.gitopsRepo }}
checkout:
- branch: main
path: ./src
- branch: ${{ vars.targetBranch }}
create: true
path: ./out
- uses: git-clear
config:
path: ./out
- uses: copy
config:
inPath: ./src/test-env
outPath: ./out/test-env
- uses: git-commit
as: commit
config:
path: ./out
message: "promote(test-env/${{ ctx.stage }}): freight ${{ ctx.targetFreight.name }}"
- uses: git-push
config:
path: ./out
targetBranch: ${{ vars.targetBranch }}

14
kargo/test-env/warehouse.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: kargo.akuity.io/v1alpha1
kind: Warehouse
metadata:
name: test-env-images
namespace: test-env
spec:
# Placeholder: no subscriptions yet.
# When test services are added, subscribe to their container images here.
subscriptions:
- chart:
repoURL: https://dl.gitea.com/charts
name: gitea
semverConstraint: ">=0.0.1"
discoveryLimit: 1

10
test-env/config.yaml
View File

@@ -1,10 +0,0 @@
{
"name": "test-env",
"namespace": "test-env",
"step": "6",
"source": {
"repoURL": "https://github.com/Kargones/deploy-app-kargo-private.git",
"path": "test-env",
"targetRevision": "main"
}
}

24
test-env/gitea-runner/configmap.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: test-env-runner-config
namespace: test-env
data:
config.yaml: |
log:
level: info
runner:
file: .runner
capacity: 1
timeout: 3h
labels:
- "edt:docker://benadis/ar-edt-slim:latest"
- "ubuntu-latest:docker://node:20-bullseye"
cache:
enabled: true
dir: ""
container:
network: ""
privileged: false
options:
workdir_parent:

161
test-env/gitea-runner/deployment.yaml
View File

@@ -1,161 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-env-runner
namespace: test-env
labels:
app: test-env-runner
spec:
replicas: 1
selector:
matchLabels:
app: test-env-runner
template:
metadata:
labels:
app: test-env-runner
spec:
serviceAccountName: runner-registrar
initContainers:
# Obtain registration token from Gitea API once, write to shared volume.
# Uses the same token if .runner file already exists (idempotent).
- name: register
image: alpine/k8s:1.35.1
command:
- sh
- -c
- |
set -e
# If already registered, skip
if [ -f /data/.runner ]; then
echo "Runner already registered, skipping."
exit 0
fi
# Get Gitea admin credentials
USER=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.username}' | base64 -d)
PASS=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.password}' | base64 -d)
# Resolve Gitea pod IP (headless service)
GITEA_POD_IP=$(kubectl -n gitea get pod -l app.kubernetes.io/name=gitea \
-o jsonpath='{.items[0].status.podIP}')
GITEA_URL="http://${GITEA_POD_IP}:3000"
# Wait for Gitea API
for i in $(seq 1 30); do
if curl -sf "$GITEA_URL/api/v1/version" > /dev/null 2>&1; then
break
fi
echo "Waiting for Gitea API... ($i/30)"
sleep 5
done
# Get registration token
TOKEN=$(curl -sf -X POST -u "$USER:$PASS" \
"$GITEA_URL/api/v1/user/actions/runners/registration-token" \
| sed 's/.*"token":"\([^"]*\)".*/\1/')
if [ -z "$TOKEN" ]; then
echo "ERROR: Failed to get registration token"
exit 1
fi
echo "Got token: ${TOKEN:0:8}..."
# Write token for the runner container
echo "$TOKEN" > /data/.registration-token
echo "$GITEA_URL" > /data/.gitea-url
echo "Token saved to /data/.registration-token"
volumeMounts:
- name: data
mountPath: /data
containers:
# Docker-in-Docker sidecar (required for act_runner to execute workflows)
- name: dind
image: docker:27-dind
securityContext:
privileged: true
env:
- name: DOCKER_TLS_CERTDIR
value: ""
volumeMounts:
- name: docker-socket
mountPath: /var/run
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: "2"
memory: 2Gi
- name: runner
image: gitea/act_runner:0.2.11
command:
- sh
- -c
- |
# Wait for Docker daemon
echo "Waiting for Docker daemon..."
for i in $(seq 1 30); do
if docker info > /dev/null 2>&1; then
echo "Docker daemon is ready"
break
fi
sleep 2
done
# Register if not yet registered
if [ ! -f /data/.runner ] && [ -f /data/.registration-token ]; then
TOKEN=$(cat /data/.registration-token)
GITEA_URL=$(cat /data/.gitea-url)
echo "Registering runner at $GITEA_URL..."
act_runner register --no-interactive \
--instance "$GITEA_URL" \
--token "$TOKEN" \
--name "test-env-runner" \
--labels "edt:docker://benadis/ar-edt-slim:latest,ubuntu-latest:docker://node:20-bullseye"
fi
# Start daemon
exec act_runner daemon
env:
- name: DOCKER_HOST
value: "unix:///var/run/docker.sock"
- name: GITEA_INSTANCE_URL
value: "http://gitea-http.gitea.svc.cluster.local:3000"
volumeMounts:
- name: docker-socket
mountPath: /var/run
- name: config
mountPath: /config
readOnly: true
- name: data
mountPath: /data
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "2"
memory: 2Gi
volumes:
- name: docker-socket
emptyDir: {}
- name: config
configMap:
name: test-env-runner-config
- name: data
persistentVolumeClaim:
claimName: runner-data
---
# PVC for runner data — persists .runner registration across pod restarts
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: runner-data
namespace: test-env
spec:
storageClassName: local-path
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi

34
test-env/gitea-runner/rbac.yaml
View File

@@ -1,34 +0,0 @@
# RBAC for runner registration initContainer
# Allows reading gitea-admin secret and listing pods in gitea namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: runner-registrar
namespace: test-env
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: test-env-gitea-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["gitea-admin"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: test-env-gitea-reader
subjects:
- kind: ServiceAccount
name: runner-registrar
namespace: test-env
roleRef:
kind: ClusterRole
name: test-env-gitea-reader
apiGroup: rbac.authorization.k8s.io

18
test-env/kustomization.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# NOTE: namespace.yaml removed — ArgoCD creates namespace via syncOptions.CreateNamespace
# The namespace is shared with kargo-test-env-pipeline app.
# PostgreSQL 18.x-2.1C (image has built-in 1C entrypoint)
- postgres/statefulset.yaml
- postgres/service.yaml
# 1C:Enterprise server (ragent + crserver + ras)
- onec-server/statefulset.yaml
- onec-server/service.yaml
- onec-server/service-nodeport.yaml
- onec-server/configmap.yaml
# Gitea Actions runner (for apk-ci-ng workflows)
- gitea-runner/deployment.yaml
- gitea-runner/configmap.yaml
- gitea-runner/rbac.yaml

7
test-env/namespace.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-env
labels:
name: test-env
environment: dev

48
test-env/onec-server/configmap.yaml
View File

@@ -1,48 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: onec-config
namespace: test-env
data:
# HASP license server configuration
# Points to external license server for 1C client mode
nethasp.ini: |
[NH_COMMON]
NH_TCPIP = Enabled
[NH_TCPIP]
NH_SERVER_ADDR = 89.110.88.209
NH_PORT_NUMBER = 475
# 1C server entrypoint: starts ragent, crserver, ras, sshd
# Based on docker-compose env service from tester.benadis.org
entrypoint.sh: |
#!/bin/bash
set -e
ONEC_BASE="/opt/1cv8/x86_64"
# Auto-detect 1C version directory
ONEC_VER=$(ls -1 "$ONEC_BASE" | sort -V | tail -1)
ONEC_BIN="$ONEC_BASE/$ONEC_VER"
echo "=== Starting 1C:Enterprise $ONEC_VER ==="
mkdir -p /data/srv1c /data/storage
# Start ragent (cluster manager) — port 1540
$ONEC_BIN/ragent -port 1540 -regport 1541 -range 1560:1591 -d /data/srv1c &
# Start crserver (configuration repository server) — port 1542
$ONEC_BIN/crserver -port 1542 -d /data/storage &
# Wait for ragent to start, then launch RAS
sleep 3
$ONEC_BIN/ras cluster --port 1545 &
# Start SSH daemon if available
if [ -x /usr/sbin/sshd ]; then
/usr/sbin/sshd 2>/dev/null || true
fi
echo "Test environment ready (ragent:1540, crserver:1542, ras:1545)"
exec tail -f /dev/null

34
test-env/onec-server/service-nodeport.yaml
View File

@@ -1,34 +0,0 @@
# NodePort service for external access to 1C server
# Accessed via SSH tunnels from connect-multi.ps1
apiVersion: v1
kind: Service
metadata:
name: onec-nodeport
namespace: test-env
labels:
app: onec-server
spec:
type: NodePort
selector:
app: onec-server
ports:
- name: ragent
port: 1540
targetPort: 1540
nodePort: 31540
protocol: TCP
- name: regport
port: 1541
targetPort: 1541
nodePort: 31541
protocol: TCP
- name: crserver
port: 1542
targetPort: 1542
nodePort: 31542
protocol: TCP
- name: ras
port: 1545
targetPort: 1545
nodePort: 31545
protocol: TCP

28
test-env/onec-server/service.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: onec-server
namespace: test-env
labels:
app: onec-server
spec:
type: ClusterIP
selector:
app: onec-server
ports:
- name: ragent
port: 1540
targetPort: 1540
protocol: TCP
- name: regport
port: 1541
targetPort: 1541
protocol: TCP
- name: crserver
port: 1542
targetPort: 1542
protocol: TCP
- name: ras
port: 1545
targetPort: 1545
protocol: TCP

107
test-env/onec-server/statefulset.yaml
View File

@@ -1,107 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: onec-server
namespace: test-env
labels:
app: onec-server
spec:
serviceName: onec-server
replicas: 1
selector:
matchLabels:
app: onec-server
template:
metadata:
labels:
app: onec-server
spec:
# Stable hostname for 1C community license (tied to hostname, not hardware)
hostname: test-env-0
containers:
- name: onec
image: benadis/ar-edt:6.2.27.1
command: ["/scripts/entrypoint.sh"]
env:
- name: LANG
value: "ru_RU.UTF-8"
- name: LC_ALL
value: "ru_RU.UTF-8"
- name: TZ
value: "Europe/Moscow"
- name: PGHOST
value: "postgres.test-env.svc.cluster.local"
- name: PGPORT
value: "5432"
- name: PGUSER
value: "usr1cv8"
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: test-env-secrets
key: pg-password
ports:
- name: ragent
containerPort: 1540
protocol: TCP
- name: regport
containerPort: 1541
protocol: TCP
- name: crserver
containerPort: 1542
protocol: TCP
- name: ras
containerPort: 1545
protocol: TCP
volumeMounts:
- name: onec-data
mountPath: /data
- name: onec-scripts
mountPath: /scripts
readOnly: true
- name: onec-nethasp
mountPath: /opt/1cv8/conf/nethasp.ini
subPath: nethasp.ini
readOnly: true
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: "4"
memory: 4Gi
readinessProbe:
exec:
command: ["sh", "-c", "pgrep ragent && pgrep crserver"]
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
exec:
command: ["sh", "-c", "pgrep ragent"]
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
volumes:
- name: onec-scripts
configMap:
name: onec-config
items:
- key: entrypoint.sh
path: entrypoint.sh
mode: 0755
- name: onec-nethasp
configMap:
name: onec-config
items:
- key: nethasp.ini
path: nethasp.ini
volumeClaimTemplates:
- metadata:
name: onec-data
spec:
storageClassName: local-path
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi

10
test-env/postgres/configmap.yaml
View File

@@ -1,10 +0,0 @@
# PostgreSQL ConfigMap
# The benadis/pg-1c image has a built-in entrypoint that:
# 1. Configures postgresql.conf with 1C optimizations on first run
# 2. Sets pg_hba.conf for network access
# 3. Creates usr1cv8 superuser
# 4. Starts PostgreSQL
#
# No additional configuration needed — all settings are baked into the image.
# This file is kept as documentation placeholder.
# If custom settings are needed in the future, mount them via ConfigMap.

16
test-env/postgres/service.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: postgres
namespace: test-env
labels:
app: test-pg
spec:
type: ClusterIP
selector:
app: test-pg
ports:
- name: postgres
port: 5432
targetPort: 5432
protocol: TCP

104
test-env/postgres/statefulset.yaml
View File

@@ -1,104 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: test-pg
namespace: test-env
labels:
app: test-pg
spec:
serviceName: postgres
replicas: 1
selector:
matchLabels:
app: test-pg
template:
metadata:
labels:
app: test-pg
spec:
initContainers:
# On first run the PVC is empty — copy the pre-built PG cluster
# from the image so the main entrypoint can configure and start it.
- name: init-pgdata
image: benadis/pg-1c:18.1-2.1C
command:
- sh
- -c
- |
if [ ! -d /data/18/main ]; then
echo "Initializing PG data from image..."
cp -a /var/lib/postgresql/. /data/
echo "Done."
else
echo "PG data already exists, skipping init."
fi
volumeMounts:
- name: pg-data
mountPath: /data
containers:
- name: postgres
image: benadis/pg-1c:18.1-2.1C
# Override entrypoint to handle "role already exists" on PVC reuse.
# The image entrypoint uses `set -e` + CREATE USER without IF NOT EXISTS,
# causing crash when PVC already has the user from a previous init.
command:
- bash
- -c
- |
# Patch entrypoint: make CREATE USER idempotent.
# Image entrypoint uses `set -e` + bare CREATE USER which fails
# when PVC is reused and the role already exists.
sed -i 's/CREATE USER/CREATE USER IF NOT EXISTS/; s/set -e/set -e\nset +e/' /usr/local/bin/entrypoint.sh 2>/dev/null || true
exec /usr/local/bin/entrypoint.sh postgres
env:
- name: LANG
value: "ru_RU.UTF-8"
- name: LC_ALL
value: "ru_RU.UTF-8"
- name: TZ
value: "Europe/Moscow"
ports:
- name: postgres
containerPort: 5432
protocol: TCP
volumeMounts:
- name: pg-data
mountPath: /var/lib/postgresql
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: "2"
memory: 4Gi
readinessProbe:
exec:
command:
- su
- "-"
- postgres
- "-c"
- "/usr/lib/postgresql/18/bin/pg_isready"
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
exec:
command:
- su
- "-"
- postgres
- "-c"
- "/usr/lib/postgresql/18/bin/pg_isready"
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 5
volumeClaimTemplates:
- metadata:
name: pg-data
spec:
storageClassName: local-path
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 20Gi

22
test-env/secrets/placeholder.yaml
View File

@@ -1,22 +0,0 @@
# Placeholder for SOPS-encrypted secrets
# Actual secrets will be encrypted with: sops --encrypt --age <admin-key>,<dev-key>
#
# Required secrets (create as test-env-secrets):
# pg-password: password for PostgreSQL usr1cv8 user
#
# Required secrets (create as test-env-runner-token):
# token: Gitea Actions runner registration token
#
# Example (before encryption):
# apiVersion: v1
# kind: Secret
# metadata:
# name: test-env-secrets
# namespace: test-env
# type: Opaque
# stringData:
# pg-password: "usr1cv8"
#
# For now, create secrets manually in the cluster:
# kubectl -n test-env create secret generic test-env-secrets --from-literal=pg-password=usr1cv8
# kubectl -n test-env create secret generic test-env-runner-token --from-literal=token=<TOKEN>