# SOPS configuration for deploy-app-kargo-private
# Zero Trust key model: dev cannot decrypt prod, prod cannot decrypt dev.
# Test secrets accessible to both dev and prod.
#
# Keys:
#   admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7  (master, backup/audit)
#   dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g  (dev cluster only)
#   test:  age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33  (shared test environment)
#   prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk  (prod cluster only)
#
# Trust model:
#   *.dev.enc.yaml  → admin + dev           (ONLY dev-admin can decrypt)
#   *.test.enc.yaml → admin + dev + test + prod (everyone can decrypt)
#   *.prod.enc.yaml → admin + prod          (ONLY prod-admin can decrypt)
#   *.shared.enc.yaml → admin + dev + prod  (legacy, both can decrypt)
#
# mac_only_encrypted: true — allows adding new YAML keys/structure without
# having the decryption key. MAC is computed only over encrypted values.
# This enables dev to add fields to *.prod.enc.yaml without decrypting them.
# Requires SOPS >= 3.9.0.

creation_rules:
  # Dev-specific secrets — ONLY admin + dev can decrypt
  - path_regex: \.dev\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
    mac_only_encrypted: true
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g

  # Test secrets — all keys can decrypt (shared test environment)
  - path_regex: \.test\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
    mac_only_encrypted: true
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
      age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33,
      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk

  # Prod-specific secrets — ONLY admin + prod can decrypt
  - path_regex: \.prod\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
    mac_only_encrypted: true
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk

  # Shared secrets (legacy, both clusters) — admin + dev + prod
  - path_regex: \.shared\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
    mac_only_encrypted: true
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk