# deploy-app-kargo-private

Private ArgoCD ApplicationSet repository with SOPS-encrypted secrets.

## Structure

- `infra/` — Infrastructure apps (cert-manager, gitea, kargo, etc.)
- `ci/` — CI apps (gitea-runner, etc.)
- `kargo/` — Kargo pipeline definitions + encrypted credentials
- `.sops.yaml` — SOPS encryption rules (3 age keys: admin, dev, prod)

## Encryption

Secrets in `*.enc.yaml` files are encrypted with SOPS + age:

- `*.dev.enc.yaml` — decryptable by admin + dev keys
- `*.prod.enc.yaml` — decryptable by admin + prod keys
- `*.shared.enc.yaml` — decryptable by all three keys

## Branches

- `main` — source of truth
- `infra/stage/dev` — dev cluster (Kargo promotion)
- `infra/stage/test` — test stage (Kargo verification)
- `infra/stage/prod` — prod cluster (Kargo promotion via PR)
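
The recipient rules listed under Encryption can be checked in CI by reading the age recipients that SOPS records in each file's `sops:` metadata block. The script below is an added example, not part of this repository; the age public keys are placeholders and the file names are hypothetical.

```python
import re

# Placeholder age public keys (constructed); real values come from .sops.yaml.
KEYS = {"admin": "age1admin-placeholder",
        "dev": "age1dev-placeholder",
        "prod": "age1prod-placeholder"}

# Filename suffix -> key names that may decrypt, as listed under "Encryption".
POLICY = {".dev.enc.yaml": {"admin", "dev"},
          ".prod.enc.yaml": {"admin", "prod"},
          ".shared.enc.yaml": {"admin", "dev", "prod"}}

RECIPIENT_RE = re.compile(r"^[ \t]*-?[ \t]*recipient:[ \t]*(\S+)[ \t]*$", re.M)


def check_file(name, text):
    """Return the policy violations for one SOPS-encrypted YAML file."""
    suffix = next((s for s in POLICY if name.endswith(s)), None)
    if suffix is None:
        return [f"{name}: no recipient rule matches this file name"]
    # Only read the top-level sops: metadata block, so an encrypted data key
    # that happens to be called "recipient" is not mistaken for an age key.
    meta = ("\n" + text).partition("\nsops:")[2]
    actual = set(RECIPIENT_RE.findall(meta))
    if not actual:
        return [f"{name}: no age recipients found (file may be plaintext)"]
    expected = {KEYS[k] for k in POLICY[suffix]}
    return ([f"{name}: unexpected recipient {r}" for r in sorted(actual - expected)]
            + [f"{name}: missing recipient {r}" for r in sorted(expected - actual)])


def sample(*key_names):
    """Build constructed SOPS-style YAML encrypted to the given key names."""
    body = "password: ENC[AES256_GCM,data:constructed,type:str]\nsops:\n    age:\n"
    for k in key_names:
        body += f"        - recipient: {KEYS[k]}\n          enc: (elided)\n"
    return body


if __name__ == "__main__":
    # Hypothetical file names; in CI, read every tracked *.enc.yaml instead.
    files = {"kargo/creds.dev.enc.yaml": sample("admin", "dev"),
             "kargo/creds.prod.enc.yaml": sample("admin", "dev"),  # wrong keys
             "kargo/creds.shared.enc.yaml": "password: hunter2\n"}
    for name, text in files.items():
        for problem in check_file(name, text) or [f"{name}: ok"]:
            print(problem)
```

A non-empty result from `check_file` should fail the pipeline: it means a file was encrypted outside the matching `.sops.yaml` rule, or committed without encryption.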