# SOPS configuration for deploy-app-kargo-private
# Three age keys: admin (all access), dev (dev/test cluster), prod (prod cluster)
#
# admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7
# dev:   age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
# prod:  age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk

creation_rules:
  # Prod-specific secrets — admin + prod only
  - path_regex: \.prod\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk

  # Dev-specific secrets — admin + dev only
  - path_regex: \.dev\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g

  # Shared secrets (e.g. kargo credentials) — all three keys
  - path_regex: \.shared\.enc\.yaml$
    encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
    age: >-
      age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
      age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
      age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk