4dd68859d8
- .sops.yaml with 3 age keys (admin, dev, prod) - infra/gitea/values/*.enc.yaml — per-env encrypted Helm values - infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets - kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops) - infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops - All repoURLs point to deploy-app-kargo-private Structure from deploy-app-kargo (reference), adapted for SOPS workflow
25 lines
824 B
Markdown
25 lines
824 B
Markdown
# deploy-app-kargo-private
|
|
|
|
Private ArgoCD ApplicationSet repository with SOPS-encrypted secrets.
|
|
|
|
## Structure
|
|
|
|
- `infra/` — Infrastructure apps (cert-manager, gitea, kargo, etc.)
|
|
- `ci/` — CI apps (gitea-runner, etc.)
|
|
- `kargo/` — Kargo pipeline definitions + encrypted credentials
|
|
- `.sops.yaml` — SOPS encryption rules (3 age keys: admin, dev, prod)
|
|
|
|
## Encryption
|
|
|
|
Secrets in `*.enc.yaml` files are encrypted with SOPS + age:
|
|
- `*.dev.enc.yaml` — decryptable by admin + dev keys
|
|
- `*.prod.enc.yaml` — decryptable by admin + prod keys
|
|
- `*.shared.enc.yaml` — decryptable by all three keys
|
|
|
|
## Branches
|
|
|
|
- `main` — source of truth
|
|
- `infra/stage/dev` — dev cluster (Kargo promotion)
|
|
- `infra/stage/test` — test stage (Kargo verification)
|
|
- `infra/stage/prod` — prod cluster (Kargo promotion via PR)
|