42cb7ac5bf
- Add test-key (age1wtzdf8...) for shared test environment - Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0) Allows adding new YAML fields without decryption key - Re-encrypt all 10 files with mac_only_encrypted metadata - Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml - test-key can only decrypt *.test.enc.yaml (not dev/prod) - Add dev/verify-sops-isolation.sh — 33-point verification script - Keep dev/prod files with admin+dev / admin+prod only (no test-key) Verified: 33/33 isolation checks passed Co-authored-by: XoR <xor@benadis.ru>
deploy-app-kargo-private
Private ArgoCD ApplicationSet repository with SOPS-encrypted secrets.
Structure
infra/— Infrastructure apps (cert-manager, gitea, kargo, etc.)ci/— CI apps (gitea-runner, etc.)kargo/— Kargo pipeline definitions + encrypted credentials.sops.yaml— SOPS encryption rules (3 age keys: admin, dev, prod)
Encryption
Secrets in *.enc.yaml files are encrypted with SOPS + age:
*.dev.enc.yaml— decryptable by admin + dev keys*.prod.enc.yaml— decryptable by admin + prod keys*.shared.enc.yaml— decryptable by all three keys
Branches
main— source of truthinfra/stage/dev— dev cluster (Kargo promotion)infra/stage/test— test stage (Kargo verification)infra/stage/prod— prod cluster (Kargo promotion via PR)