- Add test-key (age1wtzdf8...) for shared test environment - Enable mac_only_encrypted: true in .sops.yaml (SOPS >= 3.9.0) Allows adding new YAML fields without decryption key - Re-encrypt all 10 files with mac_only_encrypted metadata - Strict isolation: dev-key ↔ *.dev.enc.yaml, prod-key ↔ *.prod.enc.yaml - test-key can only decrypt *.test.enc.yaml (not dev/prod) - Add dev/verify-sops-isolation.sh — 33-point verification script - Keep dev/prod files with admin+dev / admin+prod only (no test-key) Verified: 33/33 isolation checks passed Co-authored-by: XoR <xor@benadis.ru>
# SOPS configuration for deploy-app-kargo-private
|
|
# Zero Trust key model: dev cannot decrypt prod, prod cannot decrypt dev.
|
|
# Test secrets accessible to both dev and prod.
|
|
#
|
|
# Keys:
|
|
# admin: age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7 (master, backup/audit)
|
|
# dev: age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g (dev cluster only)
|
|
# test: age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33 (shared test environment)
|
|
# prod: age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk (prod cluster only)
|
|
#
|
|
# Trust model:
|
|
# *.dev.enc.yaml → admin + dev (ONLY dev-admin can decrypt)
|
|
# *.test.enc.yaml → admin + dev + test + prod (everyone can decrypt)
|
|
# *.prod.enc.yaml → admin + prod (ONLY prod-admin can decrypt)
|
|
# *.shared.enc.yaml → admin + dev + prod (legacy, both can decrypt)
|
|
#
|
|
# mac_only_encrypted: true — allows adding new YAML keys/structure without
|
|
# having the decryption key. MAC is computed only over encrypted values.
|
|
# This enables dev to add fields to *.prod.enc.yaml without decrypting them.
|
|
# Requires SOPS >= 3.9.0.
|
|
|
|
creation_rules:
|
|
# Dev-specific secrets — ONLY admin + dev can decrypt
|
|
- path_regex: \.dev\.enc\.yaml$
|
|
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
|
|
mac_only_encrypted: true
|
|
age: >-
|
|
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
|
|
age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g
|
|
|
|
# Test secrets — all keys can decrypt (shared test environment)
|
|
- path_regex: \.test\.enc\.yaml$
|
|
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
|
|
mac_only_encrypted: true
|
|
age: >-
|
|
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
|
|
age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
|
|
age1wtzdf8k5fhazffq5t5erm0azvp463mzk6fm4vghqwah2lz9sf3eszksf33,
|
|
age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
|
|
|
|
# Prod-specific secrets — ONLY admin + prod can decrypt
|
|
- path_regex: \.prod\.enc\.yaml$
|
|
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey)$
|
|
mac_only_encrypted: true
|
|
age: >-
|
|
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
|
|
age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
|
|
|
|
# Shared secrets (legacy, both clusters) — admin + dev + prod
|
|
- path_regex: \.shared\.enc\.yaml$
|
|
encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|repoURL|username)$
|
|
mac_only_encrypted: true
|
|
age: >-
|
|
age1xmnaqlrjzpk5hl7uhel9sehqh7zdz8p59qte2myt97aqd7lyeuxszuess7,
|
|
age1ame2tp44sq9rmkqzqvxy77eu7qd2035kmlgcsfjfxj2jughv3clqlku03g,
|
|
age16p0gwk8vt90vy2gm8jjca8rcyd2drv5526e997ukdelnv5ek8unqm0smuk
|
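Review bot: Because every rule sets `mac_only_encrypted: true`, the MAC authenticates only the encrypted values (as the header comment itself says), so plaintext fields are no longer tamper-evident at decrypt time — and the dev/test/prod rules' `encrypted_regex` is narrower than the `.shared` rule's, omitting `repoURL` and `username`, which would therefore sit in clear and unauthenticated in those files if they occur there. Consider aligning the three patterns with the shared one, `encrypted_regex: ^(password|token|secret|key|privateKey|admin-password|db-password|passwordHash|tokenSigningKey|repoURL|username)$`, so the same field name gets the same protection in every environment. The header should also record the trade-off, e.g. `# Trade-off: with mac_only_encrypted, plaintext fields are NOT covered by the MAC — review changes to them as carefully as changes to encrypted ones.` Note too that the pattern is an exact, case-sensitive match on key names, so variants such as `apiKey` or `clientSecret` would be left in clear; it may be worth confirming the key names in the ten re-encrypted files against it.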