f640de781d
- Create bootstrap/ dir: cert-manager, traefik-routes, argo-rollouts, kargo, kargo-*-pipeline (not managed by Kargo promotion) - infra/ now only: gitea, gitea-custom (promoted by Kargo) - ci/ unchanged: gitea-runner (promoted by Kargo) - Split kargo/credentials/ into dev/ and prod/ with separate ksops generators - Remove kargo-credentials from AppSet (managed by Pulumi Go code) - Update infra Warehouse: only gitea (was also argo-rollouts, cert-manager) - Update infra Stage dev: only yaml-update for gitea version - Fix test-env warehouse: valid subscription instead of empty array - Update step numbers: bootstrap 1-5, infra 1-2
deploy-app-kargo-private
Private ArgoCD ApplicationSet repository with SOPS-encrypted secrets.
Structure
infra/— Infrastructure apps (cert-manager, gitea, kargo, etc.)ci/— CI apps (gitea-runner, etc.)kargo/— Kargo pipeline definitions + encrypted credentials.sops.yaml— SOPS encryption rules (3 age keys: admin, dev, prod)
Encryption
Secrets in *.enc.yaml files are encrypted with SOPS + age:
*.dev.enc.yaml— decryptable by admin + dev keys*.prod.enc.yaml— decryptable by admin + prod keys*.shared.enc.yaml— decryptable by all three keys
Branches
main— source of truthinfra/stage/dev— dev cluster (Kargo promotion)infra/stage/test— test stage (Kargo verification)infra/stage/prod— prod cluster (Kargo promotion via PR)