provisioning/o-klab/sops.yaml


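---
# SOPS creation rules: they select which recipients a NEW encrypted file is
# created for. Rules are evaluated sequentially and the first match wins, so
# the most specific path patterns must stay above the catch-all.
#
# Only age recipients are configured here. No `kms` or `pgp` keys appear in
# any rule, so each file is decryptable solely with the matching age private
# key.
# NOTE(review): sops auto-discovers a file named `.sops.yaml`; this file is
# named `sops.yaml`, so it is presumably passed explicitly with --config.
# Confirm with the callers.
creation_rules:
  # Disabled rule. With no `encrypted_regex` in effect, sops encrypts every
  # value in a file rather than only the keys listed in this pattern.
  # - encrypted_regex: (key|user|username|password|passwd|email|stringData)$

  # Dev files: paths ending in `.k.dev.yaml`.
  - path_regex: '\.k\.dev\.yaml$'
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'

  # Prod files: paths ending in `.k.prod.yaml`.
  # NOTE(review): this is the same age recipient as the dev rule, so the
  # holder of that one private key can decrypt both dev and prod secrets.
  # Use a separate prod recipient if the environments must stay isolated.
  - path_regex: '\.k\.prod\.yaml$'
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'

  # Catch-all: a rule without `path_regex` matches every remaining file.
  # It uses a different age recipient from the two rules above, so a dev or
  # prod file whose name misses the expected suffix is encrypted to this key
  # instead.
  - age: 'age1vjvgsyr2nef6rk60gj54yqqqdjtc7saj63fxr3ec567wycnrlqxscdyw34'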