makeitworkcloud
diff --git a/‎.sops.yaml‎
Lines changed: 7 additions & 0 deletions b/‎.sops.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 100 additions & 3 deletions b/‎AGENTS.md‎
Lines changed: 100 additions & 3 deletions
diff --git a/‎bootstrap/secrets/ci-token-sync-secret.yaml‎
Lines changed: 17 additions & 16 deletions b/‎bootstrap/secrets/ci-token-sync-secret.yaml‎
Lines changed: 17 additions & 16 deletions
diff --git a/‎bootstrap/secrets/github-oauth-secret.yaml‎
Lines changed: 21 additions & 22 deletions b/‎bootstrap/secrets/github-oauth-secret.yaml‎
Lines changed: 21 additions & 22 deletions
diff --git a/‎bootstrap/secrets/openshift-oauth/github-oauth-secret.yaml‎
Lines changed: 15 additions & 15 deletions b/‎bootstrap/secrets/openshift-oauth/github-oauth-secret.yaml‎
Lines changed: 15 additions & 15 deletions
diff --git a/‎operators/arc/dind-application.yaml‎
Lines changed: 46 additions & 0 deletions b/‎operators/arc/dind-application.yaml‎
Lines changed: 46 additions & 0 deletions
@@ -1,3 +1,10 @@
 ---
 creation_rules:
+  # Default: encrypt only common secret fields
   - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+    encrypted_regex: '^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.github\.clientID|dex\.github\.clientSecret)$'
+
+  # For Cloudflare credentials JSON (special case - entire value is secret)
+  - path_regex: cloudflared-credentials-secret\.yaml$
+    age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+    encrypted_regex: '^(credentials\.json)$'
@@ -67,16 +67,113 @@ Public `*.makeitwork.cloud` app DNS records are operator-managed from `TunnelBin
 
 ## SOPS/KSOPS Encryption
 
-Secrets encrypted with age. Each directory with secrets has a KSOPS generator file.
+Secrets are encrypted with age using **selective field encryption**. Only actual secret values are encrypted; metadata, comments, and non-sensitive configuration remain readable.
+
+### Configuration
+
+The `.sops.yaml` file defines `encrypted_regex` to target only sensitive fields:
+
+```yaml
+encrypted_regex: '^(token|api-token|clientID|clientSecret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.github\.clientID|dex\.github\.clientSecret)$'
+```
+
+### File Structure Best Practices
+
+**DO:**
+- Create separate Secret files for sensitive values
+- Reference secrets from Applications/CRDs by name
+- Keep non-secret manifests completely unencrypted
+- Use comments in secret files to document purpose
+
+**DON'T:**
+- Encrypt entire Kubernetes manifests (configs, Namespaces, RBAC)
+- Mix secrets with configuration in the same file
+- Encrypt metadata fields (names, namespaces, labels, annotations)
+
+### Example: Proper Secret Structure
+
+```yaml
+# GitHub OAuth for ArgoCD - encrypted with sops
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-github-oauth
+  namespace: openshift-gitops
+  labels:
+    app.kubernetes.io/part-of: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+type: Opaque
+stringData:
+  # Only these values are encrypted
+  dex.github.clientID: Ov23liV3VghvjBnQjsWQ
+  dex.github.clientSecret: ae75f6c64ba9833bf7323c205f7b5ea368390788
+```
+
+### Commands
 
 ```bash
-# Encrypt
+# Encrypt a file (applies encrypted_regex from .sops.yaml)
 sops -e -i secret.yaml
 
-# Decrypt for viewing
+# Decrypt for viewing (stdout only, doesn't modify file)
 sops -d secret.yaml
+
+# Edit an encrypted file (decrypts in editor, re-encrypts on save)
+sops secret.yaml
+
+# Check if encryption worked correctly
+sops -d secret.yaml | grep -E "(apiVersion|kind|metadata|name|namespace)"
 ```
 
+### Adding New Secrets
+
+1. Create a plain YAML Secret file with the sensitive values
+2. Run `sops -e -i your-secret.yaml`
+3. Verify only the secret values are encrypted (metadata should be readable)
+4. Add the file to the appropriate `ksops-*.yaml` generator
+5. Never commit unencrypted secret files
+
+### KSOPS Integration
+
+Each directory with secrets has a KSOPS generator file that lists encrypted files:
+
+```yaml
+# ksops-example-secrets.yaml
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops-example-secrets
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - github-oauth-secret.yaml
+  - api-token-secret.yaml
+```
+
+The kustomization.yaml separates resources (unencrypted) from generators (encrypted):
+
+```yaml
+resources:
+  - deployment.yaml        # Unencrypted manifest
+  - configmap.yaml         # Unencrypted config
+generators:
+  - ksops-example-secrets.yaml  # Decrypts secrets during kustomize build
+```
+
+### Migration from Full-File Encryption
+
+If you encounter files where everything is encrypted (apiVersion, kind, metadata):
+
+1. Decrypt the file: `sops -d old-file.yaml > decrypted.yaml`
+2. Split into separate files:
+   - One for Secret resources (re-encrypt with `sops -e -i`)
+   - One for non-secret resources (keep unencrypted)
+3. Update the kustomization.yaml to reference new file names
+4. Delete the old over-encrypted files
+
 **Key:** `age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l`
 
 ## Tor Hidden Services
 
@@ -1,25 +1,26 @@
-apiVersion: ENC[AES256_GCM,data:VQk=,iv:8Iz5K0Jdf3wR1FNZnj81Jm9MXAaxErfD4anrn8uZbr4=,tag:oS0tNZqC20620maA236IRQ==,type:str]
-kind: ENC[AES256_GCM,data:s6GJ4f0A,iv:zkjGKYvfftl6+huW5YuQ5PPN5cVUYjshbZnF+Ik4KTQ=,tag:pVRCk2ISpQmoUJ/OeR64Xg==,type:str]
+# GitHub PAT for CI token sync job
+apiVersion: v1
+kind: Secret
 metadata:
-    name: ENC[AES256_GCM,data:356CkXc5U+MQTSPbqyTQabZmEojGpqKr,iv:IYFuCvj+ugcBmnSpHSnB9PTVM3o5/Ic0GpnS+VPA55k=,tag:TDwXp1x/56QY3H7F2xtLow==,type:str]
-    namespace: ENC[AES256_GCM,data:MBHrZGqWNalrYMHZV8+yCQ==,iv:9Ke+/iyuX0buA3IltNcpqvCWMwk87W2c5kvDBATuYfU=,tag:DHonDfXMYpY7cIrXIdre8A==,type:str]
+    name: ci-token-sync-github-pat
+    namespace: openshift-gitops
     annotations:
-        argocd.argoproj.io/sync-wave: ENC[AES256_GCM,data:TA==,iv:7t316IfpyVTOK6w75dXpJD8YNci+BPka5sg1YRTeuPE=,tag:VszmcTr9hNBzuAtscE0p4A==,type:str]
-type: ENC[AES256_GCM,data:ORt/cNmM,iv:5vr6iYyodRvRGLnqM7OBkVv6Ws5/MWbswcv541ucPXM=,tag:fnixLeEG9Rue5pJi6XVvkg==,type:str]
+        argocd.argoproj.io/sync-wave: "0"
+type: Opaque
 stringData:
-    token: ENC[AES256_GCM,data:GQ7pxNfuDZNzJPE4Hu/CsWaNWe4jogoWGILGU9ssIyOkeAAcjxN5vw==,iv:+Mtik0YZmE+NdkBH02YL/6lXh6MQxfHwDf+bzefomVc=,tag:EC0fUd+XHA+0dNSoJII5jA==,type:str]
+    token: ENC[AES256_GCM,data:Ognt3fGKnWP4/qQVu2hiJiHkOA6/4p9tOSI2smJH+aqZM8O+DvTuZQ==,iv:GxUbBrd9zJ8n3rca3rnkwVI3pCPUslV5ChF0j5Yq95Y=,tag:eou5jdEiNO+UqPh+hRFvBw==,type:str]
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbHdzRkduYldSQmlFS1p0
-            TDhmaitjNGQzdFl3Z2ZHYVpuVUFRSUo1Y0RvCk9LOWp6R1puaVNNZ2F5N09SUWJQ
-            VnlTWENOd1pXYS9sNGY1anRPd01rVWcKLS0tIHA1WittN24vbjhIcHNjb2UzOE11
-            RzFKcEhPQVdacFNORzdaRk1SUXpoSGcKx6FL2ltsasUNVTu5BIgBNHr9PfEgRENw
-            WnI03yOSBkwPtX9LlrWtIzBURRPAuQmD4tHwfzf6aDoU2XM+u/NkVw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSEtEM3ZzcXF6RTRiajZu
+            SkVaL3hKQU5ZTDQ5L0c0SkVIUjZPS243SG1JCkhzUDhiVUhwRFpCdS9PN2szYlI1
+            ZUF3UFNYNmxHSGxSMnhlTmNnYlNwbjgKLS0tIE5rK3E3S21ZN0hLOEkyV3YraUwv
+            RGh2Tm01cGtka3ErSjhrMUZONlF4encKS8O4QyPAB5tClbtfZvf1WwSWjMTxRzWs
+            6psAKBGnmzK2kXWgdisc2RXT+QWGlWOooI+af3KwFtMq2BWN6Ssk6A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-22T02:38:13Z"
-    mac: ENC[AES256_GCM,data:ySY+SE/2sWHISxLu4B/kLRNJ0PBMnZVZgyS+jUhvSxbuPEX8sPhLeRxq0pw3Jez/fnywGBvKM0Vk+whBX8hNq5G6+dAVcCFUS2qMez9t8w2Hkebt1J42aWjq6V2B7uZHGaKqbmy57eZR14YZLX0r9PnBdnHTCpW8DITkmXgdrqM=,iv:NWzEzSdCm1cZcz4hz/dgSbY4l8+OgbNqFLACtoByLrU=,tag:W0575Z2NuhhGaAEOe/0Ngg==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    lastmodified: "2026-03-16T14:34:14Z"
+    mac: ENC[AES256_GCM,data:oz/t2jXTkbWycrjfRXu3rgr2rU0fq3oeDHa8t70P0rh+eBh/NAuveZwvuLDfTFT3skA0D+3RBRRi0Cmz+qaWDXOdp9Yw9Bd536ZtByn6Qs1JHlTqRHC9eqaQ5iNdq78QxOjpeHJZG0Vro8t4vuTy4HY+ADnTS1c+nw17LU29L9s=,iv:lx+HPiCx9UqWAupQafWSr9dGymeGTohpzv8IKC5186g=,tag:DQ1zH28y8648Fwp2jsWNow==,type:str]
+    encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.github\.clientID|dex\.github\.clientSecret)$
+    version: 3.12.1
@@ -1,32 +1,31 @@
-#ENC[AES256_GCM,data:KlBjV+QAysfCA5IhkPgMD1+JxYA1f9TirA1yfvg4W768ImjTOjnhBJ1ihCLY9fkBVtk=,iv:AkdEYDOxgb5EzrKh7naUZjGatIA93YzdOnDtsesdGFg=,tag:MjjIdmqeANLcM5AaAbMLUQ==,type:comment]
-#ENC[AES256_GCM,data:dp2HVFpJItj0CSIGgVVq2cYZ0C75pNXJ/AbGzFPJSQZzjCkzq0ZZXM61UUKKn9ftNQ==,iv:9lz7C13MzdjeAWFC6YfabBVBsC7M/dKPLlSrC7AYmSc=,tag:ZAbtY9CuI676pWc93YiI9Q==,type:comment]
-#ENC[AES256_GCM,data:eg+ZOpVnOS98aximBNYGecoCcSETGt3xC3yoi7rTALfV2DLzpquP6lp9NhG4y4Sr,iv:yux4QAO8wzxzgdldE0GIGLVUAKKTEA54lUx36tIfeU8=,tag:dDR1VNPYk3ftUahgX+VHug==,type:comment]
-apiVersion: ENC[AES256_GCM,data:NJQ=,iv:PlDZa7RNLA5qSZOzoH48jwh8v069v21/3smNygltyJY=,tag:23tfSA2woS41uySVKn0qsA==,type:str]
-kind: ENC[AES256_GCM,data:kTpyJCoA,iv:e0yep/CJBmCBoUyrvrRauGrejZHSKhT0fR0HVCCnZW4=,tag:WvR+N0D2CpqdhTXqW5Ep1Q==,type:str]
+# GitHub OAuth credentials for ArgoCD Dex connector
+# This secret must be labeled to be read by ArgoCD
+apiVersion: v1
+kind: Secret
 metadata:
-    name: ENC[AES256_GCM,data:fOz2ELuCGLGqKNKE+w==,iv:MbOmbehtcQ882Tldr/2cEfpLh2Bsw0A5SMfiBR54YWI=,tag:nTTfMMumH0VlNofP9bMBxA==,type:str]
-    namespace: ENC[AES256_GCM,data:AsTFPuzttUT2fQp4IZZNRA==,iv:gTonwFIKfYsR8fh4ENlUk6M+tki8HY5bgtekFg03XtQ=,tag:JpInvioXdgKWwmWv/FyIQw==,type:str]
+    name: argocd-secret
+    namespace: openshift-gitops
     labels:
-        app.kubernetes.io/part-of: ENC[AES256_GCM,data:lAK3fQUd,iv:iHLJCJIbmiUj4Tn5H2SnppKCa2J8/yOQrf6To1scc6c=,tag:a4QY/6igO/ZEjkJs8nreHw==,type:str]
+        app.kubernetes.io/part-of: argocd
     annotations:
-        argocd.argoproj.io/sync-wave: ENC[AES256_GCM,data:zw==,iv:jJMHRcMFg8Qjqs+Ny1SkLxDLpnHN6g+tliW2vtQp9aQ=,tag:LBp6vtOvKIgaF9OQruOV8w==,type:str]
+        argocd.argoproj.io/sync-wave: "0"
 stringData:
-    #ENC[AES256_GCM,data:t8QUrNRqqam32H0BJ+bs+R7W+Bz/on8TZNMfFEd0PL2xljUUi8NKojBPEQ/BRxHKp5qOIi9ab/T/1PktQZmIYr8ER1Wg/u7nublr4N4G3znncblOSX+M0F8D/o3RuMih,iv:WhlH41qOMYjp/tzONPZoyD5O8m/p8QyfTAt/r/hbhMo=,tag:2IcsaQObHbdfPx3CC+HCTw==,type:comment]
-    #ENC[AES256_GCM,data:cP7c6hAPoj6OW7HLpdi23vCJmV/oFNeGy8nAXE/w/NLnpeG3XjgQCk/0wmMn2UvLvdW7VrL6zxuKfJWHLNMXfafTfM7gjjsjKDyZv5kMHpsI2uYUH3+kuOuRDJfTNYmscmDoYe2C,iv:TecnYwJQgEAbbnUJcneEFJ571UJXElOHV9mjKZORqaw=,tag:app4Cgr7znrBcTVrrpiGIA==,type:comment]
-    dex.github.clientID: ENC[AES256_GCM,data:lszuIZi+fACSkA22r/rWtKJlgQA=,iv:5j4ZIoJuX0IQE/Yk0JAIIbO8GUgxRz1tYbzLgIoz6hw=,tag:AvmVznBITElCflyYbZYwqQ==,type:str]
-    dex.github.clientSecret: ENC[AES256_GCM,data:f/CIHwUoTLDDsN/zp2xeVWJw/vNdVE3sw2A1JrafSxzzdAqZTUq0Sw==,iv:Xi3NkSY8YtVRcURcKpfLFB+zqs4GyRTgB4Vj3IjxTJ0=,tag:vi1/QWUEyaarlRexp079Mw==,type:str]
+    # Create OAuth App at: https://github.com/organizations/makeitworkcloud/settings/applications/new
+    # Callback URL: https://openshift-gitops-server-openshift-gitops.apps.makeitwork.cloud/api/dex/callback
+    dex.github.clientID: ENC[AES256_GCM,data:IKYr6n+vYWr9unNn2v6vjRVDqXI=,iv:LYbvfZDk0/CsT/BAMYeY8E4kdfstdKIFbR5q9R1RtjU=,tag:H0tEE8PFfMSnSADKQsD7IA==,type:str]
+    dex.github.clientSecret: ENC[AES256_GCM,data:PIjOmNllArXojt9XEuGMKZQk8yvwBoe5ITwOBLdieHXV9AuzyXKB+Q==,iv:iBj8yplENYjRVoST9ypifH6c2+Ai3mbY/BCZkpXf6B4=,tag:Vitakp1hVd20LesgGgngmg==,type:str]
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaDhCZVlQNHlTS2I1ZFBX
-            dUhoZG10Ykt6ajBtWnlKeDVkbVFTT2QyYnlnCjZ0RG5UUWRDTy83MXJMYVlKQUxo
-            TTRBdmxORHpTTFZFZGZhcit0TXBycUUKLS0tIEVWblljSEpvSDZvZGcwYzZQWU1N
-            MXdVQmljVVAzdkl2NmtwSlJ0VHl5RHcK8mwt+11CX4qJE0banJVcuQ8RBtuXcuaA
-            nmk5NepXlMnk/reM/BgpylvX5xkVZvrkBk1cwSeFRRSeLCUMIKDhyg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdTBEM1RrQ3UrWDU0VCtS
+            NUxML2FzTEY2K3h6ZFdVTDhlVFYzOExtQ0dZClh4ck53Q0JZN0oyVmhKM1lVRWtq
+            aWsyRHozTm8wWGMvZStxR25tMnJOQkkKLS0tIFVEMlVBL05odGU4QkJwUExLOFY5
+            Y1RWYWFzUjlkeEZMcTFJQjFsaEJCZ0kKM3XMmt4AIo+Nk2nnwliKepjD+pveGeoc
+            GYa3eyUxgw1mHubDaMOCT8Su9UAA2pcQvmfxxdzcvYf4iDeYu23ikw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-21T19:24:14Z"
-    mac: ENC[AES256_GCM,data:YkuIa0Skn+2eSQNpaebqQAdGNtXC7tBiTbjhW7Lz6x+ubazUroGFE7q4rYbYd2tPAguNg/mGe2x0hIxMeriLGdaMAZiNDzGcEcCJxdHTLepWcZiaj6bP/RUfCyodrUICKdGjvXgYRV1/yC+b8hmiFX0DH8sU3O5saWJjy20GaWc=,iv:KHS62ImuEURc3KrCqHUwOQJt0StvTKXQ0YvhxHHEG5c=,tag:K7zu2ly5X1jurThZGmncEw==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    lastmodified: "2026-03-16T14:34:18Z"
+    mac: ENC[AES256_GCM,data:d7xkhy1EinJh8yQvHzdOm6/WBuH6sZg4xSeJOXrwxnR9t5t4RoFJJA8r2zSg4oM67wghPkxlB0EmZkysCZjtDo8jLLpmd9AZ+TYZgv49U34eMM6xMsDmMjHDC+gpmEy8IcCn7mRtfU5peqSaQ8wxqqFomuYR5GSplP+qrynqlk0=,iv:oflPF+MI3xgLwbCbDqiGDm7+VubCc9NfV7NB4J2AgGc=,tag:QHYSoe1/tPAcSCy9a06cMw==,type:str]
+    encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.github\.clientID|dex\.github\.clientSecret)$
+    version: 3.12.1
@@ -1,23 +1,23 @@
-apiVersion: ENC[AES256_GCM,data:hSc=,iv:Xeo2njtyppQgXwJg63cLuw7EO2E7c68kug6z3W6vTkE=,tag:OfPO5CG5IVYZ2z7igNQZTA==,type:str]
-kind: ENC[AES256_GCM,data:Q8dge6V8,iv:cTknW6o5ODmGQzPGRR+NvNHkua4K6jEMpTfr/qy33Ig=,tag:/qmxzegove3clu7lCpM22w==,type:str]
+apiVersion: v1
+kind: Secret
 metadata:
-    name: ENC[AES256_GCM,data:GN5uN3NOYWSVCPO3tUaJHmY/ew==,iv:bV7F/cg5wRMG68JVzdmi7Hgm06IAoQjba77JXLN6izU=,tag:im6EMIZTugo9Hx8UFsU6Qg==,type:str]
-    namespace: ENC[AES256_GCM,data:R0rlpU5qhnd4W+ypE+6L8Q==,iv:JuWD1Dz29dgg9jMnMLy6HJCHjyEn3TPkx7qo865gQhI=,tag:SNea9sL/OPhnwlo7N/WT7w==,type:str]
-type: ENC[AES256_GCM,data:IqRDkgRr,iv:AYCk44+YXsrAo+v7PCmKti/Zik0g0rCwvNmaKgW6tnM=,tag:ClEu5foxzYOh9yMhhfZLBA==,type:str]
+    name: github-oauth-secret
+    namespace: openshift-config
+type: Opaque
 stringData:
-    clientSecret: ENC[AES256_GCM,data:WKqON8VZKpSoGS5A0lVFaZVpEPloKoINMmI8zr/BacbAJkjPVshUwg==,iv:mVZ4sM1xjDqAUrMmfX8d1qsZ0/xhD5Dl+na5xUQHKfs=,tag:aX3E//FBAr442Idmw/ON1A==,type:str]
+    clientSecret: ENC[AES256_GCM,data:M2XkMMhZaKO3iZLQMso3uRPJ2CMdhGHqylND0qNm2pIdzPPJjoKu3A==,iv:eewiddf/mOJEOqIoMF8nUp53BMCQD5DXv05dAMcZjUY=,tag:pwBozd6p2oAz6Zzg8H3F3Q==,type:str]
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOFhsb2FWb1A0Q1pCRmNW
-            ZVk3SVplWHlzb1ZDWXNwWjhyWkpMQm0ycTA4CkpDcGQ3TkFORUdCa21BUERsTTBU
-            ZzBkQThOeXd0Tzk1WmNiSkIydlBVSTgKLS0tIHQrYW54eWg0SmJ2cFdKbWFyOWFG
-            RDBBQTMvd3JDS2hmQ3Z3eTNtdkcrQUkKHpr0yiSS9/tuUMAStzZCV6oefXXLaXTt
-            Df9OsddEdvSG6/kb+Dx0K6k4Vw1tgwlLgW6An0mmqPR7s/zR4uK01A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSU5scVRqWXZMSjg5R1Ux
+            QmRVb1FsdUtFbWc2TXdJTldBR2lTZ3pEMldRCndHdEhvSUdlNUptWTc0eUpxWTh6
+            akF4YVFxVDdsL3JTYTlLT1o3Nm9xcm8KLS0tIFlGS1hNWEJaM1ZsMGJpaGs4dXg0
+            LzdjdUgrOXFPTlpoYlNSWlYxZCsvc1UKCYMGUuTiUwdrOvdAqRnn9xKNDHWEGn9l
+            wffbPKF4nzuSlcfyxUKDq4J/ybI6jLS2uUXeXi1H/SD37moB/8kf7A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-28T17:09:34Z"
-    mac: ENC[AES256_GCM,data:I0xDHxMuje9re6H+Gu6swngcMK8pvNpCIYZsNn8NPPp4fl1v2ol82KOJOtCgZgjLRU6d2GllAuFcgul65o765D0dSUJ1hihXgFmhZlD93/clHGveLDnpvFnj9YhWYOZmTsza5c5d3DEVTAi7vmcaYL4DFk+I3mTIXbibCj5D7FQ=,iv:Fkn7yhH6VXGsNFlxwL1McedvIKnrFslwQ7WH6dpci9s=,tag:xGpKK+2charlAIiV/52l+g==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    lastmodified: "2026-03-16T14:34:16Z"
+    mac: ENC[AES256_GCM,data:JyPug8zRBpeLD+dERNB9RcwKl3rFe8QCxZ0Q4TAClhTkF89JfA2MyfHdDMB3buPnk0TobsuX2q2j9hcspzU/AzmC+TpdFdMtFPNGqd8m24GWP0qOUiIfJeEW+j5OAAdBdrYgZk7uKnSW6Nw2FrgpdYPpeaSk0a/bllJKUmE0r8k=,iv:DZmjUgUmA+GR29iB3vTMYZ4CEEw0FfnWRRVwWdZHZxs=,tag:clTkehHkv7DiRKa5jOR9ow==,type:str]
+    encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.github\.clientID|dex\.github\.clientSecret)$
+    version: 3.12.1
@@ -0,0 +1,46 @@
+# ArgoCD Application for ARC dind-systems controller
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  name: arc-dind
+  namespace: openshift-gitops
+spec:
+  destination:
+    namespace: arc-dind-systems
+    server: https://kubernetes.default.svc
+  # Ignore fields on CRDs that Kubernetes mutates after creation
+  ignoreDifferences:
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jqPathExpressions:
+        - .metadata.annotations
+        - .spec.conversion
+        - .spec.preserveUnknownFields
+        - .status
+  project: default
+  source:
+    chart: actions-runner-controller
+    helm:
+      releaseName: arc-dind
+      valuesObject:
+        authSecret:
+          create: false
+          name: arc-dind-github-token
+        image:
+          repository: docker.io/summerwind/actions-runner-controller
+          actionsRunnerRepositoryAndTag: docker.io/summerwind/actions-runner:latest
+          dindSidecarRepositoryAndTag: docker.io/library/docker:dind
+        scope:
+          singleNamespace: true
+          watchNamespace: arc-dind-runners
+    repoURL: https://actions-runner-controller.github.io/actions-runner-controller
+    targetRevision: 0.23.7
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - ServerSideApply=true
+      - RespectIgnoreDifferences=true