Merge "SOPS improvements"

manifests/phases/executors.yaml

@@ -55,6 +55,24 @@ config: |
     cmd: encrypt
     unencrypted-regex: '^(kind|apiVersion|group|metadata)$'
 ---
+apiVersion: airshipit.org/v1alpha1
+kind: GenericContainer
+metadata:
+  name: decrypter
+  labels:
+    airshipit.org/deploy-k8s: "false"
+spec:
+  type: krm
+  image: gcr.io/kpt-fn-contrib/sops:v0.1.0
+  envVars:
+  - SOPS_IMPORT_PGP
+  - SOPS_PGP_FP
+config: |
+  apiVersion: v1
+  kind: ConfigMap
+  data:
+    cmd: decrypt
+---
 # This executor launchs a bootstrap container, which creates
 # an Azure Kubernetes Service (AKS) cluster
 apiVersion: airshipit.org/v1alpha1

manifests/phases/phases.yaml

@@ -228,6 +228,28 @@ config:
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
+metadata:
+  name: secret-show
+config:
+  executorRef:
+    apiVersion: airshipit.org/v1alpha1
+    kind: GenericContainer
+    name: decrypter
+  documentEntryPoint: target/generator/results
+---
+apiVersion: airshipit.org/v1alpha1
+kind: Phase
+metadata:
+  name: secret-reencrypt
+config:
+  executorRef:
+    apiVersion: airshipit.org/v1alpha1
+    kind: GenericContainer
+    name: encrypter
+  documentEntryPoint: target/generator/results
+---
+apiVersion: airshipit.org/v1alpha1
+kind: Phase
 metadata:
   name: remotedirect-ephemeral
 config:

manifests/site/test-site/target/generator/kustomization.yaml

@@ -1,2 +1,4 @@
 generators:
-- override
+- overridegeneration
+transformers:
+- overrideplacement

manifests/site/test-site/target/generator/overrideplacement/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- ../../../../../type/gating/target/generator/fileplacement

manifests/site/test-site/target/generator/results/decrypt-secrets/configurable-decryption.yaml

@@ -8,8 +8,10 @@ metadata:
         image: quay.io/airshipit/templater:latest
         envs:
         - TOLERATE_DECRYPTION_FAILURES
+        - DEBUG_SOPS_GPG
 template: |
   {{- $tolerate := env "TOLERATE_DECRYPTION_FAILURES" }}
+  {{- $debug := env "DEBUG_SOPS_GPG" }}
   apiVersion: v1
   kind: ConfigMap
   metadata:
@@ -26,3 +28,6 @@ template: |
     {{- if eq $tolerate "true" }}
     cmd-tolerate-failures: true
     {{- end }}
+    {{- if not (eq $debug "true")  }}
+    override-preexec-cmd: '[ "$SOPS_IMPORT_PGP" == "" ] || (echo "$SOPS_IMPORT_PGP" | gpg --import 2>/dev/null)'
+    {{- end }}

manifests/site/test-site/target/generator/results/kustomization.yaml

@@ -3,3 +3,4 @@ resources:
 
 transformers:
   - decrypt-secrets
+  - ../overrideplacement

manifests/type/gating/target/generator/fileplacement/filepaths.yaml

@@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+  name: filnames-patch
+patch: |
+  apiVersion: airshipit.org/v1alpha1
+  kind: VariableCatalogue
+  metadata:
+    name: generated-secrets
+    annotations:
+      config.kubernetes.io/path: secrets.yaml

manifests/type/gating/target/generator/fileplacement/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- filepaths.yaml

manifests/type/gating/target/generator/secret-template.yaml

@@ -28,8 +28,6 @@ template: |
     labels:
       airshipit.org/deploy-k8s: "false"
     name: generated-secrets
-    annotations:
-      config.kubernetes.io/path: secrets.yaml
   {{- $ephemeralClusterCa := genCAEx .ephemeralCluster.ca.subj .ephemeralCluster.ca.validity }}
   {{- $ephemeralKubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil .ephemeralCluster.kubeconfigCert.validity $ephemeralClusterCa }}
   ephemeralClusterCa: