Nextgen secrets implementation with separation per cluster

1. Extending templater with kyaml functions and creating combined catalogue
to be able to request/update the existing resources.
This is based on 'everything is transformer' concept introduced in kustomize 4.x
That includes gathering all secrets into 1 variable catalogue and
special mechanism to regenerate/merge with manual secrets.

2. Implementing 'catalogue per cluster' approach for secrets.

3. Rearranging secrets so it's possible to use:
pgp (each person may have his own key), age, Hachicorp Vault and etc
and the list of people who can decrypt documents is set in a special file.
Since in some cases there should be a separate list of people who can decrypt
data - this list is set for each cluster (ephemeral and target) separatelly.

Closes: #586
Change-Id: I038f84dd138d5ad4a35f4862c61ff2124c2fd530

manifests/site/test-site/kubeconfig/update.yaml

@@ -0,0 +1,69 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-cluster-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: combined-target-secrets
+    fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=caCrt].data"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.clusters.[name=target-cluster].cluster.certificate-authority-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: combined-target-secrets
+    fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=crt].data"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=target-cluster-admin].user.client-certificate-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: combined-target-secrets
+    fieldref: ".secretGroups.[name=targetK8sSecrets].values.[name=key].data"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=target-cluster-admin].user.client-key-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: combined-ephemeral-secrets
+    fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=caCrt].data"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.clusters.[name=ephemeral-cluster].cluster.certificate-authority-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: combined-ephemeral-secrets
+    fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=crt].data"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=ephemeral-cluster-admin].user.client-certificate-data"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: combined-ephemeral-secrets
+    fieldref: ".secretGroups.[name=ephemeralK8sSecrets].values.[name=key].data"
+  target:
+    objref:
+      kind: KubeConfig
+      name: default
+    fieldrefs: [".config.users.[name=ephemeral-cluster-admin].user.client-key-data"]