5 gpg --with-colons --list-secret-keys $1 | awk -F: '/fpr/ {print $10;exit}'
8 function create_gpg_key {
11 # Create an rsa4096 key that does not expire
12 gpg --batch --full-generate-key <<EOF
19 Name-Real: ${key_name}
23 function export_gpg_private_key {
24 gpg --export-secret-keys --armor "$(_gpg_key_fp $1)"
27 function sops_encrypt_site {
31 local -r site_dir=$(dirname ${site_yaml})
32 local -r key_fp=$(_gpg_key_fp ${key_name})
34 # Commit the public key to the repository so that team members who
35 # clone the repo can encrypt new files
36 echo "Creating ${site_dir}/sops.pub.asc with public key used to encrypt secrets"
37 gpg --export --armor "${key_fp}" >${site_dir}/sops.pub.asc
39 # Add .sops.yaml so users won't have to worry about specifying the
40 # proper key for the target cluster or namespace
41 echo "Creating ${site_dir}/.sops.yaml SOPS configuration file"
42 cat <<EOF > ${site_dir}/.sops.yaml
45 encrypted_regex: ^(bmcPassword|hashedPassword)$
49 sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
52 function sops_decrypt_site {
55 local -r site_dir=$(dirname ${site_yaml})
56 sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
59 function flux_site_source_name {
62 echo $(basename ${url})-${branch}
65 function flux_site_kustomization_name {
69 echo $(flux_site_source_name ${url} ${branch})-site-$(basename ${path})
72 function flux_create_site {
78 local -r source_name=$(flux_site_source_name ${url} ${branch})
79 local -r kustomization_name=$(flux_site_kustomization_name ${url} ${branch} ${path})
80 local -r key_fp=$(gpg --with-colons --list-secret-keys ${key_name} | awk -F: '/fpr/ {print $10;exit}')
81 local -r secret_name="${key_name}-sops-gpg"
83 flux create source git ${source_name} --url=${url} --branch=${branch}
84 gpg --export-secret-keys --armor "$(_gpg_key_fp ${key_name})" |
85 kubectl -n flux-system create secret generic ${secret_name} --from-file=sops.asc=/dev/stdin --dry-run=client -o yaml |
87 flux create kustomization ${kustomization_name} --path=${path} --source=GitRepository/${source_name} --prune=true \
88 --decryption-provider=sops --decryption-secret=${secret_name}