# The name "sync" must be sorted after "flux-system" to ensure
# Flux CRDs are instantiated first
cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
+{{- if .Values.flux.decryptionSecret }}
+---
+apiVersion: v1
+type: Opaque
+kind: Secret
+metadata:
+ name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
+ namespace: flux-system
+data:
+ sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
+{{- end }}
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
sourceRef:
kind: GitRepository
name: {{ .Values.flux.repositoryName }}
+{{- if .Values.flux.decryptionSecret }}
+ decryption:
+ provider: sops
+ secretRef:
+ name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
+{{- end }}
EOF
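Review bot: The Secret name built on the new `name:` lines (`{{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg`) is only a valid Kubernetes object name if both values are DNS-1123-safe; a branch such as `feature/x` or one with uppercase letters would make the Secret and the `secretRef` on the later added lines unapplyable, so a `| replace "/" "-" | lower` (or a dedicated `.Values.flux.decryptionSecretName`) would be safer. The guard also leaves the data line unquoted: `sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}` is fine for a single-line base64 string, but if the value is ever left empty while the `if` is true-ish the key becomes `null`; quoting the rendered value (`"{{ ... | b64enc }}"`) costs nothing. The enclosing heredoc starts before the first visible line, so the rest of the GitRepository/Kustomization document is outside this hunk.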
cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
{{- if .Values.flux }}
- Ingress
---
sync.yaml: |
+ {{- if .Values.flux.decryptionSecret }}
+ ---
+ apiVersion: v1
+ type: Opaque
+ kind: Secret
+ metadata:
+ name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
+ namespace: flux-system
+ data:
+ sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
+ {{- end }}
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
sourceRef:
kind: GitRepository
name: {{ .Values.flux.repositoryName }}
+ {{- if .Values.flux.decryptionSecret }}
+ decryption:
+ provider: sops
+ secretRef:
+ name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
+ {{- end }}
kind: ConfigMap
metadata:
creationTimestamp: null
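Review bot: The same Secret that carries the SOPS private key (`sops.asc`) is now also embedded verbatim in the `sync.yaml` entry of an object that is `kind: ConfigMap`, so the GPG private key ends up stored as ConfigMap data (readable by anyone with `get configmaps` in that namespace, and presumably in whatever Helm release record this chart produces), not only in the `flux-system` Secret. A safer shape is to accept the name of a pre-created Secret (e.g. `decryptionSecretRef`) and render only the `secretRef` block, leaving the key material out of values and out of the ConfigMap; if the key must be passed through values, at least document that it should be supplied with `--set-file` and that the rendered ConfigMap contains it. The ConfigMap's metadata continues past the hunk, so I cannot see which namespace it lands in.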
# path is the repository to the resources to be applied to the
# cluster.
path: ./deploy/site/cluster-icn
+ # decryptionSecret is the SOPS secret key used by Flux to decrypt
+ # any SOPS-encrypted data stored in the resources at path.
+ #decryptionSecret: |
+ # -----BEGIN PGP PRIVATE KEY BLOCK-----
+ # ...
# containerRuntime may be containerd or docker.
containerRuntime: containerd
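Review bot: The new `decryptionSecret` comment should warn that the value is a PGP private key that will be rendered into cluster objects, since the chart writes it into both a Secret and the addon ConfigMap; suggested wording: `# decryptionSecret is the SOPS (GPG) private key Flux uses to decrypt SOPS-encrypted resources at path. It is rendered into a Secret in flux-system and into the addon ConfigMap — do not commit it to values.yaml; pass it with --set-file flux.decryptionSecret=<keyfile>.` The comment should also state that it is optional and that decryption is skipped when unset, which is the behaviour the templates' `if` guards imply.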