From 39cb5403288463058e88e55f5066cd33a737f978 Mon Sep 17 00:00:00 2001
From: David Landry
Date: Fri, 24 May 2024 22:34:01 -0400
Subject: [PATCH] chore(argocd): add ksops integration
---
.sops.yaml | 2 +
.../argocd-repo-server-ksops-patch.yaml | 59 +++++++++++++++++++
bootstrap/argo-cd/kustomization.yaml | 4 ++
3 files changed, 65 insertions(+)
create mode 100644 .sops.yaml
create mode 100644 bootstrap/argo-cd/argocd-repo-server-ksops-patch.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7021297
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+ - age: "age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9"
diff --git a/bootstrap/argo-cd/argocd-repo-server-ksops-patch.yaml b/bootstrap/argo-cd/argocd-repo-server-ksops-patch.yaml
new file mode 100644
index 0000000..bef31a7
--- /dev/null
+++ b/bootstrap/argo-cd/argocd-repo-server-ksops-patch.yaml
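Review bot: The single creation rule in `.sops.yaml` has no `encrypted_regex`, so sops will encrypt every value of any file it is run on, including the `apiVersion`, `kind` and `metadata` of a Secret manifest. For manifests consumed through KSOPS it is usual to limit encryption to the payload, e.g. `encrypted_regex: '^(data|stringData)$'` on the same rule, which keeps diffs reviewable and shows which object a ciphertext belongs to. A `path_regex` on the rule would also stop it from applying to unrelated files in the repository.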
@@ -0,0 +1,59 @@
+# argo-cd-repo-server-ksops-patch.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: argocd-repo-server
+spec:
+ template:
+ spec:
+ # 1. Define an emptyDir volume which will hold the custom binaries
+ volumes:
+ - name: custom-tools
+ emptyDir: {}
+ - name: sops-age
+ secret:
+ secretName: sops-age
+ # 2. Use an init container to download/copy custom binaries into the emptyDir
+ # initContainers:
+ # - name: install-ksops
+ # image: viaductoss/ksops:v4.3.1
+ # command: ["/bin/sh", "-c"]
+ # args:
+ # - echo "Installing KSOPS...";
+ # mv ksops /custom-tools/;
+ # mv kustomize /custom-tools/;
+ # echo "Done.";
+ # volumeMounts:
+ # - mountPath: /custom-tools
+ # name: custom-tools
+ # # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
+ # containers:
+ # - name: argocd-repo-server
+ # volumeMounts:
+ # - mountPath: /usr/local/bin/kustomize
+ # name: custom-tools
+ # subPath: kustomize
+ # - mountPath: /usr/local/bin/ksops
+ # name: custom-tools
+ # subPath: ksops
+ # - name: sops-age
+ # readOnly: true
+ # mountPath: "/.config/sops/age"
+
+ env:
+ - name: XDG_CONFIG_HOME
+ value: /.config
+ - name: SOPS_AGE_KEY_FILE
+ value: /.config/sops/age/keys.txt
+ ## If you use AWS or GCP KMS, don't forget to include the necessary credentials to decrypt the secrets!
+ # env:
+ # - name: AWS_ACCESS_KEY_ID
+ # valueFrom:
+ # secretKeyRef:
+ # name: argocd-aws-credentials
+ # key: accesskey
+ # - name: AWS_SECRET_ACCESS_KEY
+ # valueFrom:
+ # secretKeyRef:
+ # name: argocd-aws-credentials
+ # key: secretkey
diff --git a/bootstrap/argo-cd/kustomization.yaml b/bootstrap/argo-cd/kustomization.yaml
index 268d2d3..0146593 100644
--- a/bootstrap/argo-cd/kustomization.yaml
+++ b/bootstrap/argo-cd/kustomization.yaml
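Review bot: With `containers:` and its `volumeMounts` commented out, nothing in this patch mounts the `sops-age` secret or attaches the new `env` entries to the `argocd-repo-server` container, so `SOPS_AGE_KEY_FILE` points at a path that, as far as this hunk shows, does not exist in the pod. The indentation of `env:` is not recoverable on this page, but with no `containers` entry above it the key presumably lands on the pod spec or on the last `volumes` item, and neither accepts it. The `install-ksops` init container is disabled as well, while `kustomization.yaml` in the same commit already turns on exec plugins. Re-enable the container block with the env and the read-only key mount under it, as sketched below (this assumes the `sops-age` Secret carries a `keys.txt` key). When the init container comes back, pin `viaductoss/ksops` by digest rather than by the `v4.3.1` tag, because its binaries replace `kustomize` inside the repo-server.

```yaml
      # … unchanged: volumes (custom-tools, sops-age) …
      # … initContainers: the install-ksops block from this hunk, uncommented …
      containers:
        - name: argocd-repo-server
          env:
            - name: XDG_CONFIG_HOME
              value: /.config
            - name: SOPS_AGE_KEY_FILE
              value: /.config/sops/age/keys.txt
          volumeMounts:
            # … unchanged: kustomize and ksops subPath mounts, uncommented …
            - name: sops-age
              readOnly: true
              mountPath: /.config/sops/age
```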
@@ -7,6 +7,7 @@ configMapGenerator: behavior: merge literals: - url=https://argocd.int.nc.landry.land + - kustomize.buildOptions="--enable-alpha-plugins --enable-exec" - | repository.credentials=- passwordSecret: key: git_token @@ -20,3 +21,6 @@ resources: - github.com/argoproj-labs/argocd-autopilot/manifests/base?ref=v0.4.17 - ./argogrpc.service.yaml - ./ingress.yaml + +patches: + - path: argocd-repo-server-ksops-patch.yaml
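Review bot: `kustomize.buildOptions` in `argocd-cm` is a global setting, so the added `--enable-alpha-plugins --enable-exec` applies to every Application the repo-server renders, not only to the ones that use KSOPS. A kustomization in any repository Argo CD is allowed to sync can then have plugin executables run inside the repo-server, which after this commit is also the pod meant to hold the age private key. I would record that next to the literal, e.g. `# global: enables exec plugins for every kustomize app; keep AppProject sourceRepos limited to trusted repos`, and check that no project uses a wildcard `sourceRepos`. The `configMapGenerator` entry this literal belongs to starts above the hunk.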