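# argo-cd-repo-server-ksops-patch.yaml
#
# Patch for the argocd-repo-server Deployment: replaces the bundled kustomize
# with the KSOPS-enabled build and mounts an age private key so the
# repo-server can decrypt SOPS-encrypted secrets while rendering manifests.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      # 1. Define an emptyDir volume which will hold the custom binaries
      volumes:
        - name: custom-tools
          emptyDir: {}
        # Secret holding the age private key; SOPS_AGE_KEY_FILE below expects
        # it to contain a `keys.txt` entry. Everything this key can decrypt
        # becomes readable by the repo-server container, so use a key
        # dedicated to this Argo CD instance and limit who can read the Secret.
        - name: sops-age
          secret:
            secretName: sops-age
      # 2. Use an init container to download/copy custom binaries into the emptyDir
      initContainers:
        - name: install-ksops
          # These binaries end up on the repo-server's PATH. A tag can be
          # re-pointed at the registry; consider pinning by digest, e.g.
          #   viaductoss/ksops:v4.3.1@sha256:<digest-you-verified>
          image: viaductoss/ksops:v4.3.1
          command: ["/bin/sh", "-c"]
          args:
            # `set -e` makes the init container fail if either `mv` fails.
            # Without it the script ends on a successful `echo`, the pod
            # starts anyway, and the subPath mounts below point at files that
            # were never copied.
            - |
              set -e
              echo "Installing KSOPS..."
              mv ksops /custom-tools/
              mv kustomize /custom-tools/
              echo "Done."
          volumeMounts:
            - mountPath: /custom-tools
              name: custom-tools
      # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
      containers:
        - name: argocd-repo-server
          volumeMounts:
            - mountPath: /usr/local/bin/kustomize
              name: custom-tools
              subPath: kustomize
            - mountPath: /usr/local/bin/ksops
              name: custom-tools
              subPath: ksops
            # Key material is mounted read-only.
            - name: sops-age
              readOnly: true
              mountPath: "/.config/sops/age"
          env:
            - name: XDG_CONFIG_HOME
              value: /.config
            - name: SOPS_AGE_KEY_FILE
              value: /.config/sops/age/keys.txt
          ## If you use AWS or GCP KMS, don't forget to include the necessary credentials to decrypt the secrets!
          # Add these as further entries of the `env` list above. A second
          # `env:` key in the same mapping is a duplicate key, and most parsers
          # silently keep only the last one, which would drop XDG_CONFIG_HOME
          # and SOPS_AGE_KEY_FILE.
          #   - name: AWS_ACCESS_KEY_ID
          #     valueFrom:
          #       secretKeyRef:
          #         name: argocd-aws-credentials
          #         key: accesskey
          #   - name: AWS_SECRET_ACCESS_KEY
          #     valueFrom:
          #       secretKeyRef:
          #         name: argocd-aws-credentials
          #         key: secretkey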