apiVersion: airshipit.org/v1alpha1
kind: Templater
metadata:
  name: secret-template
  annotations:
    config.kubernetes.io/function: |
      container:
        image: localhost/templater
        envs:
        - TOLERATE_DECRYPTION_FAILURES
        - DEBUG_SOPS_GPG
template: |
  {{- $tolerate := env "TOLERATE_DECRYPTION_FAILURES" }}
  {{- $debug := env "DEBUG_SOPS_GPG" }}
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: my-config2
    annotations:
      config.k8s.io/function: |
        container:
          image:  gcr.io/kpt-fn-contrib/sops:v0.3.0
          envs:
          - SOPS_IMPORT_PGP
          - SOPS_IMPORT_AGE
          - VAULT_ADDR
          - VAULT_TOKEN
          network: true
  data:
    ignore-mac: true
    cmd: decrypt
    {{- if eq $tolerate "true" }}
    cmd-tolerate-failures: true
    {{- end }}
    {{- if eq $debug "true"  }}
    override-preexec-cmd: '[ "$SOPS_IMPORT_PGP" == "" ] || (echo "$SOPS_IMPORT_PGP" | gpg --import >&2); [ "$SOPS_IMPORT_AGE" == "" ] || (echo "$SOPS_IMPORT_AGE" >> $XDG_CONFIG_HOME/sops/age/keys.txt);'
    {{- end }}
    cmd-extra-params-json-path-filter: '$[?(@.metadata.name=="decryption-key")]'