Aded setup_ksops role

Author: nsilla

roles/acm/setup_ksops/README.md

@@ -0,0 +1,30 @@
+# setup_ksops
+
+Installs and sets up the KSOPS Kustomize plugin on the OpenShift GitOps Operator.
+
+## Variables
+
+| Variable         | Default | Required | Description
+| ---------------- | ------- | -------- | -----------
+| sk_age_key       |         | yes      | A literal age generated (age-keygen) key. If kept in a version control service, it's recommeneded to vault-encrypt it.
+
+## Example of age key
+
+```
+# created: 2025-04-16T11:28:48Z
+# public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
+AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+```
+
+## Usage examples
+
+```
+- name: Setup the KSOPS Kustomize plugin
+  ansible.builtin.include_role:
+    name: redhatci.ocp.acm.setup_ksops
+  vars:
+    sk_age_key: |
+      # created: 2025-04-16T11:28:48Z
+      # public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
+      AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+```

roles/acm/setup_ksops/tasks/main.yml

@@ -0,0 +1,58 @@
+- name: Verify SOPS age key is set
+  ansible.builtin.assert:
+    that:
+      - sk_age_key | length > 0
+
+- name: Load the SOPS age key into the cluster
+  kubernetes.core.k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      type: Opaque
+      metadata:
+        name: sops-age
+        namespace: openshift-gitops
+      data:
+        keys.txt: "{{ sk_age_key | b64encode }}"
+
+- name: Patch the OpenShift GitOps ArgoCD resource
+  kubernetes.core.k8s:
+    definition:
+      apiVersion: argoproj.io/v1beta1
+      kind: ArgoCD
+      metadata:
+        name: openshift-gitops
+        namespace: openshift-gitops
+      spec:
+        kustomizeBuildOptions: --enable-alpha-plugins --enable-exec
+        repo:
+          env:
+           - name: XDG_CONFIG_HOME
+             value: /.config
+           - name: SOPS_AGE_KEY_FILE
+             value: /.config/sops/age/keys.txt
+          volumes:
+           - name: custom-tools
+             emptyDir: {}
+           - name: sops-age
+             secret:
+               secretName: sops-age
+          initContainers:
+           - name: install-ksops
+             image: quay.io/viaductoss/ksops:v4.3.3
+             command: ["/bin/sh", "-c"]
+             args:
+             - 'echo "Installing KSOPS..."; cp ksops /custom-tools/; cp $GOPATH/bin/kustomize /custom-tools/; echo "Done.";'
+             volumeMounts:
+               - mountPath: /custom-tools
+                 name: custom-tools
+          volumeMounts:
+           - mountPath: /usr/local/bin/kustomize
+             name: custom-tools
+             subPath: kustomize
+           - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
+             name: custom-tools
+             subPath: ksops
+           - mountPath: /.config/sops/age/keys.txt
+             name: sops-age
+             subPath: keys.txt