[home-assistant] Improve git-sync script, add git-crypt support (#40)

* Improve git-sync script, add git-crypt support

* Remove old comment

charts/home-assistant/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 0.114.0
 description: Home Assistant
 name: home-assistant
-version: 2.0.0
+version: 2.1.0
 keywords:
 - home-assistant
 - hass

charts/home-assistant/README.md

@@ -222,7 +222,18 @@ Much of the home assistant configuration occurs inside the various files persist
 
 ## Git sync secret
 
-In order to sync the home assistant from a git repo, you have to store a ssh key as a kubernetes git secret
+In order to sync the home assistant from a git repo, you can optionally store an ssh key as a kubernetes git secret:
 ```shell
 kubectl create secret generic git-creds --from-file=id_rsa=git/k8s_id_rsa --from-file=known_hosts=git/known_hosts --from-file=id_rsa.pub=git/k8s_id_rsa.pub
 ```
+
+## git-crypt support
+
+When using Git sync it is possible to specify a file called `git-crypt-key` in the secret referred to in `git.secret`. When this file is present, `git-crypt unlock` will automatically be executed after the repo has been synced. 
+
+**Note:** `git-crypt` is not installed by default in the other images! If you wish to push changes from the VS Code or Configurator containers, you will have to make sure that it is installed.
+
+The value for this secret can be obtained by running the following command in an unlocked version of your Home Assistant settings repo. It will export the unlock key, base64 encode it and copy it to your clipboard.
+```shell
+git-crypt export-key ./tmp-key && cat ./tmp-key | base64 | pbcopy && rm ./tmp-key
+```

charts/home-assistant/templates/deployment.yaml

@@ -48,7 +48,28 @@ spec:
           - {{ . | quote }}
           {{- end }}
         {{- else }}
-        command: ['sh', '-c', '[ "$(ls {{ .Values.git.syncPath }})" ] || git clone {{ .Values.git.repo }} {{ .Values.git.syncPath }}']
+        command: ["/bin/sh", "-c"]
+        args:
+        - set -e;
+          if [ -d "{{ .Values.git.syncPath }}/.git" ];
+          then
+            git -C "{{ .Values.git.syncPath }}" pull || true;
+          else
+            if [ "$(ls -A {{ .Values.git.syncPath }})" ]; 
+            then
+              git clone --depth 2 "{{ .Values.git.repo }}" /tmp/repo;
+              cp -rf /tmp/repo/.git "{{ .Values.git.syncPath }}";
+              cd "{{ .Values.git.syncPath }}";
+              git checkout -f;
+            else
+              git clone --depth 2 "{{ .Values.git.repo }}" "{{ .Values.git.syncPath }}";
+            fi;
+          fi;
+          if [ -f "{{ .Values.git.keyPath }}/git-crypt-key" ];
+          then
+            cd {{ .Values.git.syncPath }};
+            git-crypt unlock "{{ .Values.git.keyPath }}/git-crypt-key";
+          fi;
         {{- end }}
         volumeMounts:
         - mountPath: /config
@@ -396,6 +417,7 @@ spec:
         secret:
           defaultMode: 256
           secretName: {{ .Values.git.secret }}
+          optional: true
       {{ end }}
       {{- if .Values.extraVolumes  }}{{ toYaml .Values.extraVolumes | trim | nindent 6 }}{{ end }}
     {{- with .Values.nodeSelector }}

charts/home-assistant/values.yaml

@@ -118,12 +118,9 @@ usePodSecurityContext: true
 git:
   enabled: false
 
-  ## we just use the hass-configurator container image
-  ## you can use any image which has git and openssh installed
-  ##
   image:
-    repository: causticlab/hass-configurator-docker
-    tag: 0.3.5-x86_64
+    repository: k8sathome/git-crypt
+    tag: 2020.09.07
     pullPolicy: IfNotPresent
 
   ## Specify the command that runs in the git-sync container to pull in configuration.
@@ -134,7 +131,7 @@ git:
     name: ""
     email: ""
 
-  # repo:
+  repo: ""
   secret: git-creds
   syncPath: /config
   keyPath: /root/.ssh