diff --git a/charts/home-assistant/Chart.yaml b/charts/home-assistant/Chart.yaml
index e9cd4b3d..f20954c4 100644
--- a/charts/home-assistant/Chart.yaml
+++ b/charts/home-assistant/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 0.114.0
 description: Home Assistant
 name: home-assistant
-version: 2.0.0
+version: 2.1.0
 keywords:
 - home-assistant
 - hass
diff --git a/charts/home-assistant/README.md b/charts/home-assistant/README.md
index c9afef5e..ffaa5473 100644
--- a/charts/home-assistant/README.md
+++ b/charts/home-assistant/README.md
@@ -222,7 +222,18 @@ Much of the home assistant configuration occurs inside the various files persist
 ## Git sync secret
-In order to sync the home assistant from a git repo, you have to store a ssh key as a kubernetes git secret
+In order to sync the home assistant from a git repo, you can optionally store an ssh key as a kubernetes git secret:
 ```shell
 kubectl create secret generic git-creds --from-file=id_rsa=git/k8s_id_rsa --from-file=known_hosts=git/known_hosts --from-file=id_rsa.pub=git/k8s_id_rsa.pub
 ```
+
+## git-crypt support
+
+When using Git sync it is possible to specify a file called `git-crypt-key` in the secret referred to in `git.secret`. When this file is present, `git-crypt unlock` will automatically be executed after the repo has been synced.
+
+**Note:** `git-crypt` is not installed by default in the other images! If you wish to push changes from the VS Code or Configurator containers, you will have to make sure that it is installed.
+
+The value for this secret can be obtained by running the following command in an unlocked version of your Home Assistant settings repo. It will export the unlock key, base64 encode it and copy it to your clipboard.
+```shell
+git-crypt export-key ./tmp-key && cat ./tmp-key | base64 | pbcopy && rm ./tmp-key
+```
diff --git a/charts/home-assistant/templates/deployment.yaml b/charts/home-assistant/templates/deployment.yaml
index 02811ac1..0d539f52 100644
--- a/charts/home-assistant/templates/deployment.yaml
+++ b/charts/home-assistant/templates/deployment.yaml
@@ -48,7 +48,28 @@ spec:
 - {{ . | quote }}
 {{- end }}
 {{- else }}
- command: ['sh', '-c', '[ "$(ls {{ .Values.git.syncPath }})" ] || git clone {{ .Values.git.repo }} {{ .Values.git.syncPath }}']
+ command: ["/bin/sh", "-c"]
+ args:
+ - set -e;
+ if [ -d "{{ .Values.git.syncPath }}/.git" ];
+ then
+ git -C "{{ .Values.git.syncPath }}" pull || true;
+ else
+ if [ "$(ls -A {{ .Values.git.syncPath }})" ];
+ then
+ git clone --depth 2 "{{ .Values.git.repo }}" /tmp/repo;
+ cp -rf /tmp/repo/.git "{{ .Values.git.syncPath }}";
+ cd "{{ .Values.git.syncPath }}";
+ git checkout -f;
+ else
+ git clone --depth 2 "{{ .Values.git.repo }}" "{{ .Values.git.syncPath }}";
+ fi;
+ fi;
+ if [ -f "{{ .Values.git.keyPath }}/git-crypt-key" ];
+ then
+ cd {{ .Values.git.syncPath }};
+ git-crypt unlock "{{ .Values.git.keyPath }}/git-crypt-key";
+ fi;
 {{- end }}
 volumeMounts:
 - mountPath: /config
@@ -396,6 +417,7 @@ spec:
 secret:
 defaultMode: 256
 secretName: {{ .Values.git.secret }}
+ optional: true
 {{ end }}
 {{- if .Values.extraVolumes }}{{ toYaml .Values.extraVolumes | trim | nindent 6 }}{{ end }}
 {{- with .Values.nodeSelector }}
diff --git a/charts/home-assistant/values.yaml b/charts/home-assistant/values.yaml
index 47513e39..2a34313b 100644
--- a/charts/home-assistant/values.yaml
+++ b/charts/home-assistant/values.yaml
@@ -118,12 +118,9 @@ usePodSecurityContext: true
 git:
 enabled: false
- ## we just use the hass-configurator container image
- ## you can use any image which has git and openssh installed
- ##
 image:
- repository: causticlab/hass-configurator-docker
- tag: 0.3.5-x86_64
+ repository: k8sathome/git-crypt
+ tag: 2020.09.07
 pullPolicy: IfNotPresent
 ## Specify the command that runs in the git-sync container to pull in configuration.
@@ -134,7 +131,7 @@ git:
 name: ""
 email: ""
- # repo:
+ repo: ""
 secret: git-creds
 syncPath: /config
 keyPath: /root/.ssh
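Review bot: `.Values.git.syncPath` is interpolated without quotes in two places of the new script, `ls -A {{ .Values.git.syncPath }}` and the `cd {{ .Values.git.syncPath }};` before `git-crypt unlock`, while every other use is double-quoted. A path containing spaces or glob characters is word-split there, so I would write `if [ "$(ls -A "{{ .Values.git.syncPath }}")" ];` and `cd "{{ .Values.git.syncPath }}";`. All of these values are still pasted into `sh -c` text, so the shell interprets a `"` or `$(...)` in `git.repo`; a comment stating that they must be trusted chart input would help. Separately, `pull || true` hides a failed pull under `set -e`, so the pod starts on a stale checkout with no trace; `|| echo "git pull failed, keeping existing checkout" >&2` keeps the best-effort behaviour but leaves a log line. The container definition starts above the hunk.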
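Review bot: With `optional: true` a missing or misspelled `git.secret` no longer blocks the pod from starting, and as far as I can tell the volume is then mounted empty, so the SSH key, `known_hosts` and `git-crypt-key` are all silently absent. The failure then only surfaces inside the init container at clone time, and on the `pull || true` path it does not surface at all. A comment on this line would make the trade-off explicit, e.g. `# secret may be absent for public repos; a typo in git.secret is no longer caught at scheduling time`. The volume definition starts above the hunk.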
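Review bot: The git-sync image is now `k8sathome/git-crypt` at tag `2020.09.07` with `pullPolicy: IfNotPresent`, and going by the deployment change it is the container that reads the mounted SSH key and `git-crypt-key`. A tag can be re-pointed, so for an image that handles these secrets a digest pin would be safer, if the chart's image template supports one (not visible here). The hunk also drops the comment that said what a replacement image must contain; I would keep an updated one above `image:`, e.g. `## any image with git, openssh and git-crypt installed can be used`.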