feat: use age instead of gpg for sops

[onedr0p]

Signed-off-by: Devin Buhl devin@buhl.casa

Description of the change

Use age instead of gpg

Benefits

Age is easier to configure and use, Flux also mentions in their documentation to use this over GPG when you are able to.

Possible drawbacks

Applicable issues

• fixes Investigate support for age as an alternative for gnupg #152

Additional information

To migrate from GPG to Age:

• Create age public / private key:

age-keygen -o age.agekey
mkdir -p ~/.config/sops/age
mv age.agekey ~/.config/sops/age/keys.txt
export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
source ~/.bashrc

• Decrypt all secrets (e.g. find ./cluster -type f -iname "*sops*" -exec sops --decrypt --in-place {} \;
• Update .sops.yaml with age public key and remove pgp keys.
• Encrypt all secrets with age (e.g. find ./cluster -type f -iname "*sops*" -exec sops --encrypt --in-place {} \;)
• Create sops-age secret for flux:

cat ~/.config/sops/age/keys.txt |
    kubectl -n flux-system create secret generic sops-age \
    --from-file=age.agekey=/dev/stdin

• Update sops-gpg secret to sops-age in the 3 files in the ./cluster/base directory
• Commit and push your changes
• Apply the flux-system kustomization (e.g. k apply -k cluster/base/flux-system/)

[mrueg]

In general looks good to me, I still need to execute in on a cluster.
One thing that might be worth for users to cover is:

• Migration from gnupg to age (or recommend a reinstall)

[onedr0p]

I added a rough migration guide to the PR