feat: add support for gitcrypt; add support for non-root path (#22)

- Add support for gitcrypt;
- Add support for non-root path
- Update docs

Author: user-cube

.gitleaksignore

@@ -0,0 +1,3 @@
+# Documentation examples — not real secrets
+docs/guides/secrets-management.md:private-key:64
+docs/guides/secrets-management.md:private-key:125

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: detect-private-key
-        exclude: "secrets\\..*\\.enc\\.yaml$"
+        exclude: "(secrets\\..*\\.enc\\.yaml$|docs/guides/secrets-management\\.md$)"
 
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.22.1

README.md

@@ -20,7 +20,7 @@ Online documentation available at [Cluster Boostrap Docs](https://user-cube.gith
 
 - `kubectl` configured with access to the target cluster
 - `helm` (for local template testing)
-- `sops` and `age` (for secrets encryption/decryption)
+- `sops` and `age` (for secrets encryption/decryption) **or** `git-crypt` (alternative encryption backend)
 - `go` 1.25+ (to build the CLI)
 - `task` ([Task runner](https://taskfile.dev/))
 - `pre-commit` ([pre-commit hooks](https://pre-commit.com/))
@@ -48,11 +48,28 @@ task build
 
 This will:
 
-1. Decrypt environment secrets using SOPS + age
+1. Decrypt environment secrets (SOPS + age by default, or git-crypt)
 2. Create the `argocd` namespace and SSH credentials secret
 3. Install ArgoCD via Helm
 4. Deploy the root **App of Apps** Application
 
+#### Using git-crypt instead of SOPS
+
+```bash
+./cli/cluster-bootstrap init --provider git-crypt
+./cli/cluster-bootstrap bootstrap dev --encryption git-crypt
+```
+
+#### Repo content in a subdirectory
+
+If your Kubernetes manifests live in a subdirectory (e.g. `k8s/`):
+
+```bash
+./cli/cluster-bootstrap --base-dir ./k8s bootstrap dev --app-path k8s/apps
+```
+
+`--base-dir` resolves local file paths (Chart.yaml, values, secrets). `--app-path` sets the `spec.source.path` in the ArgoCD Application CR.
+
 ### 4. Access ArgoCD UI
 
 ```bash
@@ -98,8 +115,16 @@ The `apps/` chart uses a **single dynamic template** that iterates over a `compo
 | Command | Description |
 |---------|-------------|
 | `bootstrap <env>` | Full cluster bootstrap (decrypt secrets, install ArgoCD, deploy App of Apps) |
-| `init` | Interactive setup for SOPS config and encrypted secrets files |
+| `init` | Interactive setup for encryption config and secrets files |
 | `vault-token` | Store Vault root token as Kubernetes secret |
+| `gitcrypt-key` | Store git-crypt symmetric key as Kubernetes secret |
+
+### Global Flags
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--base-dir` | `.` | Base directory for repo content (local file resolution) |
+| `-v, --verbose` | `false` | Enable verbose output |
 
 ## Development
 
@@ -124,7 +149,7 @@ task docs-serve   # Serve MkDocs documentation locally
 
 ### Secrets example
 
-`secrets.example.enc.yaml` contains the expected secrets structure. To create a new environment:
+**SOPS (default):** `secrets.example.enc.yaml` contains the expected secrets structure. To create a new environment:
 
 ```bash
 cp secrets.example.enc.yaml secrets.myenv.enc.yaml
@@ -133,6 +158,13 @@ sops --encrypt --in-place secrets.myenv.enc.yaml
 
 Or use the CLI interactively: `./cli/cluster-bootstrap init myenv`
 
+**git-crypt:** Secrets are stored as plaintext YAML (`secrets.<env>.yaml`) and encrypted transparently by git-crypt on commit:
+
+```bash
+git-crypt init
+./cli/cluster-bootstrap init --provider git-crypt myenv
+```
+
 To use a custom `.sops.yaml` path, set `SOPS_CONFIG` in your `.env`:
 
 ```bash

cli/cmd/bootstrap.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/spf13/cobra"
 
@@ -21,12 +22,15 @@ var (
 	kubeconfig        string
 	kubeContext       string
 	bootstrapAgeKey   string
+	encryption        string
+	gitcryptKeyFile   string
+	appPath           string
 )
 
 var bootstrapCmd = &cobra.Command{
 	Use:   "bootstrap <environment>",
 	Short: "Bootstrap a Kubernetes cluster with ArgoCD and secrets",
-	Long: `Decrypts the SOPS-encrypted secrets file, installs ArgoCD,
+	Long: `Decrypts the secrets file, installs ArgoCD,
 creates Kubernetes secrets, and applies the App of Apps root Application.
 
 Replaces the manual install.sh process.`,
@@ -35,12 +39,15 @@ Replaces the manual install.sh process.`,
 }
 
 func init() {
-	bootstrapCmd.Flags().StringVar(&secretsFile, "secrets-file", "", "path to SOPS-encrypted secrets file (default: secrets.<env>.enc.yaml)")
+	bootstrapCmd.Flags().StringVar(&secretsFile, "secrets-file", "", "path to secrets file (default: secrets.<env>.enc.yaml or secrets.<env>.yaml)")
 	bootstrapCmd.Flags().BoolVar(&dryRun, "dry-run", false, "print manifests without applying")
 	bootstrapCmd.Flags().BoolVar(&skipArgoCDInstall, "skip-argocd-install", false, "skip ArgoCD installation")
 	bootstrapCmd.Flags().StringVar(&kubeconfig, "kubeconfig", "", "path to kubeconfig file")
 	bootstrapCmd.Flags().StringVar(&kubeContext, "context", "", "kubeconfig context to use")
 	bootstrapCmd.Flags().StringVar(&bootstrapAgeKey, "age-key-file", "", "path to age private key file for SOPS decryption")
+	bootstrapCmd.Flags().StringVar(&encryption, "encryption", "sops", "encryption backend (sops|git-crypt)")
+	bootstrapCmd.Flags().StringVar(&gitcryptKeyFile, "gitcrypt-key-file", "", "path to git-crypt symmetric key file (creates K8s secret)")
+	bootstrapCmd.Flags().StringVar(&appPath, "app-path", "apps", "path inside the Git repo for the App of Apps source")
 
 	rootCmd.AddCommand(bootstrapCmd)
 }
@@ -50,16 +57,34 @@ func runBootstrap(cmd *cobra.Command, args []string) error {
 
 	fmt.Printf("==> Bootstrapping cluster for environment: %s\n", env)
 
-	// Step 2: Decrypt secrets
-	sf := secretsFile
-	if sf == "" {
-		sf = config.SecretsFileName(env)
-	}
-	fmt.Printf("==> Decrypting secrets from %s...\n", sf)
-	sopsOpts := &sops.Options{AgeKeyFile: bootstrapAgeKey}
-	envSecrets, err := config.LoadSecrets(sf, sopsOpts)
-	if err != nil {
-		return err
+	// Load secrets based on encryption backend
+	var envSecrets *config.EnvironmentSecrets
+	var err error
+
+	switch encryption {
+	case "git-crypt":
+		sf := secretsFile
+		if sf == "" {
+			sf = filepath.Join(baseDir, config.SecretsFileNamePlain(env))
+		}
+		fmt.Printf("==> Loading plaintext secrets from %s...\n", sf)
+		envSecrets, err = config.LoadSecretsPlaintext(sf)
+		if err != nil {
+			return err
+		}
+	case "sops":
+		sf := secretsFile
+		if sf == "" {
+			sf = filepath.Join(baseDir, config.SecretsFileName(env))
+		}
+		fmt.Printf("==> Decrypting secrets from %s...\n", sf)
+		sopsOpts := &sops.Options{AgeKeyFile: bootstrapAgeKey}
+		envSecrets, err = config.LoadSecrets(sf, sopsOpts)
+		if err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("unsupported encryption backend: %s (use sops or git-crypt)", encryption)
 	}
 
 	if verbose {
@@ -68,18 +93,18 @@ func runBootstrap(cmd *cobra.Command, args []string) error {
 	}
 
 	if dryRun {
-		return printDryRun(envSecrets, env)
+		return printDryRun(envSecrets, env, appPath)
 	}
 
-	// Step 3: Create k8s client
+	// Create k8s client
 	client, err := k8s.NewClient(kubeconfig, kubeContext)
 	if err != nil {
 		return fmt.Errorf("failed to create kubernetes client: %w", err)
 	}
 
 	ctx := context.Background()
 
-	// Step 4: Create Kubernetes secrets (before Helm install, as the chart may reference them)
+	// Create Kubernetes secrets (before Helm install, as the chart may reference them)
 	fmt.Println("==> Creating Kubernetes secrets...")
 	if err := client.EnsureNamespace(ctx, "argocd"); err != nil {
 		return err
@@ -88,21 +113,33 @@ func runBootstrap(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	// Step 5: Install ArgoCD via Helm
+	// If git-crypt key file provided, store it as a K8s secret
+	if gitcryptKeyFile != "" {
+		keyData, err := os.ReadFile(gitcryptKeyFile)
+		if err != nil {
+			return fmt.Errorf("failed to read git-crypt key file: %w", err)
+		}
+		fmt.Println("==> Creating git-crypt-key secret...")
+		if err := client.CreateGitCryptKeySecret(ctx, keyData); err != nil {
+			return err
+		}
+	}
+
+	// Install ArgoCD via Helm
 	if !skipArgoCDInstall {
 		fmt.Println("==> Installing ArgoCD via Helm...")
-		if err := helm.InstallArgoCD(ctx, kubeconfig, kubeContext, env, verbose); err != nil {
+		if err := helm.InstallArgoCD(ctx, kubeconfig, kubeContext, env, baseDir, verbose); err != nil {
 			return fmt.Errorf("failed to install ArgoCD: %w", err)
 		}
 	}
 
-	// Step 6: Apply App of Apps
+	// Apply App of Apps
 	fmt.Printf("==> Applying App of Apps for environment: %s\n", env)
-	if _, err := client.ApplyAppOfApps(ctx, envSecrets.Repo.URL, envSecrets.Repo.TargetRevision, env, false); err != nil {
+	if _, err := client.ApplyAppOfApps(ctx, envSecrets.Repo.URL, envSecrets.Repo.TargetRevision, env, appPath, false); err != nil {
 		return err
 	}
 
-	// Step 7: Print access instructions
+	// Print access instructions
 	fmt.Println("\n==> Done! ArgoCD is installed and the app-of-apps root Application has been created.")
 	fmt.Println("    Access the ArgoCD UI:")
 	fmt.Println("      kubectl port-forward svc/argocd-server -n argocd 8080:443")
@@ -112,7 +149,7 @@ func runBootstrap(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func printDryRun(envSecrets *config.EnvironmentSecrets, env string) error {
+func printDryRun(envSecrets *config.EnvironmentSecrets, env, appPath string) error {
 	fmt.Println("\n--- DRY RUN: Kubernetes Secrets ---")
 
 	// Repo SSH secret
@@ -155,7 +192,7 @@ func printDryRun(envSecrets *config.EnvironmentSecrets, env string) error {
 			"source": map[string]interface{}{
 				"repoURL":        envSecrets.Repo.URL,
 				"targetRevision": envSecrets.Repo.TargetRevision,
-				"path":           "apps",
+				"path":           appPath,
 				"helm": map[string]interface{}{
 					"valueFiles": []string{
 						fmt.Sprintf("values/%s.yaml", env),

cli/cmd/gitcrypt_key.go

@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/user-cube/cluster-bootstrap/cluster-bootstrap/internal/k8s"
+)
+
+var gitCryptKeyFile string
+
+var gitCryptKeyCmd = &cobra.Command{
+	Use:   "gitcrypt-key",
+	Short: "Store a git-crypt symmetric key as a Kubernetes secret",
+	Long: `Reads a git-crypt symmetric key file and stores it as the
+git-crypt-key secret in the argocd namespace. This allows ArgoCD
+to decrypt git-crypt encrypted repositories.`,
+	RunE: runGitCryptKey,
+}
+
+func init() {
+	gitCryptKeyCmd.Flags().StringVar(&gitCryptKeyFile, "key-file", "", "path to git-crypt symmetric key file (required)")
+	gitCryptKeyCmd.Flags().StringVar(&kubeconfig, "kubeconfig", "", "path to kubeconfig file")
+	gitCryptKeyCmd.Flags().StringVar(&kubeContext, "context", "", "kubeconfig context to use")
+	_ = gitCryptKeyCmd.MarkFlagRequired("key-file")
+
+	rootCmd.AddCommand(gitCryptKeyCmd)
+}
+
+func runGitCryptKey(cmd *cobra.Command, args []string) error {
+	keyData, err := os.ReadFile(gitCryptKeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read key file %s: %w", gitCryptKeyFile, err)
+	}
+
+	client, err := k8s.NewClient(kubeconfig, kubeContext)
+	if err != nil {
+		return fmt.Errorf("failed to create kubernetes client: %w", err)
+	}
+
+	ctx := context.Background()
+
+	fmt.Println("==> Creating git-crypt-key secret in argocd namespace...")
+	if err := client.CreateGitCryptKeySecret(ctx, keyData); err != nil {
+		return err
+	}
+
+	fmt.Println("Created secret argocd/git-crypt-key")
+	return nil
+}