
Run SOPS decryption before krusty.run

Open apeschel opened this issue 1 year ago • 0 comments

At the moment, the SOPS decryption happens on a per resource level after the krusty library has done a kustomize run, as seen here:

https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_controller.go#L627-L640

This causes issues when a file encrypted with SOPS is merged with another file: the resulting merged file cannot be decrypted, and errors will occur. This means that any file encrypted with SOPS is heavily limited in how it can be used.

If the SOPS decryption happened before the kustomize run, then there wouldn't be any restrictions on how SOPS encrypted files could be used.


One possible solution would be to decrypt the files with SOPS, then pass the decrypted files to krusty for a build. It could roughly look like this at the high level:

  1. Make a temp dir and deep copy root/dirPath to the temp dir
  2. Decrypt all SOPS encrypted files
  3. Pass the temp dir to krusty.run.

This could either be done here, in the secureBuildKustomization function: https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_generator.go#L252

Or just before the call to secureBuildKustomization, here: https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_controller.go#L615


Some other potential options that come to mind:

  • Move the SOPS decryption logic upstream to the krusty library.
  • Override krusty.run with a new function that adds a SOPS decrypt for each file before the file is read.

apeschel avatar Aug 23 '22 18:08 apeschel
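The staging approach sketched in steps 1 to 3 above, as an added example (not code from the issue or from kustomize-controller): copy the source tree into a private temp dir, decrypt every file that carries SOPS metadata, and hand that dir to the build. The `decrypt` callback stands in for the controller's own SOPS decryptor (its signature here is an assumption), and SOPS detection relies on the top-level `sops` metadata block that SOPS writes into encrypted YAML and JSON files.

```go
package main

import (
	"bytes"
	"io/fs"
	"os"
	"path/filepath"
)

// isSOPSEncrypted reports whether a document carries SOPS's top-level metadata block
// ("sops:" in YAML, "\"sops\":" in JSON); only such files need decrypting before the build.
func isSOPSEncrypted(data []byte) bool {
	for _, line := range bytes.Split(data, []byte("\n")) {
		if bytes.HasPrefix(line, []byte("sops:")) || bytes.HasPrefix(line, []byte(`"sops":`)) {
			return true
		}
	}
	return false
}

// stageDecrypted deep-copies src into a fresh 0700 temp dir, running decrypt over every
// SOPS-encrypted file on the way (steps 1 and 2). The caller hands the dir to krusty
// (step 3) and must os.RemoveAll it afterwards, because it holds plaintext secrets.
func stageDecrypted(src string, decrypt func([]byte) ([]byte, error)) (string, error) {
	dst, err := os.MkdirTemp("", "kustomize-plain-") // created mode 0700
	if err != nil {
		return "", err
	}
	err = filepath.WalkDir(src, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, _ := filepath.Rel(src, p)
		if d.IsDir() {
			return os.MkdirAll(filepath.Join(dst, rel), 0o700)
		}
		data, err := os.ReadFile(p)
		if err == nil && isSOPSEncrypted(data) {
			data, err = decrypt(data) // assumed stand-in for the controller's SOPS decryptor
		}
		if err != nil {
			return err
		}
		return os.WriteFile(filepath.Join(dst, rel), data, 0o600)
	})
	if err != nil {
		os.RemoveAll(dst) // never leave a half-staged plaintext tree behind
		return "", err
	}
	return dst, nil
}
```

The source tree is never modified, so a decryption failure leaves the repository checkout exactly as it was and only the staging dir is discarded.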