Until now (w/ Flux1) we were using sops to decrypt secrets in our repository via a kustomize plugin which called sops directly. Our deployment was configured to use a service account that was bound to a GCP service account via workload identity, which had the permission to decrypt the files.
Now, w/ flux2 we cannot do that anymore because the same pod is used to process our “main” flux and the tenants, and we don’t want our tenants to be able to decrypt our secrets.
Do you think adding first-party support for KMS decryption would be feasible in flux2? sops already supports it, so it should be feasible.
The permission to decrypt the secrets (or not) would be handled directly by KMS: if the service account used for the Kustomization has the permission, it works; otherwise it does not.
This discussion was converted from issue #440 on November 21, 2020 09:42.
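As an added illustration (not part of the original post, and not Flux project code), this is what the setup the poster describes looks like in configuration: a sops creation rule that binds encrypted files under a tenant directory to a GCP KMS key, a Kubernetes ServiceAccount mapped to a GCP service account through workload identity, and a Flux Kustomization that asks for sops decryption. Every project, key ring, key, namespace and account name below is a placeholder; the `decryption` field on the Kustomization is the sops provider setting the kustomize-controller exposes, and whether its KMS credential can be scoped per Kustomization is exactly the question this discussion raises.

```yaml
# .sops.yaml (placeholder values) -- files matching the tenant path are
# encrypted with a data key wrapped by this KMS key, so only identities with
# roles/cloudkms.cryptoKeyDecrypter on it can recover the plaintext.
creation_rules:
  - path_regex: tenants/tenant-a/.*\.enc\.yaml$
    gcp_kms: projects/EXAMPLE_PROJECT/locations/global/keyRings/EXAMPLE_RING/cryptoKeys/tenant-a-key
---
# Kubernetes ServiceAccount bound to a GCP service account via workload identity
# (placeholder names). The GCP account is the one granted decrypt on the key.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tenant-a-deployer
  namespace: tenant-a
  annotations:
    iam.gke.io/gcp-service-account: tenant-a-deployer@EXAMPLE_PROJECT.iam.gserviceaccount.com
---
# Flux Kustomization for the tenant, with sops decryption requested.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: tenant-a
  namespace: tenant-a
spec:
  interval: 10m
  path: ./tenants/tenant-a
  prune: true
  serviceAccountName: tenant-a-deployer
  sourceRef:
    kind: GitRepository
    name: tenant-a-repo
  decryption:
    provider: sops
```

The isolation property here rests on which identity performs the KMS Decrypt call. If the decrypt credential is the one attached to the shared controller pod, every Kustomization that pod reconciles can decrypt every file that pod can reach, regardless of the `serviceAccountName` used for applying manifests; the tenant boundary only holds if the decrypt call is made with a credential tied to the individual Kustomization, which is what KMS-side IAM on the key then enforces.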