feat(genconfig): talsecret.yaml will be envsubst too

This will make people that doesn't use `sops` to be able to also make
use of `talsecret.yaml` so the generated `talosconfig` file will not
cause any problem when using patches

docs/docs/guides.md

@@ -79,6 +79,40 @@ Here's the simplified step by step to achieve this:
 2. In `doppler`, create a project named i.e "talhelper". In that project, create a config i.e "env" that stores key and value of the secret like `AESCBCENCYPTIONKEY: <secret>.`.
 3. Run `doppler` CLI command that sets environment variable before running the `talhelper` command i.e: `doppler run -p talhelper -c env talhelper genconfig`.
 
+Thanks to [@jtcressy](https://github.com/jtcressy) you can also make use of `talsecret.yaml` file (which is a better way than doing `inlinePatch`).
+Note that you can only put the cluster secrets known by Talos here (you can use `talhelper gensecret` command and modify it).
+Here's the simplified step by step to achieve this:
+
+1. In `talsecret.yaml` file, put all your secrets with `${}` placeholder like this:
+
+    ```yaml
+    cluster:
+      id: ${CLUSTERNAME}
+      secret: ${CLUSTERSECRET}
+    secrets:
+      bootstraptoken: ${BOOTSTRAPTOKEN}
+      secretboxencryptionsecret: ${AESCBCENCYPTIONKEY}
+    trustdinfo:
+      token: ${TRUSTDTOKEN}
+    certs:
+      etcd:
+        crt: ${ETCDCERT}
+        key: ${ETCDKEY}
+      k8s:
+        crt: ${K8SCERT}
+        key: ${K8SKEY}
+      k8saggregator:
+        crt: ${K8SAGGCERT}
+        key: ${K8SAGGKEY}
+      k8sserviceaccount:
+        key: ${K8SSAKEY}
+      os:
+        crt: ${OSCERT}
+        key: ${OSKEY}
+    ```
+2. In `doppler`, create a project named i.e "talhelper". In that project, create a config i.e "env" that stores key and value of the secret like `AESCBCENCYPTIONKEY: <secret>.`.
+3. Run `doppler` CLI command that sets environment variable before running the `talhelper` command i.e: `doppler run -p talhelper -c env talhelper genconfig`.
+
 ## Shell completion
 
 Depending on how you install `talhelper`, you might not need to do anything to get autocompletion for `talhelper` commands i.e if you install using the Nix Flakes or AUR.

pkg/decrypt/decrypt.go

@@ -14,7 +14,8 @@ type sopsFile struct {
 // DecryptYamlWithSops reads a `sops` encrypted `yaml` file path
 // and decrypt the content using `sops/v3/decrypt.Data`.
 // The unencrypted data will be returned bytes.
-// Error will be returned when file is not encrypted with `sops`.
+// Data will be returned as it is if file is not encrypted with
+// `sops`. Error will be returned when decryption fails.
 func DecryptYamlWithSops(filePath string) ([]byte, error) {
 	data, err := os.ReadFile(filePath)
 	if err != nil {

pkg/talos/input.go

@@ -3,15 +3,16 @@ package talos
 import (
 	"github.com/budimanjojo/talhelper/pkg/config"
 	"github.com/budimanjojo/talhelper/pkg/decrypt"
+	"github.com/budimanjojo/talhelper/pkg/substitute"
 	tconfig "github.com/siderolabs/talos/pkg/machinery/config"
-	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 	"gopkg.in/yaml.v3"
 )
 
 // NewClusterInput takes `Talhelper` config and path to encrypted `secretFile` and
-// returns Talos `generate.Input`. It also returns an error, if any. 
+// returns Talos `generate.Input`. It also returns an error, if any.
 func NewClusterInput(c *config.TalhelperConfig, secretFile string) (*generate.Input, error) {
 	kubernetesVersion := c.GetK8sVersion()
 
@@ -28,6 +29,11 @@ func NewClusterInput(c *config.TalhelperConfig, secretFile string) (*generate.In
 			return nil, err
 		}
 
+		decrypted, err = substitute.SubstituteEnvFromByte(decrypted)
+		if err != nil {
+			return nil, err
+		}
+
 		err = yaml.Unmarshal(decrypted, &sb)
 		if err != nil {
 			return nil, err