Additional documentation on kustomize patches with sops

Signed-off-by: Gergely Nagy <[email protected]>

Author: nagygergo

docs/spec/v1/kustomizations.md

@@ -1649,6 +1649,65 @@ secretGenerator:
       - .dockerconfigjson=ghcr.dockerconfigjson.encrypted
 ```
 
+### SOPS Encrypted Kustomize patches
+
+SOPS encrypted data can be stored as [Kustomize `patches`](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/) as long as they're in separate files, not inlined in `kustomization.yaml`. The kustomize-controller decrypts these before executing kustomization pipeline, allowing for adding secret data to resources or merging Secrets. For example:
+
+```yaml
+apiVersion: v1 #patch1.yaml
+kind: Secret
+metadata:
+  name: secret
+stringData:
+  secretConfig: "my-secret-configuration"
+```
+
+```yaml
+apiVersion: v1 #patch2.yaml
+kind: Secret
+metadata:
+  name: secret
+stringData:
+  secretToken: "my-secret-token"
+```
+
+```yaml
+apiVersion: v1 #base.yaml
+kind: Secret
+metadata:
+  name: secret
+stringData:
+  publicConifg: "my-public-config"
+```
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1 #kustomization.yaml
+kind: Kustomization
+resources:
+  - base.yaml
+patches:
+  - path: patch1.yaml
+  - path: patch2.yaml
+```
+
+```sh
+sops -e --input-type=yaml patch1.yaml 
+sops -e --input-type=yaml patch2.yaml
+```
+
+After kustomize-controller does the reconciliation of `kustomization.yaml`, the following secret will be generated in the cluster:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret
+stringData:
+  publicConifg: "my-public-config"
+  secretToken: "my-secret-token"
+  secretConfig: "my-secret-configuration"
+```
+
 ### Post build substitution of numbers and booleans
 
 When using [variable substitution](#post-build-variable-substitution) with values