From d19bcb61e7aaf52a9bfa1cfd47ab26abb62cd4bc Mon Sep 17 00:00:00 2001 From: Mohamed Shafiq Date: Mon, 8 Dec 2025 14:55:25 +0100 Subject: [PATCH 1/4] added temp gpg key script --- bin/setup-local-gpg | 26 ++++++++++++++++++++++++++ tests/bats.lib.bash | 16 ++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100755 bin/setup-local-gpg diff --git a/bin/setup-local-gpg b/bin/setup-local-gpg new file mode 100755 index 0000000000..e27f3f918b --- /dev/null +++ b/bin/setup-local-gpg @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -euo pipefail + +GNUPGHOME="$(mktemp -d)" +export GNUPGHOME + +cat >"$GNUPGHOME/gpg-batch" </dev/null 2>&1 + +# SOPS needs this fingerprint to know which key to use +FINGERPRINT=$(gpg --list-secret-keys --keyid-format LONG | grep sec | awk '{print $2}' | cut -d'/' -f2) + +echo "export GNUPGHOME='$GNUPGHOME'" +echo "export CK8S_PGP_FP='$FINGERPRINT'" +echo "export SOPS_PGP_FP='$FINGERPRINT'" diff --git a/tests/bats.lib.bash b/tests/bats.lib.bash index 1f9ce833fb..1b5a235d76 100644 --- a/tests/bats.lib.bash +++ b/tests/bats.lib.bash @@ -162,6 +162,22 @@ with_kubeconfig() { export DETIK_CLIENT_NAME="kubectl" } +# sets up a temporary GPG home and key for local testing +# usage: with_temporary_gpg +with_temporary_gpg() { + if ! command -v setup-local-gpg &>/dev/null; then + log.fatal "setup-local-gpg script not found in path" + fi + + eval "$(setup-local-gpg)" + + if [[ -z "${CK8S_PGP_FP:-}" ]]; then + fail "Failed to generate temporary GPG key" + fi + + log.trace "Temporary GPG initialized. Fingerprint: $CK8S_PGP_FP" +} + # sets the kubeconfig to use # usage: with_static_wc_kubeconfig with_static_wc_kubeconfig() { From 733e75449a8f11a04034cba16ff38280fde081ed Mon Sep 17 00:00:00 2001 From: Mohamed Shafiq Date: Wed, 10 Dec 2025 11:18:05 +0100 Subject: [PATCH 2/4] added to localcluster script --- bin/setup-local-gpg | 1 - scripts/local-cluster.sh | 31 +++++++++++++++++++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) 
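Review bot: `FINGERPRINT` in bin/setup-local-gpg ends up holding the 16-hex long key ID, not the key's fingerprint, because the added pipeline scrapes the human-readable `sec` line printed with `--keyid-format LONG`. `grep sec` also matches any other line containing those letters, which can include the keyring path header (the mktemp directory name) or a uid, so the value can come out empty or multi-line. gpg's machine-readable listing avoids both problems: `FINGERPRINT=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')`. Because the `echo "export …"` lines are meant to be eval'd by the caller, `printf 'export GNUPGHOME=%q\n' "$GNUPGHOME"` would also keep a quote character in `TMPDIR` from terminating the single-quoted value.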
diff --git a/bin/setup-local-gpg b/bin/setup-local-gpg index e27f3f918b..d0e1596135 100755 --- a/bin/setup-local-gpg +++ b/bin/setup-local-gpg @@ -23,4 +23,3 @@ FINGERPRINT=$(gpg --list-secret-keys --keyid-format LONG | grep sec | awk '{prin echo "export GNUPGHOME='$GNUPGHOME'" echo "export CK8S_PGP_FP='$FINGERPRINT'" -echo "export SOPS_PGP_FP='$FINGERPRINT'" diff --git a/scripts/local-cluster.sh b/scripts/local-cluster.sh index 78704a7443..1437950a85 100755 --- a/scripts/local-cluster.sh +++ b/scripts/local-cluster.sh @@ -296,16 +296,31 @@ config() { export flavor export ops_prefix + local config_path_was_unset=false + local pgp_key_was_unset=false + if [[ -z "${name}" ]] || [[ -z "${flavor}" ]] || [[ -z "${domain}" ]]; then log.usage fi if [[ -z "${CK8S_CONFIG_PATH:-}" ]]; then - log.fatal "CK8S_CONFIG_PATH is unset" + config_path_was_unset=true + export CK8S_CONFIG_PATH="${HOME}/welkin-quick-start" + mkdir -p "${CK8S_CONFIG_PATH}" + log.info "CK8S_CONFIG_PATH is unset. Using default: ${CK8S_CONFIG_PATH}" fi if [[ -z "${CK8S_PGP_FP:-}" ]]; then - log.fatal "CK8S_PGP_FP is unset" + pgp_key_was_unset=true + if [[ -x "${ROOT}/bin/setup-local-gpg" ]]; then + eval "$("${ROOT}/bin/setup-local-gpg")" + log.info "CK8S_PGP_FP is unset. Using temp gpgkey: ${CK8S_PGP_FP}" + log.info "Using temp GNUPGHOME: ${GNUPGHOME}" + fi + + if [[ -z "${CK8S_PGP_FP:-}" ]]; then + log.fatal "CK8S_PGP_FP is unset and automatic generation failed." + fi fi if ! [[ -d "${CK8S_CONFIG_PATH}" ]]; then 
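Review bot: In the `CK8S_PGP_FP` branch of config(), the two `log.info` lines expand `${CK8S_PGP_FP}` and `${GNUPGHOME}` before anything has checked that `setup-local-gpg` succeeded. `eval "$(…)"` does not propagate the script's exit status, so a failed run evaluates empty or partial output, and if this file runs under `set -u` (not visible in the hunk) the script would stop on an unbound variable instead of reaching the `log.fatal` below. Capturing first keeps the failure explicit and only evaluates the output of a successful run: `gpg_env="$("${ROOT}/bin/setup-local-gpg")" || log.fatal "temporary GPG key generation failed"` followed by `eval "${gpg_env}"`. config() begins and continues outside the hunk.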
@@ -353,6 +368,18 @@ config() { fi "${ROOT}/bin/ck8s" init both + + if [[ "${config_path_was_unset}" == "true" ]] || [[ "${pgp_key_was_unset}" == "true" ]]; then + log.info "Run these commands to configure your current shell session before creating cluster" + if [[ "${config_path_was_unset}" == "true" ]]; then + log.info "export CK8S_CONFIG_PATH='${CK8S_CONFIG_PATH}'" + fi + + if [[ "${pgp_key_was_unset}" == "true" ]]; then + log.info "export CK8S_PGP_FP='${CK8S_PGP_FP}'" + log.info "export GNUPGHOME='${GNUPGHOME}'" + fi + fi } create() { From 741a1a8386533bd77b2c93eb1e67a7fd9d9f90f6 Mon Sep 17 00:00:00 2001 From: Mohamed Shafiq Date: Wed, 10 Dec 2025 12:55:57 +0100 Subject: [PATCH 3/4] changed home dir --- scripts/local-cluster.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/local-cluster.sh b/scripts/local-cluster.sh index 1437950a85..2a546c1166 100755 --- a/scripts/local-cluster.sh +++ b/scripts/local-cluster.sh @@ -305,7 +305,7 @@ config() { if [[ -z "${CK8S_CONFIG_PATH:-}" ]]; then config_path_was_unset=true - export CK8S_CONFIG_PATH="${HOME}/welkin-quick-start" + export CK8S_CONFIG_PATH="${HOME}/.ck8s/welkin-quick-start" mkdir -p "${CK8S_CONFIG_PATH}" log.info "CK8S_CONFIG_PATH is unset. Using default: ${CK8S_CONFIG_PATH}" fi From 52238bb54b35eef29615c8e32d18ddfc65c05547 Mon Sep 17 00:00:00 2001 From: Mohamed Shafiq Date: Mon, 15 Dec 2025 19:16:05 +0100 Subject: [PATCH 4/4] fixed comments --- scripts/local-cluster.sh | 3 ++- tests/bats.lib.bash | 16 ---------------- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/scripts/local-cluster.sh b/scripts/local-cluster.sh index 2a546c1166..d4dda885eb 100755 --- a/scripts/local-cluster.sh +++ b/scripts/local-cluster.sh 
@@ -314,8 +314,9 @@ config() { pgp_key_was_unset=true if [[ -x "${ROOT}/bin/setup-local-gpg" ]]; then eval "$("${ROOT}/bin/setup-local-gpg")" - log.info "CK8S_PGP_FP is unset. Using temp gpgkey: ${CK8S_PGP_FP}" + log.info "CK8S_PGP_FP is unset. Using temporary GPP key: ${CK8S_PGP_FP}" log.info "Using temp GNUPGHOME: ${GNUPGHOME}" + log.warn "Once this is cleared you will loose the ability to decrypt the secrets for this config path." fi if [[ -z "${CK8S_PGP_FP:-}" ]]; then diff --git a/tests/bats.lib.bash b/tests/bats.lib.bash index 1b5a235d76..1f9ce833fb 100644 --- a/tests/bats.lib.bash +++ b/tests/bats.lib.bash @@ -162,22 +162,6 @@ with_kubeconfig() { export DETIK_CLIENT_NAME="kubectl" } -# sets up a temporary GPG home and key for local testing -# usage: with_temporary_gpg -with_temporary_gpg() { - if ! command -v setup-local-gpg &>/dev/null; then - log.fatal "setup-local-gpg script not found in path" - fi - - eval "$(setup-local-gpg)" - - if [[ -z "${CK8S_PGP_FP:-}" ]]; then - fail "Failed to generate temporary GPG key" - fi - - log.trace "Temporary GPG initialized. Fingerprint: $CK8S_PGP_FP" -} - # sets the kubeconfig to use # usage: with_static_wc_kubeconfig with_static_wc_kubeconfig() {
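Review bot: The two changed messages in the first hunk carry typos that end up in user-facing output: `GPP` should be `GPG` and `loose` should be `lose`. The warning also says "Once this is cleared" without naming what "this" is; since the private key exists only in the temporary `GNUPGHOME`, naming it makes the risk actionable, e.g. `log.warn "The key exists only in ${GNUPGHOME}; once that directory is removed you will lose the ability to decrypt the secrets for this config path."`. The enclosing config() function starts and ends outside the hunk.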