nix: add rule to render a coordinator deployment

In order to embed a coordinator policy hash on release, we first need to establish what the default coordinator policy should be. This commit adds a nix rule that generates the canonical coordinator k8s resources, which can then be used to obtain a policy hash for inclusion in the CLI. Since the generated resources are then guaranteed to be compatible with the released CLI, we can include the resource definitions in the release and encourage users to take the coordinator from there.
edgelesssys · Feb 12, 2024 · 5804032 · 5804032
1 parent 41999f6
commit 5804032
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/packages/default.nix b/packages/default.nix
@@ -269,4 +269,32 @@ rec {
       exit 1
     '';
   };
+
+  # write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy.
+  # It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
+  write-coordinator-yaml = writeShellApplication {
+    name = "print-coordinator-policy";
+    runtimeInputs = [
+      yq-go
+      genpolicy
+    ];
+    text = ''
+      imageRef=$1:v${version}
+
+      tmpdir=$(mktemp -d)
+      trap 'rm -rf $tmpdir' EXIT
+
+      # TODO(burgerdev): consider a dedicated coordinator template instead of the simple one
+      yq < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml" \
+        "del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
+
+      pushd "$tmpdir" >/dev/null
+      # TODO(burgerdev): this should not be dev, but there are unknown env vars
+      cp ${genpolicy.settings-dev}/genpolicy-settings.json .
+      cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
+      genpolicy < "$tmpdir/coordinator.yml"
+      popd >/dev/null
+    '';
+  };
+
 }