From 58040322e3d88154aafbec66f36172c14d809cf5 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 9 Feb 2024 13:09:49 +0100
Subject: [PATCH] nix: add rule to render a coordinator deployment

In order to embed a coordinator policy hash on release, we first need to establish what the default coordinator policy should be. This commit adds a nix rule that generates the canonical coordinator k8s resources, which can then be used to obtain a policy hash for inclusion in the CLI. Since the generated resources are then guaranteed to be compatible with the released CLI, we can include the resource definitions in the release and encourage users to take the coordinator from there.

---
 packages/default.nix | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/packages/default.nix b/packages/default.nix
index 6c7f4d199..a31f0e914 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -269,4 +269,32 @@ rec {
 exit 1
 '';
 };
+
+ # write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy. # It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
+ write-coordinator-yaml = writeShellApplication {
+ name = "print-coordinator-policy";
+ runtimeInputs = [
+ yq-go
+ genpolicy
+ ];
+ text = ''
+ imageRef=$1:v${version}
+
+ tmpdir=$(mktemp -d)
+ trap 'rm -rf $tmpdir' EXIT
+
+ # TODO(burgerdev): consider a dedicated coordinator template instead of the simple one
+ yq < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml" \
+ "del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
+
+ pushd "$tmpdir" >/dev/null
+ # TODO(burgerdev): this should not be dev, but there are unknown env vars
+ cp ${genpolicy.settings-dev}/genpolicy-settings.json .
+ cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
+ genpolicy < "$tmpdir/coordinator.yml"
+ popd >/dev/null
+ '';
+ };
+
 }
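Review bot: `imageRef=$1:v${version}` takes the image repository from an unchecked positional argument and then splices it into the yq program text via `\"$imageRef\"`, so a value containing a double quote rewrites the expression instead of just the image field; handing it over through the environment keeps it data, e.g. `imageRef="$1:v${version}"` followed by `IMAGE_REF="$imageRef" yq 'del(.metadata.namespace) | (select(.kind == "Deployment") | .spec.template.spec.containers[0].image) = strenv(IMAGE_REF)' < deployments/simple/coordinator.yml > "$tmpdir/coordinator.yml"`. The cleanup trap should quote the path as well, `trap 'rm -rf "$tmpdir"' EXIT`, since mktemp honours TMPDIR and that may contain spaces. A short guard before the first line, `[[ $# -eq 1 ]] || { echo "usage: $0 <image-repo>" >&2; exit 1; }`, would turn the unbound-variable abort that writeShellApplication's nounset setting presumably produces into a readable message, and a comment saying that the relative `deployments/simple/coordinator.yml` path means the script has to be run from the repository root would save the next user a confusing failure. The attribute is called write-coordinator-yaml while the produced binary is print-coordinator-policy and the comment says it "prints"; aligning the three names would make the rule easier to find. The enclosing `rec { … }` attribute set begins outside the hunk.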