From 5a96e7c7a60fb5b3e34b0b216967cc3f64e9e064 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 2 Feb 2024 09:42:35 +0100
Subject: [PATCH] cli: separate nix rule for cli release build

We would like to include a standard coordinator policy hash into cli releases, so that the coordinator can be deployed separately and is still verified by the cli.
We cannot embed a default coordinator policy into the existing build rule:
* To generate a policy hash, we need to build the coordinator, publish it as an OCI image and run genpolicy on it.
* To embed the hash in the binary, it needs to go into the build inputs.
* If it's in the build inputs, the output store location changes.
* If the output store location changes, the OCI layer (and thus the required policy) changes.
On the other hand, we would like to keep the multi-binary build rule for development, so we introduce a new build rule exclusively for cli releases, and only that rule consumes the coordinator policy hash as input.
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 cli/assets/coordinator-policy-hash | 0
 cli/runtime.go | 2 +-
 packages/default.nix | 8 +++++++-
 3 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 cli/assets/coordinator-policy-hash
diff --git a/cli/assets/coordinator-policy-hash b/cli/assets/coordinator-policy-hash
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/cli/runtime.go b/cli/runtime.go
index b0aabd088b..5c4782e8c0 100644
--- a/cli/runtime.go
+++ b/cli/runtime.go
@@ -3,4 +3,4 @@ package main
 // DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at release build time.
 //
 // It is intentionally left empty for dev builds.
-var DefaultCoordinatorPolicyHash = "" // TODO(burgerdev): actually inject something at build time.
+var DefaultCoordinatorPolicyHash = ""
diff --git a/packages/default.nix b/packages/default.nix
index 24fffd57af..cd6de0692e 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -34,7 +34,7 @@ rec {
 let
 subPackages = [ "coordinator" "initializer" "cli" ];
 in
- buildGoModule {
+ lib.makeOverridable buildGoModule {
 inherit version subPackages;
 name = "nunki";
@@ -77,6 +77,12 @@ rec {
 };
 inherit (nunki) cli;
+ cli-release = (nunki.override (prevArgs: {
+ ldflags = prevArgs.ldflags ++ [
+ "-X main.DefaultCoordinatorPolicyHash=${builtins.readFile ../cli/assets/coordinator-policy-hash}"
+ ];
+ })).cli;
+
 coordinator = dockerTools.buildImage {
 name = "coordinator";
 tag = "v${version}";
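Review bot: The `builtins.readFile ../cli/assets/coordinator-policy-hash` interpolation on the third added line of the second hunk keeps a trailing newline, so once the asset file ends with `\n` (which is what most editors and a shell redirection will write) that newline becomes part of `DefaultCoordinatorPolicyHash` and the released cli's default can never equal the real policy hash; `lib.fileContents` reads the file with the trailing newline removed. Since the asset is created empty in this commit, a release build from this tree also ships the same empty default as a dev build with nothing flagging it, so I would read the file once into a `let` and fail evaluation when it is empty, or use `lib.warn` in place of the `assert` if an empty file is meant to be acceptable until the first coordinator release. The `coordinator` attribute continues past the hunk.
```nix
  cli-release =
    let
      policyHash = lib.fileContents ../cli/assets/coordinator-policy-hash;
    in
    assert policyHash != "";
    (nunki.override (prevArgs: {
      ldflags = prevArgs.ldflags ++ [
        "-X main.DefaultCoordinatorPolicyHash=${policyHash}"
      ];
    })).cli;
```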