just: credential getter as nix script

edgelesssys · Aug 7, 2024 · 5c446dd · 5c446dd
1 parent 8021608
commit 5c446dd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 10 deletions.
diff --git a/justfile b/justfile
@@ -225,16 +225,7 @@ get-credentials-ci:
         --admin
 
 get-credentials-from-gcloud path:
-    #!/usr/bin/env bash
-    set -euo pipefail
-    tmpConfig=$(mktemp)
-    gcloud secrets versions access {{ path }} --out-file="$tmpConfig"
-    mergedConfig=$(mktemp)
-    KUBECONFIG_BAK=${KUBECONFIG:-~/.kube/config}
-    KUBECONFIG=$tmpConfig:${KUBECONFIG_BAK} kubectl config view --flatten > $mergedConfig
-    export newContext=$(yq -r '.contexts.[0].name' $tmpConfig)
-    yq -i '.current-context = env(newContext)' $mergedConfig
-    mv $mergedConfig ${KUBECONFIG_BAK%%:*}
+    nix run .#scripts.get-credentials {{ path }}
 
 get-credentials-tdxbm: (get-credentials-from-gcloud "projects/796962942582/secrets/m50-ganondorf-kubeconf/versions/2")
 

diff --git a/packages/scripts.nix b/packages/scripts.nix
@@ -298,4 +298,22 @@
       )
     '';
   };
+
+  # Usage: get-credentials $gcloudSecretRef
+  get-credentials = writeShellApplication {
+    name = "extract-policies";
+    runtimeInputs = with pkgs; [ google-cloud-sdk ];
+    text = ''
+      set -euo pipefail
+      tmpConfig=$(mktemp)
+      gcloud secrets versions access "$1" --out-file="$tmpConfig"
+      mergedConfig=$(mktemp)
+      KUBECONFIG_BAK=''${KUBECONFIG:-~/.kube/config}
+      KUBECONFIG=$tmpConfig:''${KUBECONFIG_BAK} kubectl config view --flatten > "$mergedConfig"
+      newContext=$(yq -r '.contexts.[0].name' "$tmpConfig")
+      declare -x newContext
+      yq -i '.current-context = env(newContext)' "$mergedConfig"
+      mv "$mergedConfig" "''${KUBECONFIG_BAK%%:*}"
+    '';
+  };
 }