fixup! cli: optionally validate coordinator in set and verify

cli/set.go

@@ -42,8 +42,7 @@ func newSetCmd() *cobra.Command {
 	cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file")
 	cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
-	// TODO(burgerdev): default --policy should be derived from released artifacts.
-	cmd.Flags().String("policy", "", "expected policy hash of the coordinator (64 hex-encoded bytes, will not be checked if empty)")
+	cmd.Flags().String("coordinator-policy-hash", manifest.DefaultCoordinatorPolicyHash.String(), "expected policy hash of the coordinator, will not be checked if empty")
 
 	return cmd
 }
@@ -140,13 +139,13 @@ func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to get coordinator flag: %w", err)
 	}
-	policyString, err := cmd.Flags().GetString("policy")
+	policyString, err := cmd.Flags().GetString("coordinator-policy-hash")
 	if err != nil {
-		return nil, fmt.Errorf("failed to get policy flag: %w", err)
+		return nil, fmt.Errorf("failed to get coordinator-policy-hash flag: %w", err)
 	}
 	flags.policy, err = hex.DecodeString(policyString)
 	if err != nil {
-		return nil, fmt.Errorf("hex-decoding policy flag: %w", err)
+		return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err)
 	}
 
 	return flags, nil

cli/verify.go

@@ -41,9 +41,7 @@ func newVerifyCmd() *cobra.Command {
 	cmd.Flags().StringP("output", "o", verifyDir, "directory to write files to")
 	cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
-	// TODO(burgerdev): default --policy should be derived from released artifacts.
-	cmd.Flags().String("policy", "", "expected policy hash of the coordinator (64 hex-encoded bytes, will not be checked if empty)")
-
+	cmd.Flags().String("coordinator-policy-hash", manifest.DefaultCoordinatorPolicyHash.String(), "expected policy hash of the coordinator, will not be checked if empty")
 	return cmd
 }
 
@@ -122,13 +120,13 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
 	if err != nil {
 		return nil, err
 	}
-	policyString, err := cmd.Flags().GetString("policy")
+	policyString, err := cmd.Flags().GetString("coordinator-policy-hash")
 	if err != nil {
 		return nil, err
 	}
 	policy, err := hex.DecodeString(policyString)
 	if err != nil {
-		return nil, fmt.Errorf("hex-decoding policy flag: %w", err)
+		return nil, fmt.Errorf("hex-decoding coordinator-policy-hash flag: %w", err)
 	}
 
 	return &verifyFlags{

internal/manifest/constants.go

@@ -1,5 +1,9 @@
 package manifest
 
+// DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at build time.
+// TODO(burgerdev): actually inject something at build time
+const DefaultCoordinatorPolicyHash HexString = ""
+
 // Default returns a default manifest.
 func Default() Manifest {
 	return Manifest{

justfile

@@ -75,12 +75,12 @@ set:
     PID=$!
     trap "kill $PID" EXIT
     nix run .#wait-for-port-listen -- 1313
-    policy=$(nix run .#get-coordinator-policy -- ./{{ workspace_dir }}/manifest.json)
+    policy=$(nix run .#get-coordinator-policy-hash -- ./{{ workspace_dir }}/deployment/*.yml)
     t=$(date +%s)
     nix run .#cli -- set \
         -m ./{{ workspace_dir }}/manifest.json \
         -c localhost:1313 \
-        --policy "${policy}" \
+        --coordinator-policy-hash "${policy}" \
         ./{{ workspace_dir }}/deployment/*.yml
     duration=$(( $(date +%s) - $t ))
     echo "Set manifest in $duration seconds."

packages/default.nix

@@ -248,12 +248,15 @@ rec {
     '';
   };
 
-  get-coordinator-policy = writeShellApplication {
-    name = "get-coordinator-policy";
-    runtimeInputs = [ jq ];
+  get-coordinator-policy-hash = writeShellApplication {
+    name = "get-coordinator-policy-hash";
+    runtimeInputs = [ yq-go ];
     text = ''
-      set -u
-      jq -r <"$1" '.Policies | to_entries[] | select(.value[] | startswith("coordinator.")) | .key'
+      set -o pipefail
+      yq -e eval-all \
+        'select(.kind == "Deployment" and .metadata.name == "coordinator") |
+         .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' "$@" |
+        base64 -d | sha256sum | cut -d' ' -f1
     '';
   };
 }