From 467dc14978b6ed1fd3eefa1d2cf45f727e009ba0 Mon Sep 17 00:00:00 2001
From: Bryton Hall
Date: Thu, 15 Sep 2022 21:49:08 -0400
Subject: [PATCH] add support for vals (#11)

---
 docs/content/examples/secrets/_index.md | 12 +++---------
 docs/content/examples/secrets/default.nix | 9 +++++++++
 flake.nix | 5 ++++-
 pkgs/kubenix.nix | 5 +++--
 pkgs/vals.nix | 17 +++++++++++++++++
 5 files changed, 36 insertions(+), 12 deletions(-)
 create mode 100644 docs/content/examples/secrets/default.nix
 create mode 100644 pkgs/vals.nix

diff --git a/docs/content/examples/secrets/_index.md b/docs/content/examples/secrets/_index.md
index 09890f2..ddc4ec6 100644
--- a/docs/content/examples/secrets/_index.md
+++ b/docs/content/examples/secrets/_index.md
@@ -1,11 +1,5 @@
-Secrets management requires some extra care as we want to prevent values from
-ending up in the, world-readable, nix store.
+We support runtime secret (or config) value loading with [vals](https://github.com/variantdev/vals). A minimal example, using the file provider, might look like
 
-{{< hint "warning" >}}
-**WARNING**
+{{< source "default.nix" >}}
 
-The kubenix secrets story is incomplete. Do not trust it -- it has not been tested.
-{{< /hint >}}
-
-The easiest approach is to avoid writing to the store altogether with `nix eval` instead of `nix build`.
-This isn't a long-term device and we'll explore integrations with other tools soon(TM).
+The creation of `/path/to/secret` is out of scope but we recommend checking out one of [the many nix secrets management tools](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes).
diff --git a/docs/content/examples/secrets/default.nix b/docs/content/examples/secrets/default.nix
new file mode 100644
index 0000000..68f39fc
--- /dev/null
+++ b/docs/content/examples/secrets/default.nix
@@ -0,0 +1,9 @@
+{kubenix ? import ../../../..}:
+kubenix.evalModules.x86_64-linux {
+ module = {kubenix, ...}: {
+ imports = with kubenix; [k8s];
+ kubernetes.resources.secrets.example.stringData = {
+ password = "ref+file:///path/to/secret";
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index a423da9..530d759 100644
--- a/flake.nix
+++ b/flake.nix
@@ -141,8 +141,11 @@
 inherit (pkgs) kubernetes kubectl;
 }
 // {
- cli = pkgs.callPackage ./pkgs/kubenix.nix {};
+ cli = pkgs.callPackage ./pkgs/kubenix.nix {
+ inherit (self.packages.${system}) vals;
+ };
 default = self.packages.${system}.cli;
+ vals = pkgs.callPackage ./pkgs/vals.nix {};
 docs = import ./docs {
 inherit pkgs;
 options =
diff --git a/pkgs/kubenix.nix b/pkgs/kubenix.nix
index 4dd491d..587f1ee 100644
--- a/pkgs/kubenix.nix
+++ b/pkgs/kubenix.nix
@@ -3,6 +3,7 @@
 kubectl,
 kubernetes-helm,
 nix,
+ vals,
 writeShellScriptBin,
 }:
 writeShellScriptBin "kubenix" ''
@@ -28,7 +29,7 @@ writeShellScriptBin "kubenix" ''
 function _helm() {
 ${nix}/bin/nix eval ".#kubenix.$SYSTEM.config.kubernetes.helm" --json | jq -c '.releases[] | del(.objects)' | while read -r release; do
 values=$(mktemp)
- echo "$release" | jq -r '.values' > $values
+ echo "$release" | jq -r '.values' | ${vals}/bin/vals eval > $values
 ${kubernetes-helm}/bin/helm $@ \
 -n $(echo "$release" | jq -r '.namespace // "default"') \
 
@@ -52,7 +53,7 @@
 render)
 cat $MANIFESTS;;
 *)
- ${kubectl}/bin/kubectl $@ -f $MANIFESTS || true;;
+ cat $MANIFESTS | ${vals}/bin/vals eval | ${kubectl}/bin/kubectl $@ -f - || true;;
 esac
 }
 
diff --git a/pkgs/vals.nix b/pkgs/vals.nix
new file mode 100644
index 0000000..506a9e8
--- /dev/null
+++ b/pkgs/vals.nix
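Review bot: The example never says when or by what the `ref+file:///path/to/secret` string on the `password` line is substituted, which is the whole point of the page it illustrates. A comment above that line such as `# resolved by vals when kubenix applies the manifest; the built manifest only carries this reference` would make the intended boundary explicit to readers copying the snippet, and it matches how the accompanying pkgs/kubenix.nix change pipes manifests through `vals eval` at apply time rather than at build time.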
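Review bot: The changed line in `_helm` now writes the output of `vals eval`, which may contain plaintext secret values, into the `mktemp` file `$values`, and nothing in the hunk removes that file after helm has consumed it; if the cleanup lives outside the hunk it should be confirmed, otherwise a `trap 'rm -f "$values"' EXIT` (or an `rm -f "$values"` after the helm call) keeps the resolved material from outliving the run. A failure of `vals eval` (an unreadable reference target, for instance) also leaves `$values` empty, and with no `set -e`/`pipefail` visible here helm proceeds with an empty values file; `echo "$release" | jq -r '.values' | ${vals}/bin/vals eval > "$values" || return 1` would stop the release instead. `_helm` continues past the end of the hunk.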
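Review bot: On the new `*)` branch the exit status of the three-stage pipeline is kubectl's alone unless `pipefail` is set, and the existing `|| true` masks even that, so a failed `vals eval` yields an empty or truncated stream, kubectl applies nothing or only part of it, and the command still exits 0. Consider `set -o pipefail` in the script preamble (outside this hunk) and not applying `|| true` to this branch, and the `cat` can go: `${vals}/bin/vals eval < $MANIFESTS | ${kubectl}/bin/kubectl $@ -f - || true;;`. Resolving at apply time keeps plaintext out of `$MANIFESTS`, but it also means the `render)` branch two lines above now emits unresolved `ref+` strings, which the docs should state so nobody pipes render output expecting substituted values.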
@@ -0,0 +1,17 @@
+{
+ buildGoModule,
+ fetchFromGitHub,
+}:
+buildGoModule rec {
+ pname = "vals";
+ version = "0.18.0";
+ src = fetchFromGitHub {
+ owner = "variantdev";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "sha256-R0Au34zywb0nv5LOvLb+7wSfn563uzQgiH3mefMlX7A=";
+ };
+
+ vendorSha256 = "sha256-fsTUgtMFDPjNJVhBlyq/rWAhOEAOSRQx3l1K0nNK2J8=";
+ checkPhase = null;
+}
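Review bot: `checkPhase = null;` near the end of the derivation is an unconventional way to skip the test suite; `buildGoModule` honours `doCheck = false;`, which states the intent directly instead of relying on how the builder treats a null phase. Whichever form is kept should carry a one-line comment giving the actual reason the upstream tests are not run, e.g. `# tests skipped: <reason>`, so the next bump does not silently inherit the exemption. The pinned `rev = "v${version}"` with fixed `sha256` and `vendorSha256` is the right shape for a tool that will see secret material.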