add support for vals (#11)

This commit is contained in:
Bryton Hall 2022-09-15 21:49:08 -04:00 committed by GitHub
parent b015d6ac2a
commit 467dc14978
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 36 additions and 12 deletions


@ -1,11 +1,5 @@
Secrets management requires some extra care as we want to prevent values from We support runtime secret (or config) value loading with [vals](https://github.com/variantdev/vals). A minimal example, using the file provider, might look like
ending up in the, world-readable, nix store.
{{< hint "warning" >}} {{< source "default.nix" >}}
**WARNING**
The kubenix secrets story is incomplete. Do not trust it -- it has not been tested. The creation of `/path/to/secret` is out of scope but we recommend checking out one of [the many nix secrets management tools](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes).
{{< /hint >}}
The easiest approach is to avoid writing to the store altogether with `nix eval` instead of `nix build`.
This isn't a long-term device and we'll explore integrations with other tools soon(TM).


@ -0,0 +1,9 @@
{kubenix ? import ../../../..}:
kubenix.evalModules.x86_64-linux {
module = {kubenix, ...}: {
imports = with kubenix; [k8s];
kubernetes.resources.secrets.example.stringData = {
password = "ref+file:///path/to/secret";
};
};
}


@ -141,8 +141,11 @@
inherit (pkgs) kubernetes kubectl; inherit (pkgs) kubernetes kubectl;
} }
// { // {
cli = pkgs.callPackage ./pkgs/kubenix.nix {}; cli = pkgs.callPackage ./pkgs/kubenix.nix {
inherit (self.packages.${system}) vals;
};
default = self.packages.${system}.cli; default = self.packages.${system}.cli;
vals = pkgs.callPackage ./pkgs/vals.nix {};
docs = import ./docs { docs = import ./docs {
inherit pkgs; inherit pkgs;
options = options =


@ -3,6 +3,7 @@
kubectl, kubectl,
kubernetes-helm, kubernetes-helm,
nix, nix,
vals,
writeShellScriptBin, writeShellScriptBin,
}: }:
writeShellScriptBin "kubenix" '' writeShellScriptBin "kubenix" ''
@ -28,7 +29,7 @@ writeShellScriptBin "kubenix" ''
function _helm() { function _helm() {
${nix}/bin/nix eval ".#kubenix.$SYSTEM.config.kubernetes.helm" --json | jq -c '.releases[] | del(.objects)' | while read -r release; do ${nix}/bin/nix eval ".#kubenix.$SYSTEM.config.kubernetes.helm" --json | jq -c '.releases[] | del(.objects)' | while read -r release; do
values=$(mktemp) values=$(mktemp)
echo "$release" | jq -r '.values' > $values echo "$release" | jq -r '.values' | ${vals}/bin/vals eval > $values
${kubernetes-helm}/bin/helm $@ \ ${kubernetes-helm}/bin/helm $@ \
-n $(echo "$release" | jq -r '.namespace // "default"') \ -n $(echo "$release" | jq -r '.namespace // "default"') \
@ -52,7 +53,7 @@ writeShellScriptBin "kubenix" ''
render) render)
cat $MANIFESTS;; cat $MANIFESTS;;
*) *)
${kubectl}/bin/kubectl $@ -f $MANIFESTS || true;; cat $MANIFESTS | ${vals}/bin/vals eval | ${kubectl}/bin/kubectl $@ -f - || true;;
esac esac
} }
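Review bot: A failing `vals eval` in the new kubectl pipeline (`cat $MANIFESTS | vals eval | kubectl $@ -f - || true`) is silently swallowed: `|| true` covers the whole pipeline, and without `set -o pipefail` the pipeline's status is kubectl's anyway, so an unresolvable `ref+` (wrong path, missing provider credentials) feeds kubectl empty or partial input and the command still exits 0 — the previous `|| true` only masked kubectl itself. Resolve first and fail on error, e.g. `resolved=$(${vals}/bin/vals eval < $MANIFESTS) || exit 1` followed by `printf '%s\n' "$resolved" | ${kubectl}/bin/kubectl $@ -f - || true;;`. The same concern applies to the helm hunk, where `vals eval > $values` now writes resolved secrets into a `mktemp` file (owner-only by default) that nothing in the visible lines removes; `_helm` continues outside the hunk, so whether it is cleaned up there is not visible here.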

17
pkgs/vals.nix Normal file

@ -0,0 +1,17 @@
{
buildGoModule,
fetchFromGitHub,
}:
buildGoModule rec {
pname = "vals";
version = "0.18.0";
src = fetchFromGitHub {
owner = "variantdev";
repo = pname;
rev = "v${version}";
sha256 = "sha256-R0Au34zywb0nv5LOvLb+7wSfn563uzQgiH3mefMlX7A=";
};
vendorSha256 = "sha256-fsTUgtMFDPjNJVhBlyq/rWAhOEAOSRQx3l1K0nNK2J8=";
checkPhase = null;
}
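Review bot: `checkPhase = null;` is an unusual way to skip the upstream test suite; the conventional `buildGoModule` knob is `doCheck = false;`, and whether a null `checkPhase` actually skips the phase rather than falling back to stdenv's default is not obvious from this file. Because vals is the component that resolves every secret this tool deploys, the reason for not running its tests should be recorded next to the setting, e.g. `# upstream tests appear to need network/provider access; skipped — TODO confirm`. The `sha256`/`vendorSha256` pins keep the source and vendored modules content-addressed even though `rev` is a mutable tag, which is fine; a `meta` block with `description` and `license` would be expected for a package exposed from the flake.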