add support for vals (#11)

docs/content/examples/secrets/_index.md

@@ -1,11 +1,5 @@
-Secrets management requires some extra care as we want to prevent values from
-ending up in the, world-readable, nix store.
+We support runtime secret (or config) value loading with [vals](https://github.com/variantdev/vals). A minimal example, using the file provider, might look like
 
-{{< hint "warning" >}}
-**WARNING**
+{{< source "default.nix" >}}
 
-The kubenix secrets story is incomplete. Do not trust it -- it has not been tested.
-{{< /hint >}}
-
-The easiest approach is to avoid writing to the store altogether with `nix eval` instead of `nix build`.
-This isn't a long-term device and we'll explore integrations with other tools soon(TM).
+The creation of `/path/to/secret` is out of scope but we recommend checking out one of [the many nix secrets management tools](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes).

docs/content/examples/secrets/default.nix

@@ -0,0 +1,9 @@
+{kubenix ? import ../../../..}:
+kubenix.evalModules.x86_64-linux {
+  module = {kubenix, ...}: {
+    imports = with kubenix; [k8s];
+    kubernetes.resources.secrets.example.stringData = {
+      password = "ref+file:///path/to/secret";
+    };
+  };
+}

flake.nix

@@ -141,8 +141,11 @@
             inherit (pkgs) kubernetes kubectl;
           }
           // {
-            cli = pkgs.callPackage ./pkgs/kubenix.nix {};
+            cli = pkgs.callPackage ./pkgs/kubenix.nix {
+              inherit (self.packages.${system}) vals;
+            };
             default = self.packages.${system}.cli;
+            vals = pkgs.callPackage ./pkgs/vals.nix {};
             docs = import ./docs {
               inherit pkgs;
               options =

pkgs/kubenix.nix

@@ -3,6 +3,7 @@
   kubectl,
   kubernetes-helm,
   nix,
+  vals,
   writeShellScriptBin,
 }:
 writeShellScriptBin "kubenix" ''
@@ -28,7 +29,7 @@ writeShellScriptBin "kubenix" ''
   function _helm() {
     ${nix}/bin/nix eval ".#kubenix.$SYSTEM.config.kubernetes.helm" --json | jq -c '.releases[] | del(.objects)' | while read -r release; do
       values=$(mktemp)
-      echo "$release" | jq -r '.values' > $values
+      echo "$release" | jq -r '.values' | ${vals}/bin/vals eval > $values
 
       ${kubernetes-helm}/bin/helm $@ \
         -n $(echo "$release" | jq -r '.namespace // "default"') \
@@ -52,7 +53,7 @@ writeShellScriptBin "kubenix" ''
       render)
         cat $MANIFESTS;;
       *)
-        ${kubectl}/bin/kubectl $@ -f $MANIFESTS || true;;
+        cat $MANIFESTS | ${vals}/bin/vals eval | ${kubectl}/bin/kubectl $@ -f - || true;;
     esac
   }
 

pkgs/vals.nix

@@ -0,0 +1,17 @@
+{
+  buildGoModule,
+  fetchFromGitHub,
+}:
+buildGoModule rec {
+  pname = "vals";
+  version = "0.18.0";
+  src = fetchFromGitHub {
+    owner = "variantdev";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-R0Au34zywb0nv5LOvLb+7wSfn563uzQgiH3mefMlX7A=";
+  };
+
+  vendorSha256 = "sha256-fsTUgtMFDPjNJVhBlyq/rWAhOEAOSRQx3l1K0nNK2J8=";
+  checkPhase = null;
+}