cli: separate nix rule for cli release build
We would like to include a standard coordinator policy hash into cli
releases, so that the coordinator can be deployed separately and is
still verified by the cli.

We cannot embed a default coordinator policy into the existing build
rule:

* To generate a policy hash, we need to build the coordinator, publish
  it as an OCI image and run genpolicy on it.
* To embed the hash in the binary, it needs to go into the build inputs.
* If it's in the build inputs, the output store location changes.
* If the output store location changes, the OCI layer (and thus the
  required policy) changes.

On the other hand, we would like to keep the multi-binary build rule for
development, so we introduce a new build rule exclusively for cli
releases, and only that rule consumes the coordinator policy hash as
input.
burgerdev committed Feb 8, 2024
1 parent 100fbf8 commit f5f2142
Showing 3 changed files with 28 additions and 1 deletion.
Empty file.
2 changes: 1 addition & 1 deletion cli/runtime.go
Expand Up @@ -3,4 +3,4 @@ package main
// DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at release build time.
//
// It is intentionally left empty for dev builds.
var DefaultCoordinatorPolicyHash = "" // TODO(burgerdev): actually inject something at build time.
var DefaultCoordinatorPolicyHash = ""
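Review bot: the doc comment on DefaultCoordinatorPolicyHash should say how an empty value is treated on the verification path, since "intentionally left empty for dev builds" leaves it unclear whether an empty hash makes the cli skip the coordinator check or fail closed. Stating the expected format of the injected value (e.g. the hash encoding genpolicy emits) here would also let the release rule in packages/default.nix be checked against it; the removed TODO is otherwise fine to drop now that the ldflags injection exists.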
27 changes: 27 additions & 0 deletions packages/default.nix
Expand Up @@ -77,6 +77,33 @@ rec {
};
inherit (nunki) cli;

cli-release = buildGoModule {
inherit version;
name = "nunki";

src = goFiles;
proxyVendor = true;
vendorHash = "sha256-WDkEJC8Bv1gl85BewcaaVQEvzLEcCNhBTnWUl/ZjCPA=";

prePatch = ''
install -D ${lib.getExe genpolicy} cli/assets/genpolicy
install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/assets/genpolicy-settings.json
install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
'';

CGO_ENABLED = 0;
ldflags = [
"-s"
"-w"
"-X main.version=v${version}"
"-X main.DefaultCoordinatorPolicyHash=${builtins.readFile ../cli/assets/coordinator-policy-hash}"
];

postInstall = ''
mv "$out/bin/cli" "$out/bin/nunki"
'';
};

coordinator = dockerTools.buildImage {
name = "coordinator";
tag = "v${version}";
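Review bot: `builtins.readFile ../cli/assets/coordinator-policy-hash` returns the file verbatim, including any trailing newline, so the `-X main.DefaultCoordinatorPolicyHash=...` ldflag would embed that newline into the binary; use `lib.fileContents ../cli/assets/coordinator-policy-hash` (which strips the trailing newline) or fail the build when the contents do not match the expected hash format, otherwise a malformed or empty file (this commit adds it as an empty file, per the file list) silently ships a release that cannot verify the coordinator. Separately, `src`, `vendorHash` and `prePatch` are now duplicated between `cli` and `cli-release`; factoring the shared attributes into one set and deriving `cli-release` from it would keep the two from drifting on the next vendorHash bump.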
