From 4549f47bb49913597ee6b265bd0b2ed7397745da Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 2 Feb 2024 09:42:35 +0100
Subject: [PATCH] cli: separate nix rule for cli release build
We would like to include a standard coordinator policy hash into cli releases, so that the coordinator can be deployed separately and is still verified by the cli.
We cannot embed a default coordinator policy into the existing build rule:
* To generate a policy hash, we need to build the coordinator, publish it as an OCI image and run genpolicy on it.
* To embed the hash in the binary, it needs to go into the build inputs.
* If it's in the build inputs, the output store location changes.
* If the output store location changes, the OCI layer (and thus the required policy) changes.
On the other hand, we would like to keep the multi-binary build rule for development, so we introduce a new build rule exclusively for cli releases, and only that rule consumes the coordinator policy hash as input.
---
 cli/assets/coordinator-policy-hash | 0
 cli/runtime.go | 2 +-
 packages/default.nix | 11 ++++++++++-
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 cli/assets/coordinator-policy-hash
diff --git a/cli/assets/coordinator-policy-hash b/cli/assets/coordinator-policy-hash
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/cli/runtime.go b/cli/runtime.go
index b0aabd088b..5c4782e8c0 100644
--- a/cli/runtime.go
+++ b/cli/runtime.go
@@ -3,4 +3,4 @@ package main
 // DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at release build time.
 //
 // It is intentionally left empty for dev builds.
-var DefaultCoordinatorPolicyHash = "" // TODO(burgerdev): actually inject something at build time.
+var DefaultCoordinatorPolicyHash = ""
diff --git a/packages/default.nix b/packages/default.nix
index 24fffd57af..57095ea5c0 100644
--- a/packages/default.nix
+++ b/packages/default.nix
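Review bot: The doc comment kept on `DefaultCoordinatorPolicyHash` still does not say what an empty value means to whatever compares the coordinator against it, and since `cli/assets/coordinator-policy-hash` is created empty in this very commit, the new release rule will also inject `""` until that file is populated, so "injected at release build time" is only true once a separate step fills it. An empty expected hash is the classic fail-open shape for a verifier: if the consumer (not in this hunk) compares against this variable directly, `""` must be rejected rather than treated as a match, and that contract belongs here where the value is defined. I would add `// An empty value means no coordinator policy is pinned; verification must reject it rather than match it.` and, if the consumer does not already behave that way, fix it rather than the comment.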
@@ -34,7 +34,7 @@ rec {
 let
 subPackages = [ "coordinator" "initializer" "cli" ];
 in
- buildGoModule {
+ lib.makeOverridable buildGoModule {
 inherit version subPackages;
 name = "nunki";
@@ -77,6 +77,15 @@ rec {
 };
 inherit (nunki) cli;
+ cli-release = nunki.override (previousAttrs: {
+ subPackages = ["cli"];
+ outputs = ["out"];
+
+ ldflags = previousAttrs.ldflags ++ ["-X main.DefaultCoordinatorPolicyHash=${builtins.readFile ../cli/assets/coordinator-policy-hash}"];
+
+ postInstall = ''mv "$out/bin/cli" "$out/bin/nunki"'';
+ });
+
 coordinator = dockerTools.buildImage {
 name = "coordinator";
 tag = "v${version}";
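Review bot: The `builtins.readFile ../cli/assets/coordinator-policy-hash` in the new `ldflags` line is unchecked: the asset is created empty in this commit, so `cli-release` currently yields a binary with `DefaultCoordinatorPolicyHash = ""` — the very dev build this rule exists to replace — and it will keep doing so silently whenever the file is empty. `builtins.readFile` also preserves a trailing newline, which a typical `echo … > coordinator-policy-hash` step will leave behind and which then lands inside the `-X` value; `lib.fileContents` strips it. I would read the hash once, make the release build fail on an empty value (and, if the file is the sha256 hex digest its name suggests, on anything that is not 64 hex characters), and only then build the flag. `previousAttrs.ldflags` and the overriding `postInstall` also assume the base derivation sets `ldflags` and has no `postInstall` of its own; neither is visible in this hunk, so please confirm against lines 34–77.
```nix
  cli-release =
    let
      # lib.fileContents drops the trailing newline that builtins.readFile would
      # otherwise splice into the -X value.
      coordinatorPolicyHash = lib.fileContents ../cli/assets/coordinator-policy-hash;
    in
    # Fail the release build instead of shipping a cli that pins nothing.
    assert lib.assertMsg (coordinatorPolicyHash != "")
      "cli/assets/coordinator-policy-hash is empty; a release cli must pin a coordinator policy";
    # Drop this check if the asset is not a sha256 hex digest.
    assert lib.assertMsg (builtins.match "[0-9a-f]{64}" coordinatorPolicyHash != null)
      "cli/assets/coordinator-policy-hash is not a sha256 hex digest";
    nunki.override (previousAttrs: {
      # … unchanged: subPackages, outputs …

      ldflags = previousAttrs.ldflags ++ [ "-X main.DefaultCoordinatorPolicyHash=${coordinatorPolicyHash}" ];

      # … unchanged: postInstall …
    });
```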