cli: write coordinator policy hash to file, workspace-dir flag, nicer output

.gitignore

@@ -5,9 +5,6 @@ edgcoco
 result*
 layers_cache
 layers-cache.json
-mesh-root.pem
-coordinator-root.pem
-workload-owner.pem
 justfile.env
 workspace
 workspace.cache

cli/cmd/common.go

@@ -7,6 +7,7 @@ import (
 )
 
 const (
+	coordHashFilename      = "coordinator-policy.sha256"
 	coordRootPEMFilename   = "coordinator-root.pem"
 	coordIntermPEMFilename = "mesh-root.pem"
 	workloadOwnerPEM       = "workload-owner.pem"

cli/cmd/generate.go

@@ -84,6 +84,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 	if err := generatePolicies(cmd.Context(), flags.policyPath, flags.settingsPath, paths, log); err != nil {
 		return fmt.Errorf("failed to generate policies: %w", err)
 	}
+	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Generated workload policy annotations")
 
 	policies, err := policiesFromKubeResources(paths)
 	if err != nil {
@@ -132,10 +133,13 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to write manifest: %w", err)
 	}
 
-	log.Info("Updated manifest", "path", flags.manifestPath)
+	fmt.Fprintf(cmd.OutOrStdout(), "✔️ Updated manifest %s\n", flags.manifestPath)
 
 	if hash := getCoordinatorPolicyHash(policies, log); hash != "" {
-		fmt.Fprintln(cmd.OutOrStdout(), hash)
+		coordHashPath := filepath.Join(flags.workspaceDir, coordHashFilename)
+		if err := os.WriteFile(coordHashPath, []byte(hash), 0o644); err != nil {
+			return fmt.Errorf("failed to write coordinator policy hash: %w", err)
+		}
 	}
 
 	return nil
@@ -321,6 +325,7 @@ type generateFlags struct {
 	manifestPath      string
 	workloadOwnerKeys []string
 	disableUpdates    bool
+	workspaceDir      string
 }
 
 func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
@@ -344,13 +349,33 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 	if err != nil {
 		return nil, err
 	}
+	workspaceDir, err := cmd.Flags().GetString("workspace-dir")
+	if err != nil {
+		return nil, err
+	}
+	if workspaceDir != "" {
+		// Prepend default paths with workspaceDir
+		if !cmd.Flags().Changed("settings") {
+			settingsPath = filepath.Join(workspaceDir, settingsFilename)
+		}
+		if !cmd.Flags().Changed("policy") {
+			policyPath = filepath.Join(workspaceDir, rulesFilename)
+		}
+		if !cmd.Flags().Changed("manifest") {
+			manifestPath = filepath.Join(workspaceDir, manifestFilename)
+		}
+		if !cmd.Flags().Changed("workload-owner-key") {
+			workloadOwnerKeys = []string{filepath.Join(workspaceDir, workloadOwnerKeys[0])}
+		}
+	}
 
 	return &generateFlags{
 		policyPath:        policyPath,
 		settingsPath:      settingsPath,
 		manifestPath:      manifestPath,
 		workloadOwnerKeys: workloadOwnerKeys,
 		disableUpdates:    disableUpdates,
+		workspaceDir:      workspaceDir,
 	}, nil
 }
 

cli/cmd/set.go

@@ -13,6 +13,7 @@ import (
 	"log/slog"
 	"net"
 	"os"
+	"path"
 	"slices"
 	"time"
 
@@ -132,14 +133,14 @@ func runSet(cmd *cobra.Command, args []string) error {
 				fmt.Fprintln(cmd.OutOrStdout(), msg)
 			}
 		}
-		return fmt.Errorf("failed to set manifest: %w", err)
+		return fmt.Errorf("setting manifest: %w", err)
 	}
 
-	fmt.Fprintln(cmd.OutOrStdout(), "Manifest set successfully")
+	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Manifest set successfully")
 
 	filelist := map[string][]byte{
-		coordRootPEMFilename:   resp.CACert,
-		coordIntermPEMFilename: resp.IntermCert,
+		path.Join(flags.workspaceDir, coordRootPEMFilename):   resp.CACert,
+		path.Join(flags.workspaceDir, coordIntermPEMFilename): resp.IntermCert,
 	}
 	if err := writeFilelist(".", filelist); err != nil {
 		return fmt.Errorf("writing filelist: %w", err)
@@ -153,6 +154,7 @@ type setFlags struct {
 	coordinator          string
 	policy               []byte
 	workloadOwnerKeyPath string
+	workspaceDir         string
 }
 
 func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
@@ -179,6 +181,20 @@ func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
 	if err != nil {
 		return nil, fmt.Errorf("getting workload-owner-key flag: %w", err)
 	}
+	flags.workspaceDir, err = cmd.Flags().GetString("workspace-dir")
+	if err != nil {
+		return nil, fmt.Errorf("getting workspace-dir flag: %w", err)
+	}
+
+	if flags.workspaceDir != "" {
+		// Prepend default paths with workspaceDir
+		if !cmd.Flags().Changed("manifest") {
+			flags.manifestPath = path.Join(flags.workspaceDir, flags.manifestPath)
+		}
+		if !cmd.Flags().Changed("workload-owner-key") {
+			flags.workloadOwnerKeyPath = path.Join(flags.workspaceDir, flags.workloadOwnerKeyPath)
+		}
+	}
 
 	return flags, nil
 }

cli/cmd/verify.go

@@ -39,7 +39,8 @@ func NewVerifyCmd() *cobra.Command {
 		RunE: runVerify,
 	}
 
-	cmd.Flags().StringP("output", "o", verifyDir, "directory to write files to")
+	// Override persistent workspace-dir flag with a default value.
+	cmd.Flags().String("workspace-dir", verifyDir, "directory to write files to, if not set explicitly to another location")
 	cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
 	cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "expected policy hash of the coordinator, will not be checked if empty")
@@ -98,27 +99,27 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 		pHash := manifest.NewHexString(sha256sum[:])
 		filelist[fmt.Sprintf("policy.%s.rego", pHash)] = p
 	}
-	if err := writeFilelist(flags.outputDir, filelist); err != nil {
+	if err := writeFilelist(flags.workspaceDir, filelist); err != nil {
 		return fmt.Errorf("writing filelist: %w", err)
 	}
 
-	fmt.Fprintln(cmd.OutOrStdout(), "Successfully verified coordinator")
+	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Successfully verified coordinator")
 
 	return nil
 }
 
 type verifyFlags struct {
-	coordinator string
-	outputDir   string
-	policy      []byte
+	coordinator  string
+	workspaceDir string
+	policy       []byte
 }
 
 func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
 	coordinator, err := cmd.Flags().GetString("coordinator")
 	if err != nil {
 		return nil, err
 	}
-	outputDir, err := cmd.Flags().GetString("output")
+	workspaceDir, err := cmd.Flags().GetString("workspace-dir")
 	if err != nil {
 		return nil, err
 	}
@@ -132,9 +133,9 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
 	}
 
 	return &verifyFlags{
-		coordinator: coordinator,
-		outputDir:   outputDir,
-		policy:      policy,
+		coordinator:  coordinator,
+		workspaceDir: workspaceDir,
+		policy:       policy,
 	}, nil
 }
 

cli/main.go

@@ -34,6 +34,7 @@ func newRootCmd() *cobra.Command {
 	root.SetOut(os.Stdout)
 
 	root.PersistentFlags().String("log-level", "warn", "set logging level (debug, info, warn, error, or a number)")
+	root.PersistentFlags().String("workspace-dir", "", "directory to write files to, if not set explicitly to another location")
 
 	root.InitDefaultVersionFlag()
 	root.AddCommand(

e2e/openssl/openssl_test.go

@@ -71,12 +71,12 @@ func TestFrontend(t *testing.T) {
 		require.NoError(err)
 		defer cancelPortForward()
 
-		output, err := os.MkdirTemp("", "nunki-verify.*")
+		workspaceDir, err := os.MkdirTemp("", "nunki-verify.*")
 		require.NoError(err)
 
 		verify := cmd.NewVerifyCmd()
 		verify.SetArgs([]string{
-			"--output", output,
+			"--workspace-dir", workspaceDir,
 			"--coordinator-policy-hash=", // TODO(burgerdev): enable policy checking
 			"--coordinator", coordinator,
 		})
@@ -90,7 +90,7 @@ func TestFrontend(t *testing.T) {
 			"coordinator-root.pem",
 			"mesh-root.pem",
 		} {
-			pem, err := os.ReadFile(path.Join(output, certFile))
+			pem, err := os.ReadFile(path.Join(workspaceDir, certFile))
 			assert.NoError(t, err)
 			certs[certFile] = pem
 		}

justfile

@@ -49,10 +49,8 @@ generate target=default_deploy_target cli=default_cli:
         --replace edg-default {{ target }}${namespace_suffix-}
     t=$(date +%s)
     nix run .#{{ cli }} -- generate \
-        -m ./{{ workspace_dir }}/manifest.json \
-        -p ./{{ workspace_dir }}/rules.rego \
-        -s ./{{ workspace_dir }}/genpolicy-msft.json \
-        ./{{ workspace_dir }}/deployment/*.yml > ./{{ workspace_dir }}/just.coordinator-policy-hash
+        --workspace-dir ./{{ workspace_dir }} \
+        ./{{ workspace_dir }}/deployment/*.yml
     duration=$(( $(date +%s) - $t ))
     echo "Generated policies in $duration seconds."
     echo "generate $duration" >> ./{{ workspace_dir }}/just.perf
@@ -102,10 +100,10 @@ set cli=default_cli:
     PID=$!
     trap "kill $PID" EXIT
     nix run .#scripts.wait-for-port-listen -- 1313
-    policy=$(<./{{ workspace_dir }}/just.coordinator-policy-hash)
+    policy=$(< ./{{ workspace_dir }}/coordinator-policy.sha256)
     t=$(date +%s)
     nix run .#{{ cli }} -- set \
-        -m ./{{ workspace_dir }}/manifest.json \
+        --workspace-dir ./{{ workspace_dir }} \
         -c localhost:1313 \
         --coordinator-policy-hash "${policy}" \
         ./{{ workspace_dir }}/deployment/*.yml
@@ -126,8 +124,8 @@ verify cli=default_cli:
     nix run .#scripts.wait-for-port-listen -- 1314
     t=$(date +%s)
     nix run .#{{ cli }} -- verify \
-        -c localhost:1314 \
-        -o ./{{ workspace_dir }}/verify
+        --workspace-dir ./{{ workspace_dir }}/verify \
+        -c localhost:1314
     duration=$(( $(date +%s) - $t ))
     echo "Verified in $duration seconds."
     echo "verify $duration" >> ./{{ workspace_dir }}/just.perf