The toYAML function is just an alias for toJSON, which is technically fine since YAML is a superset of JSON, but these new functions generate actual YAML.
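# Builds a Kubernetes EncryptionConfiguration whose AES-CBC key is generated
# once, at build time, and embedded into the rendered YAML.
#
# NOTE(review): both the key derivation and the rendered encryption-config.yaml
# are ordinary derivation outputs in the Nix store, which on a typical install
# is readable by every local user. Store permissions do not protect this key;
# treat the output as a world-readable artefact unless a secrets mechanism is
# put in front of it.
#
# stdenv phases, for reference (only unpack and install are overridden below):
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  lib,
  pkgs,
  stdenv,
  runCommand,
  writeText,
  ...
}:
let
  # Render `contents` as YAML with nixpkgs' YAML formatter and return the
  # store path of the generated file named `file_name`.
  to_yaml_file =
    file_name: contents:
    let
      settingsFormat = pkgs.formats.yaml { };
    in
    settingsFormat.generate file_name contents;

  # Same as to_yaml_file, but returns the rendered YAML text instead of the
  # path. Reading a derivation output at evaluation time forces that
  # derivation to be built during evaluation (import-from-derivation).
  to_yaml = file_name: contents: builtins.readFile (to_yaml_file file_name contents);

  # 32 random bytes, base64-encoded, produced once at build time.
  # `base64 -w0` drops the trailing newline that would otherwise become part
  # of the key value (the original output ended in "\n"), and redirecting
  # straight to $out keeps the key out of the build log — the original
  # `tee $out` also echoed it to stdout, where `nix log` would retain it.
  # NOTE(review): this derivation has no varying inputs, so a rebuild on the
  # same machine reuses the cached key, while a different machine (or a
  # garbage-collected store) generates a new one; the result is not
  # reproducible by design.
  kube_encryption_key = runCommand "kube_encryption_key" { } ''
    head -c 32 /dev/urandom | base64 -w0 > "$out"
  '';

  # Encryption configuration for the API server: Secrets are encrypted with
  # AES-CBC using the generated key; the `identity` provider is kept after
  # `aescbc`, as in the original configuration.
  # NOTE(review): `kind = "EncryptionConfig"` / `apiVersion = "v1"` is the
  # older form of this document; current Kubernetes releases document
  # `apiVersion: apiserver.config.k8s.io/v1` with `kind: EncryptionConfiguration`.
  # Confirm which form the target API server accepts before relying on this.
  kube_encryption_config = {
    kind = "EncryptionConfig";
    apiVersion = "v1";
    resources = [
      {
        resources = [ "secrets" ];
        providers = [
          {
            aescbc = {
              keys = [
                {
                  name = "key1";
                  # Read at evaluation time (import-from-derivation); the key
                  # value therefore also appears in the evaluated Nix expression.
                  secret = builtins.readFile "${kube_encryption_key}";
                }
              ];
            };
          }
          { identity = { }; }
        ];
      }
    ];
  };

  kube_encryption_config_yaml = to_yaml_file "encryption-config.yaml" kube_encryption_config;
in
stdenv.mkDerivation {
  name = "k8s-encryption-key";

  # Nothing to fetch or unpack; the only input is the rendered YAML above.
  dontUnpack = true;

  installPhase = ''
    runHook preInstall
    mkdir -p "$out"
    cp "${kube_encryption_config_yaml}" "$out/encryption-config.yaml"
    runHook postInstall
  '';
}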