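# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
#
# Produces a derivation whose output directory contains
# `encryption-config.yaml`, a Kubernetes API-server encryption-at-rest
# configuration for the "secrets" resource with one AES-CBC key.
#
# SECURITY NOTE(review): the key is generated inside a Nix build, so it is
# written to the Nix store three times over: as the `kube_encryption_key`
# output, as the text handed to `writeText`, and in the final
# `$out/encryption-config.yaml`. Store paths are world-readable on the host and
# are copied along with closures and binary caches. Treat this file as suitable
# for throwaway/test clusters only; for anything else, provision the key at
# activation/run time from a secrets mechanism outside the store and point the
# API server at that path instead.
#
# NOTE(review): the key derivation is not fixed-output and reads /dev/urandom,
# so a rebuild (after garbage collection, or on another machine without a
# shared cache) yields a different key under the same store path. Secrets
# already encrypted in etcd with the previous key would then no longer decrypt,
# and independently built control-plane nodes would disagree on the key.
{
  lib,
  stdenv,
  runCommand,
  writeText,
  ...
}:
let
  # 32 random bytes, base64-encoded, written straight to the output.
  # Redirecting instead of piping through `tee` keeps the key out of the
  # build's stdout, which Nix stores in the build log.
  kube_encryption_key = runCommand "kube_encryption_key" { } ''
    head -c 32 /dev/urandom | base64 > "$out"
  '';

  # NOTE(review): `kind = "EncryptionConfig"` with `apiVersion = "v1"` is the
  # early form of this file; current Kubernetes documents
  # `kind: EncryptionConfiguration` with
  # `apiVersion: apiserver.config.k8s.io/v1`. Confirm against the API-server
  # version this is deployed to before changing it.
  kube_encryption_config = {
    kind = "EncryptionConfig";
    apiVersion = "v1";
    resources = [
      {
        resources = [ "secrets" ];
        providers = [
          {
            # First provider in the list is the one used for writes.
            # NOTE(review): upstream documentation prefers other providers
            # (e.g. secretbox or KMS) over aescbc — consider when revisiting.
            aescbc = {
              keys = [
                {
                  name = "key1";
                  # Reading a build output at evaluation time is
                  # import-from-derivation: the key becomes part of the
                  # evaluated string (see the security note at the top).
                  # `base64` terminates its output with a newline; strip it
                  # so the YAML value is exactly the encoded key.
                  secret = lib.removeSuffix "\n" (builtins.readFile "${kube_encryption_key}");
                }
              ];
            };
          }
          # Fallback for reads: lets objects that were stored before
          # encryption was enabled still be returned unencrypted.
          { identity = { }; }
        ];
      }
    ];
  };

  # Serialized configuration as a store file named encryption-config.yaml.
  kube_encryption_config_yaml = (
    writeText "encryption-config.yaml" (lib.generators.toYAML { } kube_encryption_config)
  );
in
stdenv.mkDerivation (finalAttrs: {
  name = "k8s-encryption-key";
  nativeBuildInputs = [ ];
  buildInputs = [ ];

  # No source to unpack; the only input is the generated YAML file.
  unpackPhase = "true";

  installPhase = ''
    mkdir "$out"
    cp "${kube_encryption_config_yaml}" "$out/encryption-config.yaml"
  '';
})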