diff --git a/.gitignore b/.gitignore
index 6df321ff8b..063e04fa04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,9 +5,6 @@ edgcoco
 result*
 layers_cache
 layers-cache.json
-mesh-root.pem
-coordinator-root.pem
-workload-owner.pem
 justfile.env
 workspace
 workspace.cache
diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
index 981c5b622e..3ea9ad3a1b 100644
--- a/cli/cmd/generate.go
+++ b/cli/cmd/generate.go
@@ -136,7 +136,8 @@ func runGenerate(cmd *cobra.Command, args []string) error {
  fmt.Fprintf(cmd.OutOrStdout(), "✔️ Updated manifest %s\n", flags.manifestPath)
 
  if hash := getCoordinatorPolicyHash(policies, log); hash != "" {
- if err := os.WriteFile(coordHashFilename, []byte(hash), 0o644); err != nil {
+ coordHashPath := filepath.Join(flags.workspaceDir, coordHashFilename)
+ if err := os.WriteFile(coordHashPath, []byte(hash), 0o644); err != nil {
  return fmt.Errorf("failed to write coordinator policy hash: %w", err)
  }
  }
@@ -324,6 +325,7 @@ type generateFlags struct {
  manifestPath string
  workloadOwnerKeys []string
  disableUpdates bool
+ workspaceDir string
 }
 
 func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
@@ -347,6 +349,25 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
  if err != nil {
  return nil, err
  }
+ workspaceDir, err := cmd.Flags().GetString("workspace-dir")
+ if err != nil {
+ return nil, err
+ }
+ if workspaceDir != "" {
+ // Prepend default paths with workspaceDir
+ if !cmd.Flags().Changed("settings") {
+ settingsPath = filepath.Join(workspaceDir, settingsFilename)
+ }
+ if !cmd.Flags().Changed("policy") {
+ policyPath = filepath.Join(workspaceDir, rulesFilename)
+ }
+ if !cmd.Flags().Changed("manifest") {
+ manifestPath = filepath.Join(workspaceDir, manifestFilename)
+ }
+ if !cmd.Flags().Changed("workload-owner-key") {
+ workloadOwnerKeys = []string{filepath.Join(workspaceDir, workloadOwnerKeys[0])}
+ }
+ }
 
  return &generateFlags{
  policyPath: policyPath,
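Review bot: `workloadOwnerKeys[0]` in the new workload-owner-key branch of parseGenerateFlags is indexed without a length check, so a nil or empty default for that flag (the default is registered outside this hunk, so I cannot confirm it) would panic instead of returning an error; guard it with `if !cmd.Flags().Changed("workload-owner-key") && len(workloadOwnerKeys) > 0 {`. The same branch keeps only the first default element, which is fine for a single-entry default but silently drops any others. The comment `// Prepend default paths with workspaceDir` would be more precise as `// Re-root the default paths under workspaceDir; paths given explicitly on the command line are used as-is.` parseGenerateFlags starts and ends outside the hunk.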
@@ -354,6 +375,7 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
  manifestPath: manifestPath,
  workloadOwnerKeys: workloadOwnerKeys,
  disableUpdates: disableUpdates,
+ workspaceDir: workspaceDir,
  }, nil
 }
 
diff --git a/cli/cmd/set.go b/cli/cmd/set.go
index 267e7f5084..8bc5f6f33e 100644
--- a/cli/cmd/set.go
+++ b/cli/cmd/set.go
@@ -13,6 +13,7 @@ import (
  "log/slog"
  "net"
  "os"
+ "path"
  "slices"
  "time"
 
@@ -138,8 +139,8 @@ func runSet(cmd *cobra.Command, args []string) error {
  fmt.Fprintln(cmd.OutOrStdout(), "✔️ Manifest set successfully")
 
  filelist := map[string][]byte{
- coordRootPEMFilename: resp.CACert,
- coordIntermPEMFilename: resp.IntermCert,
+ path.Join(flags.workspaceDir, coordRootPEMFilename): resp.CACert,
+ path.Join(flags.workspaceDir, coordIntermPEMFilename): resp.IntermCert,
  }
  if err := writeFilelist(".", filelist); err != nil {
  return fmt.Errorf("writing filelist: %w", err)
@@ -153,6 +154,7 @@ type setFlags struct {
  coordinator string
  policy []byte
  workloadOwnerKeyPath string
+ workspaceDir string
 }
 
 func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
@@ -179,6 +181,20 @@ func parseSetFlags(cmd *cobra.Command) (*setFlags, error) {
  if err != nil {
  return nil, fmt.Errorf("getting workload-owner-key flag: %w", err)
  }
+ flags.workspaceDir, err = cmd.Flags().GetString("workspace-dir")
+ if err != nil {
+ return nil, fmt.Errorf("getting workspace-dir flag: %w", err)
+ }
+
+ if flags.workspaceDir != "" {
+ // Prepend default paths with workspaceDir
+ if !cmd.Flags().Changed("manifest") {
+ flags.manifestPath = path.Join(flags.workspaceDir, flags.manifestPath)
+ }
+ if !cmd.Flags().Changed("workload-owner-key") {
+ flags.workloadOwnerKeyPath = path.Join(flags.workspaceDir, flags.workloadOwnerKeyPath)
+ }
+ }
 
  return flags, nil
 }
diff --git a/cli/cmd/verify.go b/cli/cmd/verify.go
index 410a543ecc..298617c5ab 100644
--- a/cli/cmd/verify.go
+++ b/cli/cmd/verify.go
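Review bot: The import added here is `path`, whose Join is meant for slash-separated names, while every value it is applied to in this file is a filesystem path; generate.go in this same commit uses `filepath.Join` for the identical purpose, and a `\`-separated workspace directory on Windows would not be normalised by `path.Join`. Import `"path/filepath"` instead and use `filepath.Join` in the runSet filelist hunk and in the two parseSetFlags assignments below, which share this defect. The comment `// Prepend default paths with workspaceDir` in parseSetFlags could also state that explicitly set paths are left untouched, since that is what the `Changed` checks guarantee.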
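Review bot: `writeFilelist(".", filelist)` in runSet now receives keys that already carry the workspace directory, while verify.go in this commit passes the directory as the first argument and keeps bare filenames as keys; the two callers should use the helper the same way. If writeFilelist joins its directory argument with each key (the verify.go call suggests so, but the helper is outside this diff), the consistent form is `if err := writeFilelist(flags.workspaceDir, filelist); err != nil {` with the original `coordRootPEMFilename`/`coordIntermPEMFilename` keys — check how the helper treats an empty directory first, since workspace-dir defaults to "" for set. Nothing in this hunk creates the workspace directory, so if the helper does not either, a non-existent `--workspace-dir` is only detected at this write, after the manifest has already been set on the coordinator; validating the directory in parseSetFlags before any network call would avoid that half-applied state. runSet continues outside the hunk.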
@@ -39,7 +39,8 @@ func NewVerifyCmd() *cobra.Command {
  RunE: runVerify,
  }
 
- cmd.Flags().StringP("output", "o", verifyDir, "directory to write files to")
+ // Override persistent workspace-dir flag with a default value.
+ cmd.Flags().String("workspace-dir", verifyDir, "directory to write files to, if not set explicitly to another location")
  cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
  must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
  cmd.Flags().String("coordinator-policy-hash", DefaultCoordinatorPolicyHash, "expected policy hash of the coordinator, will not be checked if empty")
@@ -98,7 +99,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
  pHash := manifest.NewHexString(sha256sum[:])
  filelist[fmt.Sprintf("policy.%s.rego", pHash)] = p
  }
- if err := writeFilelist(flags.outputDir, filelist); err != nil {
+ if err := writeFilelist(flags.workspaceDir, filelist); err != nil {
  return fmt.Errorf("writing filelist: %w", err)
  }
 
@@ -108,9 +109,9 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 }
 
 type verifyFlags struct {
- coordinator string
- outputDir string
- policy []byte
+ coordinator string
+ workspaceDir string
+ policy []byte
 }
 
 func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
@@ -118,7 +119,7 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
  if err != nil {
  return nil, err
  }
- outputDir, err := cmd.Flags().GetString("output")
+ workspaceDir, err := cmd.Flags().GetString("workspace-dir")
  if err != nil {
  return nil, err
  }
@@ -132,9 +133,9 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
  }
 
  return &verifyFlags{
- coordinator: coordinator,
- outputDir: outputDir,
- policy: policy,
+ coordinator: coordinator,
+ workspaceDir: workspaceDir,
+ policy: policy,
  }, nil
 }
 
diff --git a/cli/main.go b/cli/main.go
index f0f32df316..8796c57258 100644
--- a/cli/main.go
+++ b/cli/main.go
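Review bot: Defining a local `workspace-dir` flag on top of the root's persistent flag of the same name relies on cobra merging persistent flags only for names not already present on the command, so the local definition wins; that is what NewVerifyCmd wants here, but the comment should say why it is safe, e.g. `// Local flag shadows the root's persistent workspace-dir flag so verify defaults to verifyDir instead of the current directory.` Replacing `StringP("output", "o", ...)` with `String("workspace-dir", ...)` also drops the `-o` shorthand with no replacement, so existing invocations using `-o` now fail at flag parsing; if that break is intended it is worth calling out, otherwise `cmd.Flags().StringP("workspace-dir", "o", verifyDir, ...)` keeps it. NewVerifyCmd continues outside the hunk.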
@@ -34,6 +34,7 @@ func newRootCmd() *cobra.Command {
  root.SetOut(os.Stdout)
 
  root.PersistentFlags().String("log-level", "warn", "set logging level (debug, info, warn, error, or a number)")
+ root.PersistentFlags().String("workspace-dir", "", "directory to write files to, if not set explicitly to another location")
  root.InitDefaultVersionFlag()
 
  root.AddCommand(
diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go
index 6777271501..3c15606f70 100644
--- a/e2e/openssl/openssl_test.go
+++ b/e2e/openssl/openssl_test.go
@@ -71,12 +71,12 @@ func TestFrontend(t *testing.T) {
  require.NoError(err)
  defer cancelPortForward()
 
- output, err := os.MkdirTemp("", "nunki-verify.*")
+ workspaceDir, err := os.MkdirTemp("", "nunki-verify.*")
  require.NoError(err)
 
  verify := cmd.NewVerifyCmd()
  verify.SetArgs([]string{
- "--output", output,
+ "--workspace-dir", workspaceDir,
  "--coordinator-policy-hash=", // TODO(burgerdev): enable policy checking
  "--coordinator", coordinator,
  })
@@ -90,7 +90,7 @@ func TestFrontend(t *testing.T) {
  "coordinator-root.pem",
  "mesh-root.pem",
  } {
- pem, err := os.ReadFile(path.Join(output, certFile))
+ pem, err := os.ReadFile(path.Join(workspaceDir, certFile))
  assert.NoError(t, err)
  certs[certFile] = pem
  }
diff --git a/justfile b/justfile
index 01c5741c1e..b4fdc133c7 100644
--- a/justfile
+++ b/justfile
@@ -49,9 +49,7 @@ generate target=default_deploy_target cli=default_cli:
  --replace edg-default {{ target }}${namespace_suffix-}
  t=$(date +%s)
  nix run .#{{ cli }} -- generate \
- -m ./{{ workspace_dir }}/manifest.json \
- -p ./{{ workspace_dir }}/rules.rego \
- -s ./{{ workspace_dir }}/genpolicy-msft.json \
+ --workspace-dir ./{{ workspace_dir }} \
  ./{{ workspace_dir }}/deployment/*.yml
  duration=$(( $(date +%s) - $t ))
  echo "Generated policies in $duration seconds."
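Review bot: The persistent flag defaults to "", so `generate` and `set` run without `--workspace-dir` keep writing their outputs into the current directory — `coordinator-root.pem` from runSet, and, judging by the three entries this commit removes from .gitignore, `mesh-root.pem` and `workload-owner.pem` as well — and those names are no longer git-ignored there, so a checkout used without the justfile can now commit a private key by accident. Either keep those three entries in .gitignore or give the flag a non-empty default matching the directory the justfile uses. The help text should also say what an empty value means, e.g. `root.PersistentFlags().String("workspace-dir", "", "directory to read and write workspace files in; empty means the current directory")`. newRootCmd continues outside the hunk.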
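Review bot: The generate recipe drops the explicit `-m`, `-p` and `-s` paths and now relies on the CLI deriving them from `settingsFilename`, `rulesFilename` and `manifestFilename` under `--workspace-dir`; those constants are not in this diff, so whether they still resolve to `genpolicy-msft.json`, `rules.rego` and `manifest.json` — the names the recipe used to pass — cannot be checked here. If any of them differs, generate silently reads or writes a different file and the later `set` step fails or runs on stale input. A one-line comment in the recipe naming the files generate is expected to produce under `{{ workspace_dir }}` would make the dependency visible to the next person editing either side.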
@@ -102,10 +100,10 @@ set cli=default_cli:
  PID=$!
  trap "kill $PID" EXIT
  nix run .#scripts.wait-for-port-listen -- 1313
- policy=$(< ./coordinator-policy.sha256)
+ policy=$(< ./{{ workspace_dir }}/coordinator-policy.sha256)
  t=$(date +%s)
  nix run .#{{ cli }} -- set \
- -m ./{{ workspace_dir }}/manifest.json \
+ --workspace-dir ./{{ workspace_dir }} \
  -c localhost:1313 \
  --coordinator-policy-hash "${policy}" \
  ./{{ workspace_dir }}/deployment/*.yml
@@ -126,8 +124,8 @@ verify cli=default_cli:
  nix run .#scripts.wait-for-port-listen -- 1314
  t=$(date +%s)
  nix run .#{{ cli }} -- verify \
- -c localhost:1314 \
- -o ./{{ workspace_dir }}/verify
+ --workspace-dir ./{{ workspace_dir }}/verify \
+ -c localhost:1314
  duration=$(( $(date +%s) - $t ))
  echo "Verified in $duration seconds."
  echo "verify $duration" >> ./{{ workspace_dir }}/just.perf