Building the Operator
This operator is written in Rust.
It is developed against the latest stable Rust release, and we currently don’t support any older versions.
However, the Secret Operator is a Container Storage Interface (CSI) provider plugin for the local Kubelet, which means that it should only be executed inside of a Kubernetes Pod.
We currently support two ways of building the Secret Operator: docker build and Nix. docker build is currently our primary deployment target, and our official images are built using it. However, Nix has much faster incremental build and deploy times, making it ideal for local development.
Docker
To build and deploy to the active Kind cluster, run:
$ echo Building with Docker
# Ensure that all submodules are up-to-date
$ git submodule update --recursive --init
# Update the Chart metadata and CRD definitions
$ make compile-chart
# Create a unique image ID
$ REPO=secret-operator
$ TAG="$(uuidgen)"
# Build the image
$ docker build . -f docker/Dockerfile -t "$REPO:$TAG"
# Load the image onto the Kind nodes
$ kind load docker-image "$REPO:$TAG"
# Deploy
$ helm upgrade secret-operator deploy/helm/secret-operator \
--install \
--set-string "image.repository=$REPO,image.tag=$TAG"
Nix
To build and deploy to the active Kind cluster, run:
$ echo Building with Nix
# Ensure that all submodules are up-to-date
$ git submodule update --recursive --init
# Ensure that the Cargo.lock is up-to-date
# This is not required if you use a tool that invokes Cargo regularly anyway, such as Rust-Analyzer
$ cargo generate-lockfile
# Use crate2nix (https://github.com/kolloch/crate2nix) to convert Cargo.lock into a Nix derivation
$ nix run -f . crate2nix generate
# Build the Docker images
$ nix build -f . docker
# Load the images onto the Kind nodes
# Nix does not use the Docker daemon, instead it builds individual layers, as well as a script (`result/load-image`) that combines them into a Docker image archive
$ kind load image-archive <(./result/load-image)
# Deploy
$ kubectl apply -f result/crds.yaml -f provisioner.yaml
$ kubectl rollout restart ds/secret-provisioner
You may need to add extra-experimental-features = nix-command to /etc/nix/nix.conf, or add --experimental-features nix-command to the Nix commands.
You can also use Tilt to automatically recompile and redeploy when files are changed:
$ nix run -f . tilt up
K3d
Secret-Operator, as with most CSI providers, requires the Kubernetes node’s root folder to be mounted as rshared. K3d does not do this by default, but can be prodded into doing this by running mount --make-rshared / in each node container.
To do this for each running K3d node, run the following script:
# Quote the jq filter so the shell does not try to glob-expand .[].name
for i in $(k3d node list -o json | jq -r '.[].name'); do
  docker exec -it "$i" mount --make-rshared /
done
This is not persistent, and must be re-executed every time the cluster (or a node in it) is restarted.
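Because the rshared setting is lost on restart, it helps to check each node's current state before remounting. The script below is an added example, not part of the operator repository: it reads the optional propagation fields of the / entry in /proc/self/mountinfo and remounts only the nodes that need it. The function names root_propagation and ensure_rshared and the sample lines are made up for illustration, and it assumes cat is available in the K3d node image.

```shell
#!/usr/bin/env bash
# Added example, not part of the operator repository.

# Print the propagation type of the mount at "/" from mountinfo text on stdin.
# Optional fields (shared:N, master:N, unbindable) sit between field 6 and "-".
# If "/" is listed more than once, the last (topmost) entry wins.
root_propagation() {
  awk '$5 == "/" {
         state = "private"
         for (i = 7; i <= NF && $i != "-"; i++) {
           if ($i ~ /^shared:/) { state = "shared"; break }
           if ($i ~ /^master:/) state = "slave"
           if ($i == "unbindable") state = "unbindable"
         }
       }
       END { if (state == "") exit 1; print state }'
}

# Constructed sample lines in /proc/self/mountinfo format (not from a real node).
SAMPLE_PRIVATE='1523 1337 0:152 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
1524 1523 0:155 / /proc rw,nosuid - proc proc rw'
SAMPLE_SHARED='1523 1337 0:152 / / rw,relatime shared:412 - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w'

# Re-apply rshared only on K3d nodes whose root mount is not shared.
# Assumption: `cat` exists in the node image.
ensure_rshared() {
  for node in $(k3d node list -o json | jq -r '.[].name'); do
    state="$(docker exec "$node" cat /proc/self/mountinfo | root_propagation)"
    if [ "$state" = "shared" ]; then
      echo "$node: / already shared"
    else
      echo "$node: / is ${state:-unknown}, remounting rshared"
      docker exec "$node" mount --make-rshared /
    fi
  done
}

# Only touch the cluster when asked to; otherwise the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
  ensure_rshared
fi
```

Run it with --apply after every cluster or node restart; without the flag it only defines the functions.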