Building the Operator

This operator is written in Rust.

It is developed against the latest stable Rust release, and we currently don’t support any older versions.

However, the Secret Operator is a Container Storage Interface (CSI) provider plugin for the local Kubelet, which means that it should only be executed inside a Kubernetes Pod. We currently support two ways of building the Secret Operator: docker build and Nix. docker build is currently our primary deployment target, and our official images are built using it. Nix, on the other hand, has much faster incremental build and deploy times, making it ideal for local development.

Docker

To build and deploy to the active Kind cluster, run:

$ echo Building with Docker
# Ensure that all submodules are up-to-date
$ git submodule update --recursive --init
# Update the Chart metadata and CRD definitions
$ make compile-chart
# Create a unique image ID
$ REPO=secret-operator
$ TAG="$(uuidgen)"
# Build the image
$ docker build . -f docker/Dockerfile -t "$REPO:$TAG"
# Load the image onto the Kind nodes
$ kind load docker-image "$REPO:$TAG"
# Deploy
$ helm upgrade secret-operator deploy/helm/secret-operator \
       --install \
       --set-string "image.repository=$REPO,image.tag=$TAG"

Nix

To build and deploy to the active Kind cluster, run:

$ echo Building with Nix
# Ensure that all submodules are up-to-date
$ git submodule update --recursive --init
# Ensure that the Cargo.lock is up-to-date
# This is not required if you use a tool that invokes Cargo regularly anyway, such as Rust-Analyzer
$ cargo generate-lockfile
# Use crate2nix (https://github.com/kolloch/crate2nix) to convert Cargo.lock into a Nix derivation
$ nix run -f . crate2nix generate
# Build the Docker images
$ nix build -f . docker
# Load the images onto the Kind nodes
# Nix does not use the Docker daemon, instead it builds individual layers, as well as a script (`result/load-image`) that combines them into a Docker image archive
$ kind load image-archive <(./result/load-image)
# Deploy
$ kubectl apply -f result/crds.yaml -f provisioner.yaml
$ kubectl rollout restart ds/secret-provisioner

You may need to add extra-experimental-features = nix-command to /etc/nix/nix.conf, or add --experimental-features nix-command to the Nix commands.

You can also use Tilt to automatically recompile and redeploy when files are changed:

$ nix run -f . tilt up

K3d

The Secret Operator, like most CSI providers, requires the Kubernetes node’s root folder to be mounted as rshared. K3d does not do this by default, but can be prodded into doing this by running mount --make-rshared / in each node container.

To do this for each running K3d node, run the following script:

# Make the root mount shared inside every running K3d node container
for i in $(k3d node list -o json | jq -r '.[].name'); do
  docker exec "$i" mount --make-rshared /
done

This is not persistent, and must be re-executed every time the cluster (or a node in it) is restarted.
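Because the setting is lost on restart, it is useful to be able to check a node's actual mount propagation rather than re-running the remount blindly. The script below is an added example, not part of the Secret Operator repository: it reads /proc/1/mountinfo inside each node and only remounts where "/" lacks a shared peer-group tag. It assumes docker, k3d and jq on the host (as in the script above) and cat and mount inside the node image; the mountinfo samples are constructed.

```shell
#!/usr/bin/env sh
# Added example (not part of the Secret Operator repository): only remount a
# K3d node's root as rshared when it is not already shared, and report the
# state so it can be verified after a cluster or node restart.
# Assumes: docker, k3d and jq on the host; cat and mount inside the node image.

# Return 0 if the given /proc/<pid>/mountinfo text shows mount point "/"
# carrying a "shared:N" peer-group tag, 1 otherwise. Field 5 is the mount
# point; optional fields follow field 6 and end at a lone "-" separator.
root_is_shared() {
  printf '%s\n' "$1" | awk '
    $5 == "/" {
      for (i = 7; i <= NF && $i != "-"; i++)
        if ($i ~ /^shared:[0-9]+$/) found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# Check every running K3d node and run `mount --make-rshared /` only where needed.
ensure_rshared_nodes() {
  for node in $(k3d node list -o json | jq -r '.[].name'); do
    if root_is_shared "$(docker exec "$node" cat /proc/1/mountinfo)"; then
      echo "$node: / is already shared"
    else
      echo "$node: / is not shared, running mount --make-rshared /"
      docker exec "$node" mount --make-rshared /
    fi
  done
}

# Constructed mountinfo samples (not captured from a real node) for self-checking
# the parser: shared root, private root, and a slave (master:N) root.
SHARED_SAMPLE='1 0 0:25 / / rw,relatime shared:1 - overlay overlay rw
20 1 0:19 / /proc rw,nosuid,nodev shared:2 - proc proc rw'
PRIVATE_SAMPLE='1 0 0:25 / / rw,relatime - overlay overlay rw
20 1 0:19 / /proc rw,nosuid,nodev - proc proc rw'
SLAVE_SAMPLE='1 0 0:25 / / rw,relatime master:1 - overlay overlay rw'

# Usage: sh ensure-rshared.sh --apply
if [ "${1:-}" = "--apply" ]; then
  ensure_rshared_nodes
fi
```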