contrast.{resourcegen,cli,e2e}: split from core package

sespiros · sespiros · commit 24e8aa962268 · 2026-02-04T12:31:39.000+01:00
resourcegen,cli and e2e are tools meant to run on the operator's side
while coordinator and initializer are binaries that run on the cluster.
As we want to decouple the contrast binaries from the runtime binaries,
it makes sense to split them so that they can be built separately.

Signed-off-by: Spyros Seimenis &lt;sse@edgeless.systems&gt;
diff --git a/packages/by-name/contrast/cli/package.nix b/packages/by-name/contrast/cli/package.nix
@@ -1,4 +1,101 @@
 # Copyright 2025 Edgeless Systems GmbH
 # SPDX-License-Identifier: BUSL-1.1
 
-{ contrast }: contrast.cli
+{
+  lib,
+  buildGoModule,
+  contrast,
+  kata,
+  installShellFiles,
+  contrastPkgsStatic,
+  reference-values,
+}:
+
+buildGoModule (finalAttrs: {
+  pname = "${contrast.pname}-cli";
+  inherit (contrast)
+    version
+    proxyVendor
+    vendorHash
+    ;
+
+  # The source of the main module of this repo. We filter for Go files so that
+  # changes in the other parts of this repo don't trigger a rebuild.
+  src =
+    let
+      inherit (lib) fileset path hasSuffix;
+      root = ../../../../.;
+    in
+    fileset.toSource {
+      inherit root;
+      fileset = fileset.unions [
+        (path.append root "go.mod")
+        (path.append root "go.sum")
+        (path.append root "cli/cmd/assets/image-replacements.txt")
+        (fileset.fileFilter (file: hasSuffix ".yaml" file.name) (
+          path.append root "internal/kuberesource/assets"
+        ))
+        (path.append root "internal/manifest/Milan.pem")
+        (path.append root "internal/manifest/Genoa.pem")
+        (path.append root "internal/manifest/Intel_SGX_Provisioning_Certification_RootCA.pem")
+        (fileset.intersection (fileset.fileFilter (file: hasSuffix ".go" file.name) root) (
+          fileset.unions [
+            (path.append root "internal")
+            (path.append root "cli")
+            (path.append root "sdk")
+          ]
+        ))
+      ];
+    };
+
+  subPackages = [ "cli" ];
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  prePatch = ''
+    install -D ${lib.getExe contrastPkgsStatic.kata.genpolicy} cli/genpolicy/assets/genpolicy-kata
+    install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego
+    install -D ${reference-values} internal/manifest/assets/reference-values.json
+  '';
+
+  # postPatch will be overwritten by the release-cli derivation, prePatch won't.
+  postPatch = ''
+    install -D ${kata.genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-kata.json
+  '';
+
+  env.CGO_ENABLED = 0;
+
+  ldflags = [
+    "-s"
+    "-X github.com/edgelesssys/contrast/internal/constants.Version=v${finalAttrs.version}"
+    "-X github.com/edgelesssys/contrast/internal/constants.KataGenpolicyVersion=${kata.genpolicy.version}"
+  ];
+
+  tags = [ "contrast_unstable_api" ];
+
+  preCheck = ''
+    export CGO_ENABLED=1
+  '';
+
+  checkPhase = ''
+    runHook preCheck
+    go test -tags=${lib.concatStringsSep "," finalAttrs.tags} -race ./cli/...
+    runHook postCheck
+  '';
+
+  postInstall = ''
+    # rename the cli binary to contrast
+    mv "$out/bin/cli" "$out/bin/contrast"
+
+    installShellCompletion --cmd contrast \
+      --bash <($out/bin/contrast completion bash) \
+      --fish <($out/bin/contrast completion fish) \
+      --zsh <($out/bin/contrast completion zsh)
+  '';
+
+  # Skip fixup as binaries are already stripped and we don't
+  # need any other fixup, saving some seconds.
+  dontFixup = true;
+
+  meta.mainProgram = "contrast";
+})
diff --git a/packages/by-name/contrast/contrast/package.nix b/packages/by-name/contrast/contrast/package.nix
@@ -4,17 +4,13 @@
 {
   lib,
   buildGoModule,
-  kata,
-  installShellFiles,
-  contrastPkgsStatic,
   reference-values,
 }:
 
 let
   packageOutputs = [
     "coordinator"
     "initializer"
-    "cli"
   ];
 in
 
@@ -36,7 +32,6 @@ buildGoModule (finalAttrs: {
       fileset = fileset.unions [
         (path.append root "go.mod")
         (path.append root "go.sum")
-        (path.append root "cli/cmd/assets/image-replacements.txt")
         (fileset.fileFilter (file: hasSuffix ".dat" file.name) (
           path.append root "internal/attestation/tdx/qgs/testdata"
         ))
@@ -46,15 +41,12 @@ buildGoModule (finalAttrs: {
         (path.append root "internal/manifest/Milan.pem")
         (path.append root "internal/manifest/Genoa.pem")
         (path.append root "internal/manifest/Intel_SGX_Provisioning_Certification_RootCA.pem")
-        (fileset.difference (fileset.fileFilter (file: hasSuffix ".go" file.name) root) (
+        (fileset.intersection (fileset.fileFilter (file: hasSuffix ".go" file.name) root) (
           fileset.unions [
-            (path.append root "service-mesh")
-            (path.append root "tools")
-            (path.append root "imagepuller")
-            (path.append root "imagestore")
-            (path.append root "initdata-processor")
-            (path.append root "e2e")
-            (path.append root "nodeinstaller")
+            (path.append root "internal")
+            (path.append root "coordinator")
+            (path.append root "initializer")
+            (path.append root "sdk")
           ]
         ))
       ];
@@ -63,27 +55,17 @@ buildGoModule (finalAttrs: {
   proxyVendor = true;
   vendorHash = "sha256-bZqDo21FxfE76iZmlYcQmwerH4V5fYyi53XI4Vy8kro=";
 
-  nativeBuildInputs = [ installShellFiles ];
-
-  subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
+  subPackages = packageOutputs;
 
   prePatch = ''
-    install -D ${lib.getExe contrastPkgsStatic.kata.genpolicy} cli/genpolicy/assets/genpolicy-kata
-    install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego
     install -D ${reference-values} internal/manifest/assets/reference-values.json
   '';
 
-  # postPatch will be overwritten by the release-cli derivation, prePatch won't.
-  postPatch = ''
-    install -D ${kata.genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-kata.json
-  '';
-
   env.CGO_ENABLED = 0;
 
   ldflags = [
     "-s"
     "-X github.com/edgelesssys/contrast/internal/constants.Version=v${finalAttrs.version}"
-    "-X github.com/edgelesssys/contrast/internal/constants.KataGenpolicyVersion=${kata.genpolicy.version}"
   ];
 
   tags = [ "contrast_unstable_api" ];
@@ -103,22 +85,9 @@ buildGoModule (finalAttrs: {
       mkdir -p "''${!sub}/bin"
       mv "$out/bin/$sub" "''${!sub}/bin/$sub"
     done
-
-    # rename the cli binary to contrast
-    mv "$cli/bin/cli" "$cli/bin/contrast"
-
-    installShellCompletion --cmd contrast \
-      --bash <($cli/bin/contrast completion bash) \
-      --fish <($cli/bin/contrast completion fish) \
-      --zsh <($cli/bin/contrast completion zsh)
-
-    mkdir -p $cli/share
-    mv $out/share/* $cli/share
   '';
 
   # Skip fixup as binaries are already stripped and we don't
   # need any other fixup, saving some seconds.
   dontFixup = true;
-
-  meta.mainProgram = "contrast";
 })
diff --git a/packages/by-name/contrast/resourcegen/package.nix b/packages/by-name/contrast/resourcegen/package.nix
@@ -1,4 +1,73 @@
 # Copyright 2025 Edgeless Systems GmbH
 # SPDX-License-Identifier: BUSL-1.1
 
-{ contrast }: contrast.out
+{
+  lib,
+  buildGoModule,
+  contrast,
+  reference-values,
+}:
+
+buildGoModule (_finalAttrs: {
+  pname = "${contrast.pname}-resourcegen";
+  inherit (contrast)
+    version
+    proxyVendor
+    vendorHash
+    ;
+
+  # The source of the main module of this repo. We filter for Go files so that
+  # changes in the other parts of this repo don't trigger a rebuild.
+  src =
+    let
+      inherit (lib) fileset path hasSuffix;
+      root = ../../../../.;
+    in
+    fileset.toSource {
+      inherit root;
+      fileset = fileset.unions [
+        (path.append root "go.mod")
+        (path.append root "go.sum")
+        (fileset.fileFilter (file: hasSuffix ".yaml" file.name) (
+          path.append root "internal/kuberesource/assets"
+        ))
+        (path.append root "internal/manifest/Milan.pem")
+        (path.append root "internal/manifest/Genoa.pem")
+        (path.append root "internal/manifest/Intel_SGX_Provisioning_Certification_RootCA.pem")
+        (fileset.intersection (fileset.fileFilter (file: hasSuffix ".go" file.name) root) (
+          fileset.unions [
+            (path.append root "internal/attestation")
+            (path.append root "internal/constants")
+            (path.append root "internal/idblock")
+            (path.append root "internal/kuberesource")
+            (path.append root "internal/manifest")
+            (path.append root "internal/platforms")
+            (path.append root "internal/userapi")
+          ]
+        ))
+      ];
+    };
+
+  subPackages = [ "internal/kuberesource/resourcegen" ];
+
+  prePatch = ''
+    install -D ${reference-values} internal/manifest/assets/reference-values.json
+  '';
+
+  env.CGO_ENABLED = 0;
+
+  ldflags = [
+    "-s"
+  ];
+
+  tags = [ "contrast_unstable_api" ];
+
+  # Skip fixup as binaries are already stripped and we don't
+  # need any other fixup, saving some seconds.
+  dontFixup = true;
+
+  meta = {
+    description = "Resource generator for Contrast";
+    mainProgram = "resourcegen";
+  };
+})
