41 changes: 41 additions & 0 deletions flake.lock

30 changes: 30 additions & 0 deletions flake.nix
@@ -0,0 +1,30 @@
{

description = "Kubernetes object analysis with recommendations for improved reliability and security";

inputs.flake-utils.url = "github:numtide/flake-utils";

outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachDefaultSystem (system:
let pkgs = import nixpkgs { inherit system; }; in
rec {
packages.kube-score = pkgs.buildGoModule {
name = "kube-score";
src = self;
vendorSha256 = "sha256-E9pcJsnoF/SKRCjrHZY8Ybd8kV1F3FYwdnLJ0mHyRLA="; # master
Owner

As kube-score is using automated tooling for dependency management, especially for upgrades, I’d prefer if we didn’t have to specify this checksum. Is there a way to avoid it?

If it’s there, I’d assume that it will be out of date and that builds will start to fail as soon as go.mod is updated, or am I wrong here?

Author

@blaggacao blaggacao Jul 19, 2020

Your assumptions are both right. vendorSha256 = null does disable the paranoid check. However, paranoid checks are considered a good thing looking at it on the aggregate level. And, when I tried building it without it, there seems to be a bug somewhere in the environment when resolving some kubeapiserver packages to .. I can have another go at this, but it looked rather obscure. Not sure if this is a bug on nix tooling's side. Maybe not.

Author

Unfortunately it looks like nixpkgs.buildGoPackage is built in a way so that it can only "trust" dependencies if they are vendored and checked into source.
See:
https://github.com/NixOS/nixpkgs/blob/0a2cff8e74baacfa8da9bad843699fe71a8c3053/pkgs/development/go-modules/generic/default.nix#L18-L20

So I'm afraid it looks like this is not possible, since I assume you don't want to vendor sources either.

Author

@blaggacao blaggacao Jul 19, 2020

I think the root cause is that nix doesn't want to offload the source of truth to other tooling. Even though Go arguably does a good job in reproducibility and validation with go.sum, it's just that since those resources are fetched over the network, nix wants to make sure (on its own) that what's in the box is what it pretends to be.


Maybe it's possible to do something similar to what we do with Rust, namely get the dependencies from Cargo.lock. That way you don't need a vendorSha256 in your flake.nix that could get out of date. See https://github.com/edolstra/import-cargo.

Author

That sounds like it would be an excellent leverage for the nix community and would naturally lower the barrier to adoption.

# vendorSha256 = "sha256-COY4AonAvJhH+io6Z7I9CsK1pnsK/Yi248QMkVPK6u0="; # v1.7.2
buildFlagsArray = ''
-ldflags=
-w -s
-X main.version=rolling
-X main.commit=${if self ? rev then self.rev else "dirty"}
-X main.date=${self.lastModifiedDate}
-X main.builtBy=nix
'';
};
defaultPackage = packages.kube-score;
apps.kube-score = flake-utils.lib.mkApp { drv = packages.kube-score; };
defaultApp = apps.kube-score;
}
);
}
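Review bot: the vendorSha256 line (marked "# master") is the one part of this flake that silently drifts: with src = self the build follows whatever checkout is being built, so every go.mod/go.sum change makes the pinned hash wrong and the build fails with a hash mismatch, which is exactly the concern raised in the thread. Two suggestions for that region: add a comment beside the line saying how to regenerate it (build once with the hash set to pkgs.lib.fakeSha256 and copy the "got:" value Nix prints into vendorSha256), and drop the commented-out "# vendorSha256 = ... # v1.7.2" line, since a hash for a tagged release can never be correct for src = self and will only mislead the next person who edits the file. A smaller point on the inputs: nixpkgs is taken as an argument of outputs but is not declared under inputs, so it is resolved through the flake registry and only pinned by flake.lock; declaring inputs.nixpkgs.url explicitly next to flake-utils makes the pin visible in the file itself.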
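The thread above ends on the question of whether the vendor hash will go stale as soon as go.mod changes. It will, and the alternative of disabling the check (vendorSha256 = null) throws away the only integrity check Nix performs on the fetched module set. The script below is an added example, not code from the kube-score PR or from nixpkgs: it automates the usual refresh step, taking the "got:" hash from the hash-mismatch message that `nix build` prints and writing it into the vendorSha256 line of flake.nix, while leaving a commented-out vendorSha256 line untouched. The error text and the flake.nix fragment it operates on are constructed samples embedded in the script so it runs offline; the assumption is that the message follows the "specified: ... / got: ..." layout Nix prints for a fixed-output hash mismatch.

```shell
#!/usr/bin/env sh
# Added example (not part of the kube-score PR or of nixpkgs):
# refresh a stale vendorSha256 in flake.nix from the hash-mismatch message
# that `nix build` prints when the pinned hash no longer matches the Go
# module set. Workflow this automates:
#   1. run the build with the current (stale) hash;
#   2. if Nix reports a fixed-output hash mismatch, take the hash after
#      "got:" and write it into the uncommented vendorSha256 line.
# The build itself is not run here; a constructed stderr sample stands in.
set -eu

# Constructed sample of the stderr `nix build` emits on a mismatch.
# The "got:" value below is a placeholder, not a real digest.
SAMPLE_LOG=$(cat <<'EOF'
error: hash mismatch in fixed-output derivation '/nix/store/xxxx-kube-score-go-modules.drv':
         specified: sha256-E9pcJsnoF/SKRCjrHZY8Ybd8kV1F3FYwdnLJ0mHyRLA=
            got:    sha256-cONsTRUCTEDsAMPLEhASHnOTaREALdIGESTxxxxxxxx=
EOF
)

# Print the "got:" hash from a nix build log. Returns 1 and prints nothing
# when the log carries no mismatch line, so an unrelated build failure is
# not mistaken for a stale hash and never rewrites the flake.
extract_got_hash() {
  log="$1"
  hash=$(printf '%s\n' "$log" \
    | sed -n 's/^[[:space:]]*got:[[:space:]]*\(sha256-[A-Za-z0-9+\/=]*\).*/\1/p' \
    | head -n 1)
  [ -n "$hash" ] || return 1
  printf '%s\n' "$hash"
}

# Replace the hash on the uncommented vendorSha256 line of a flake.nix file
# and print how many lines now carry the new hash (expected: 1).
# A line such as `# vendorSha256 = ...` is left alone because the pattern
# only allows whitespace before the attribute name.
update_vendor_hash() {
  file="$1"
  new_hash="$2"
  sed "s|^\([[:space:]]*vendorSha256 = \)\"sha256-[A-Za-z0-9+/=]*\"|\1\"${new_hash}\"|" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  grep -c "^[[:space:]]*vendorSha256 = \"${new_hash}\"" "$file"
}

# Write a constructed two-line flake.nix fragment (the two hash lines from the
# PR) into a directory, so the update can be demonstrated without a checkout.
write_sample_flake() {
  dir="$1"
  cat > "$dir/flake.nix" <<'EOF'
    vendorSha256 = "sha256-E9pcJsnoF/SKRCjrHZY8Ybd8kV1F3FYwdnLJ0mHyRLA="; # master
    # vendorSha256 = "sha256-COY4AonAvJhH+io6Z7I9CsK1pnsK/Yi248QMkVPK6u0="; # v1.7.2
EOF
}

# End-to-end run on the constructed samples; prints the updated fragment.
demo() {
  dir=$(mktemp -d)
  write_sample_flake "$dir"
  got=$(extract_got_hash "$SAMPLE_LOG")
  echo "refreshing vendorSha256 to $got"
  update_vendor_hash "$dir/flake.nix" "$got" > /dev/null
  cat "$dir/flake.nix"
  rm -r "$dir"
}

demo
```

In a real checkout the log would come from `nix build 2>&1` after a go.mod change, and a CI job can run the same two functions and fail the pipeline when the hash is stale rather than leaving the mismatch to be discovered by whoever builds next.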