distrust-stack/Makefile

include $(PWD)/src/toolchain/Makefile

BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF := $(wildcard infra/main/*.tf)
ENVIRONMENT := production
REGION := sfo3
ROOT_DIR := $(shell pwd)
TERRAFORM := $(ROOT_DIR)/out/terraform
SOPS := $(ROOT_DIR)/out/sops
GO := cache/fetch/go/bin/go
KEYS := \
	6B61ECD76088748C70590D55E90A401336C8AAA9 \
	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA

.DEFAULT_GOAL :=
.PHONY: default
default: \
	toolchain \
	$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
	$(OUT_DIR)/website/.well-known/openpgpkey \
	apply

.PHONY:
clean:
	rm -rf $(CACHE_DIR)

.PHONY:
credentials: \
	$(CACHE_DIR)/secrets/credentials.tfvars

$(KEY_DIR)/%.asc:
	$(call fetch_pgp_key,$(basename $(notdir $@)))

$(OUT_DIR)/website/.well-known/openpgpkey:
	$(call toolchain," \
		sq wkd \
			generate $(OUT_DIR)/website distrust.co \
			<(cat $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))) \
	")

$(OUT_DIR)/website/index.html: \
	$(OUT_DIR)/website/.well-known/openpgpkey
	$(call toolchain," \
		cd $(SRC_DIR)/website \
		&& jekyll build \
		&& cp -R _site/* /home/build/out/website/ \
	")

infra/backend/.terraform: \
	$(TERRAFORM) \
	$(BACKEND_TF)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend $(TERRAFORM) init -upgrade \
		'

infra/main/.terraform: | \
	$(TERRAFORM) \
	config/$(ENVIRONMENT).tfbackend \
	$(MAIN_TF)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main $(TERRAFORM) init -upgrade \
		-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
		'

infra/backend/$(ENVIRONMENT).tfstate: \
	$(TERRAFORM) \
	$(SOPS) \
	infra/backend/.terraform
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend \
		$(TERRAFORM) apply \
		-var environment=$(ENVIRONMENT) \
		-var namespace=$(ENVIRONMENT) \
		-var region=$(REGION) \
		-state ../../$@ \
		'

config/$(ENVIRONMENT).tfbackend: | \
	$(TERRAFORM) \
	$(SOPS) \
	# File is not committed and this has no shared state
	$(MAKE) infra/backend/$(ENVIRONMENT).tfstate
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend \
		$(TERRAFORM) \
		output -state ../../$< \
		> $@ \
		'

.PHONY:
apply: \
	$(TERRAFORM) \
	$(SOPS) \
	infra/main/.terraform
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main \
		$(TERRAFORM) apply \
		-var environment=$(ENVIRONMENT) \
		-var namespace=$(ENVIRONMENT) \
		-var region=$(REGION) \
		'
	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)

$(CACHE_DIR)/secrets:
	mkdir -p $@

$(FETCH_DIR)/go:
	mkdir -p $@ $@.tmp
	wget https://go.dev/dl/$(GO_VERSION).src.tar.gz -O $@.tmp/$(GO_VERSION).src.tar.gz
	echo "$(GO_HASH) $@.tmp/$(GO_VERSION).src.tar.gz" | sha256sum --strict --check -
	# Verify tar file is still in same format from 1.20.x
	tar -x go/VERSION -f $@.tmp/$(GO_VERSION).src.tar.gz -O > /dev/null
	tar -xf $@.tmp/$(GO_VERSION).src.tar.gz -C $(FETCH_DIR)
	rm -r $@.tmp

$(FETCH_DIR)/terraform:
	$(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF))

$(FETCH_DIR)/sops:
	$(call git_clone,$@,$(SOPS_REPO),$(SOPS_REF))

$(FETCH_DIR)/talosctl:
	$(call git_clone,$@,$(TALOSCTL_REPO),$(TALOSCTL_REF))

$(FETCH_DIR)/kubectl:
	$(call git_clone,$@,$(KUBECTL_REPO),$(KUBECTL_REF))

$(FETCH_DIR)/kustomize:
	$(call git_clone,$@,$(KUSTOMIZE_REPO),$(KUSTOMIZE_REF))

$(FETCH_DIR)/go/bin/go: $(FETCH_DIR)/go
	$(call toolchain," \
		cd $(FETCH_DIR)/go/src && \
		./make.bash \
	")

$(OUT_DIR)/terraform: $(FETCH_DIR)/terraform $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/terraform && \
		export SSL_CERT_DIR=/etc/ssl/certs && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ \
	")

$(OUT_DIR)/sops: $(FETCH_DIR)/sops $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/sops && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(SOPS_PKG) \
	")

$(OUT_DIR)/talosctl: $(FETCH_DIR)/talosctl $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/talosctl && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(TALOSCTL_PKG) \
	")

$(OUT_DIR)/kubectl: $(FETCH_DIR)/kubectl $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/kubectl && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(KUBECTL_PKG) \
	")

$(OUT_DIR)/kustomize: $(FETCH_DIR)/kustomize $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/kustomize && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(KUSTOMIZE_PKG) \
	")

# Note: Decryption MUST reset the mod time to avoid encryption/decryption loops
# Encrypt if:
# - Both files exist, local is newer than remote
# - Only local exists
define maybe_encrypt_secret
	test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
		\( -f $(1) -a ! -f $(2) \) && \
		$(SOPS) --encrypt $(1) > $(2) || true
endef

# Only decrypt when local files don't exist
# Unfortunately, this means we can't decrypt if the secrets update. We can't
# do that because otherwise it creates a loop. The secrets update, therefore we
# decrypt secrets, but because the modtime of the decrypted secrets is newer
# than the encrypted secrets, we want to reencrypt encrypted secrets.
define maybe_decrypt_secret
	test -f $(1) -a ! -f $(2) && \
		$(SOPS) --decrypt $(1) > $(2) && \
		touch -d 1970-01-01 $(2) || \
		true
endef
working terraform backend creation 2023-03-10 04:43:38 +00:00			`include $(PWD)/src/toolchain/Makefile`

initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00			`BACKEND_TF := $(wildcard infra/backend/*.tf)`
working terraform state sharing 2023-04-14 03:22:35 +00:00			`MAIN_TF := $(wildcard infra/main/*.tf)`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00			`ENVIRONMENT := production`
working terraform backend creation 2023-03-10 04:43:38 +00:00			`REGION := sfo3`
			`ROOT_DIR := $(shell pwd)`
			`TERRAFORM := $(ROOT_DIR)/out/terraform`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`SOPS := $(ROOT_DIR)/out/sops`
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`GO := cache/fetch/go/bin/go`
fetch pgp keys for all team members with make 2023-03-17 03:13:01 +00:00			`KEYS := \`
			`6B61ECD76088748C70590D55E90A401336C8AAA9 \`
			`88823A75ECAA786B0FF38B148E401478A3FBEF72 \`
generate wkd structure in out 2023-03-17 03:37:07 +00:00			`3D7C8D39E8C4DF771583D3F0A8A091FD346001CA`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00
ready to apply 2023-03-10 07:43:21 +00:00			`.DEFAULT_GOAL :=`
			`.PHONY: default`
			`default: \`
			`toolchain \`
generate wkd structure in out 2023-03-17 03:37:07 +00:00			`$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \`
auto upload website to DO bucket 2023-03-17 04:14:39 +00:00			`$(OUT_DIR)/website/.well-known/openpgpkey \`
ready to apply 2023-03-10 07:43:21 +00:00			`apply`

initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00			`.PHONY:`
			`clean:`
			`rm -rf $(CACHE_DIR)`

			`.PHONY:`
			`credentials: \`
			`$(CACHE_DIR)/secrets/credentials.tfvars`

fetch pgp keys for all team members with make 2023-03-17 03:13:01 +00:00			`$(KEY_DIR)/%.asc:`
			`$(call fetch_pgp_key,$(basename $(notdir $@)))`

auto upload website to DO bucket 2023-03-17 04:14:39 +00:00			`$(OUT_DIR)/website/.well-known/openpgpkey:`
generate wkd structure in out 2023-03-17 03:37:07 +00:00			`$(call toolchain," \`
			`sq wkd \`
auto upload website to DO bucket 2023-03-17 04:14:39 +00:00			`generate $(OUT_DIR)/website distrust.co \`
generate wkd structure in out 2023-03-17 03:37:07 +00:00			`<(cat $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))) \`
			`")`

website deploy is a thing 2023-05-05 03:31:53 +00:00			`$(OUT_DIR)/website/index.html: \`
			`$(OUT_DIR)/website/.well-known/openpgpkey`
initial website integration 2023-04-14 04:19:08 +00:00			`$(call toolchain," \`
			`cd $(SRC_DIR)/website \`
			`&& jekyll build \`
			`&& cp -R _site/* /home/build/out/website/ \`
			`")`

working terraform backend creation 2023-03-10 04:43:38 +00:00			`infra/backend/.terraform: \`
Makefile: allow binary override 2023-05-13 05:03:35 +00:00			`$(TERRAFORM) \`
working terraform backend creation 2023-03-10 04:43:38 +00:00			`$(BACKEND_TF)`
terraform_modules/digitalocean_talos_cluster: initial commit 2023-05-09 11:32:53 +00:00			`$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\`
			`env -C infra/backend $(TERRAFORM) init -upgrade \`
			`'`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00
Makefile: ignore time terraform has been built 2023-04-14 04:10:14 +00:00			`infra/main/.terraform: \| \`
Makefile: allow binary override 2023-05-13 05:03:35 +00:00			`$(TERRAFORM) \`
working terraform state sharing 2023-04-14 03:22:35 +00:00			`config/$(ENVIRONMENT).tfbackend \`
			`$(MAIN_TF)`
terraform_modules/digitalocean_talos_cluster: initial commit 2023-05-09 11:32:53 +00:00			`$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\`
			`env -C infra/main $(TERRAFORM) init -upgrade \`
			`-backend-config="../../config/$(ENVIRONMENT).tfbackend" \`
			`'`
ready to apply 2023-03-10 07:43:21 +00:00
working terraform backend creation 2023-03-10 04:43:38 +00:00			`infra/backend/$(ENVIRONMENT).tfstate: \`
Makefile: allow binary override 2023-05-13 05:03:35 +00:00			`$(TERRAFORM) \`
			`$(SOPS) \`
working terraform backend creation 2023-03-10 04:43:38 +00:00			`infra/backend/.terraform`
Makefile: remove hardcoded environment 2023-05-07 07:37:07 +00:00			`$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`env -C infra/backend \`
			`$(TERRAFORM) apply \`
working terraform backend creation 2023-03-10 04:43:38 +00:00			`-var environment=$(ENVIRONMENT) \`
			`-var namespace=$(ENVIRONMENT) \`
			`-var region=$(REGION) \`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`-state ../../$@ \`
			`'`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00
Makefile: ignore time terraform has been built 2023-04-14 04:10:14 +00:00			`config/$(ENVIRONMENT).tfbackend: \| \`
Makefile: allow binary override 2023-05-13 05:03:35 +00:00			`$(TERRAFORM) \`
			`$(SOPS) \`
fix all of ryans problems 2023-04-14 03:47:41 +00:00			`# File is not committed and this has no shared state`
			`$(MAKE) infra/backend/$(ENVIRONMENT).tfstate`
Makefile: remove hardcoded environment 2023-05-07 07:37:07 +00:00			`$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`env -C infra/backend \`
			`$(TERRAFORM) \`
ready to apply 2023-03-10 07:43:21 +00:00			`output -state ../../$< \`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`> $@ \`
			`'`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00
			`.PHONY:`
ready to apply 2023-03-10 07:43:21 +00:00			`apply: \`
Makefile: allow binary override 2023-05-13 05:03:35 +00:00			`$(TERRAFORM) \`
			`$(SOPS) \`
ready to apply 2023-03-10 07:43:21 +00:00			`infra/main/.terraform`
Makefile: improve encryption and decryption of secrets 2023-05-12 04:32:49 +00:00			`$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)`
			`$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)`
			`$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)`
			`$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)`
Makefile: remove hardcoded environment 2023-05-07 07:37:07 +00:00			`$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`env -C infra/main \`
			`$(TERRAFORM) apply \`
auto upload website to DO bucket 2023-03-17 04:14:39 +00:00			`-var environment=$(ENVIRONMENT) \`
			`-var namespace=$(ENVIRONMENT) \`
Makefile: use sops only when needed 2023-05-06 20:35:46 +00:00			`-var region=$(REGION) \`
			`'`
Makefile: improve encryption and decryption of secrets 2023-05-12 04:32:49 +00:00			`$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)`
			`$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)`
			`$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)`
			`$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00
			`$(CACHE_DIR)/secrets:`
			`mkdir -p $@`

go toolchain 1.20.4: not working, need to fix GOROOT 2023-05-25 03:18:29 +00:00			`$(FETCH_DIR)/go:`
			`mkdir -p $@ $@.tmp`
			`wget https://go.dev/dl/$(GO_VERSION).src.tar.gz -O $@.tmp/$(GO_VERSION).src.tar.gz`
			`echo "$(GO_HASH) $@.tmp/$(GO_VERSION).src.tar.gz" \| sha256sum --strict --check -`
			`# Verify tar file is still in same format from 1.20.x`
			`tar -x go/VERSION -f $@.tmp/$(GO_VERSION).src.tar.gz -O > /dev/null`
			`tar -xf $@.tmp/$(GO_VERSION).src.tar.gz -C $(FETCH_DIR)`
			`rm -r $@.tmp`

initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00			`$(FETCH_DIR)/terraform:`
			`$(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF))`

add sops binary target 2023-05-05 19:09:21 +00:00			`$(FETCH_DIR)/sops:`
			`$(call git_clone,$@,$(SOPS_REPO),$(SOPS_REF))`

Makefile: add talosctl 2023-05-12 01:25:59 +00:00			`$(FETCH_DIR)/talosctl:`
			`$(call git_clone,$@,$(TALOSCTL_REPO),$(TALOSCTL_REF))`

go toolchain 1.20.4: not working, need to fix GOROOT 2023-05-25 03:18:29 +00:00			`$(FETCH_DIR)/kubectl:`
			`$(call git_clone,$@,$(KUBECTL_REPO),$(KUBECTL_REF))`

Makefile: add kustomize 2023-06-09 01:54:20 +00:00			`$(FETCH_DIR)/kustomize:`
			`$(call git_clone,$@,$(KUSTOMIZE_REPO),$(KUSTOMIZE_REF))`

Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`$(FETCH_DIR)/go/bin/go: $(FETCH_DIR)/go`
go toolchain 1.20.4: not working, need to fix GOROOT 2023-05-25 03:18:29 +00:00			`$(call toolchain," \`
			`cd $(FETCH_DIR)/go/src && \`
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`./make.bash \`
go toolchain 1.20.4: not working, need to fix GOROOT 2023-05-25 03:18:29 +00:00			`")`

Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`$(OUT_DIR)/terraform: $(FETCH_DIR)/terraform $(GO)`
update toolchain 2023-03-10 05:06:33 +00:00			`$(call toolchain," \`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00			`cd $(FETCH_DIR)/terraform && \`
			`export SSL_CERT_DIR=/etc/ssl/certs && \`
terraform builds now 2023-03-10 03:49:01 +00:00			`export CGO_ENABLED=0 && \`
update toolchain 2023-03-10 05:06:33 +00:00			`export GOCACHE=/home/build/$(CACHE_DIR) && \`
			`export GOPATH=/home/build/$(CACHE_DIR) && \`
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`/home/build/$(GO) build \`
terraform builds now 2023-03-10 03:49:01 +00:00			`-v \`
			`-trimpath \`
			`-ldflags='-w -extldflags=-static' \`
			`-o /home/build/$@ \`
initial toolchain-refactor pass 2023-02-17 06:09:13 +00:00			`")`
add sops binary target 2023-05-05 19:09:21 +00:00
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`$(OUT_DIR)/sops: $(FETCH_DIR)/sops $(GO)`
Makefile: add sops 2023-05-05 11:18:28 +00:00			`$(call toolchain," \`
			`cd $(FETCH_DIR)/sops && \`
			`export CGO_ENABLED=0 && \`
			`export GOCACHE=/home/build/$(CACHE_DIR) && \`
			`export GOPATH=/home/build/$(CACHE_DIR) && \`
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`/home/build/$(GO) build \`
add sops binary target 2023-05-05 19:09:21 +00:00			`-v \`
			`-trimpath \`
			`-ldflags='-w -extldflags=-static' \`
Makefile: add sops 2023-05-05 11:18:28 +00:00			`-o /home/build/$@ $(SOPS_PKG) \`
add sops binary target 2023-05-05 19:09:21 +00:00			`")`
Makefile: add talosctl 2023-05-12 01:25:59 +00:00
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`$(OUT_DIR)/talosctl: $(FETCH_DIR)/talosctl $(GO)`
Makefile: add talosctl 2023-05-12 01:25:59 +00:00			`$(call toolchain," \`
			`cd $(FETCH_DIR)/talosctl && \`
			`export CGO_ENABLED=0 && \`
			`export GOCACHE=/home/build/$(CACHE_DIR) && \`
			`export GOPATH=/home/build/$(CACHE_DIR) && \`
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`/home/build/$(GO) build \`
Makefile: add talosctl 2023-05-12 01:25:59 +00:00			`-v \`
			`-trimpath \`
			`-ldflags='-w -extldflags=-static' \`
			`-o /home/build/$@ $(TALOSCTL_PKG) \`
			`")`
Makefile: improve encryption and decryption of secrets 2023-05-12 04:32:49 +00:00
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`$(OUT_DIR)/kubectl: $(FETCH_DIR)/kubectl $(GO)`
go toolchain 1.20.4: not working, need to fix GOROOT 2023-05-25 03:18:29 +00:00			`$(call toolchain," \`
			`cd $(FETCH_DIR)/kubectl && \`
			`export CGO_ENABLED=0 && \`
			`export GOCACHE=/home/build/$(CACHE_DIR) && \`
			`export GOPATH=/home/build/$(CACHE_DIR) && \`
Makefile: fix gopath issues 2023-06-09 01:46:25 +00:00			`/home/build/$(GO) build \`
go toolchain 1.20.4: not working, need to fix GOROOT 2023-05-25 03:18:29 +00:00			`-v \`
			`-trimpath \`
			`-ldflags='-w -extldflags=-static' \`
			`-o /home/build/$@ $(KUBECTL_PKG) \`
			`")`

Makefile: add kustomize 2023-06-09 01:54:20 +00:00			`$(OUT_DIR)/kustomize: $(FETCH_DIR)/kustomize $(GO)`
			`$(call toolchain," \`
			`cd $(FETCH_DIR)/kustomize && \`
			`export CGO_ENABLED=0 && \`
			`export GOCACHE=/home/build/$(CACHE_DIR) && \`
			`export GOPATH=/home/build/$(CACHE_DIR) && \`
			`/home/build/$(GO) build \`
			`-v \`
			`-trimpath \`
			`-ldflags='-w -extldflags=-static' \`
			`-o /home/build/$@ $(KUSTOMIZE_PKG) \`
			`")`

Makefile: improve encryption and decryption of secrets 2023-05-12 04:32:49 +00:00			`# Note: Decryption MUST reset the mod time to avoid encryption/decryption loops`
			`# Encrypt if:`
			`# - Both files exist, local is newer than remote`
			`# - Only local exists`
			`define maybe_encrypt_secret`
			`test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \`
			`\( -f $(1) -a ! -f $(2) \) && \`
			`$(SOPS) --encrypt $(1) > $(2) \|\| true`
			`endef`

			`# Only decrypt when local files don't exist`
			`# Unfortunately, this means we can't decrypt if the secrets update. We can't`
			`# do that because otherwise it creates a loop. The secrets update, therefore we`
			`# decrypt secrets, but because the modtime of the decrypted secrets is newer`
			`# than the encrypted secrets, we want to reencrypt encrypted secrets.`
			`define maybe_decrypt_secret`
			`test -f $(1) -a ! -f $(2) && \`
			`$(SOPS) --decrypt $(1) > $(2) && \`
			`touch -d 1970-01-01 $(2) \|\| \`
			`true`
			`endef`