fix case when secrets are regenerated during update/install
This commit is contained in:
parent
573a462aee
commit
b3522b73aa
@ -36,12 +36,13 @@ def generate_service_facts(
|
||||
public_facts_store: FactStoreBase,
|
||||
tmpdir: Path,
|
||||
prompt: Callable[[str], str],
|
||||
) -> None:
|
||||
) -> bool:
|
||||
service_dir = tmpdir / service
|
||||
# check if all secrets exist and generate them if at least one is missing
|
||||
needs_regeneration = not check_secrets(machine, service=service)
|
||||
log.debug(f"{service} needs_regeneration: {needs_regeneration}")
|
||||
if needs_regeneration:
|
||||
if not needs_regeneration:
|
||||
return False
|
||||
if not isinstance(machine.flake, Path):
|
||||
msg = f"flake is not a Path: {machine.flake}"
|
||||
msg += "fact/secret generation is only supported for local flakes"
|
||||
@ -59,9 +60,7 @@ def generate_service_facts(
|
||||
else:
|
||||
generator = machine.facts_data[service]["generator"]["finalScript"]
|
||||
if machine.facts_data[service]["generator"]["prompt"]:
|
||||
prompt_value = prompt(
|
||||
machine.facts_data[service]["generator"]["prompt"]
|
||||
)
|
||||
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
||||
env["prompt_value"] = prompt_value
|
||||
# fmt: off
|
||||
cmd = nix_shell(
|
||||
@ -125,12 +124,13 @@ def generate_service_facts(
|
||||
machine.flake_dir,
|
||||
f"Update facts/secrets for service {service} in machine {machine.name}",
|
||||
)
|
||||
return True
|
||||
|
||||
|
||||
def generate_facts(
|
||||
machine: Machine,
|
||||
prompt: None | Callable[[str], str] = None,
|
||||
) -> None:
|
||||
) -> bool:
|
||||
secret_facts_module = importlib.import_module(machine.secret_facts_module)
|
||||
secret_facts_store = secret_facts_module.SecretStore(machine=machine)
|
||||
|
||||
@ -145,10 +145,11 @@ def generate_facts(
|
||||
|
||||
prompt = prompt_func
|
||||
|
||||
was_regenerated = False
|
||||
with TemporaryDirectory() as tmp:
|
||||
tmpdir = Path(tmp)
|
||||
for service in machine.facts_data:
|
||||
generate_service_facts(
|
||||
was_regenerated |= generate_service_facts(
|
||||
machine=machine,
|
||||
service=service,
|
||||
secret_facts_store=secret_facts_store,
|
||||
@ -157,7 +158,12 @@ def generate_facts(
|
||||
prompt=prompt,
|
||||
)
|
||||
|
||||
print("successfully generated secrets")
|
||||
if was_regenerated:
|
||||
# flush caches to make sure the new secrets are available in evaluation
|
||||
machine.flush_caches()
|
||||
else:
|
||||
print("All secrets and facts are already up to date")
|
||||
return was_regenerated
|
||||
|
||||
|
||||
def generate_command(args: argparse.Namespace) -> None:
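Review bot: In the last hunk `machine.flush_caches()` runs only if the whole loop completes; if `generate_service_facts` raises for a later service after an earlier one already committed regenerated secrets into the flake, the exception skips the flush and leaves `_deployment_info`, `_flake_path` and the eval/build caches stale, so a caller that catches the error and keeps using the same `Machine` would evaluate against the old facts. Moving the flush into a `finally:` keyed on `was_regenerated` closes that gap while keeping the "already up to date" message and the return on the success path. Both functions now return a bool that is nowhere documented; a docstring such as `"""Generate missing facts/secrets for every service; return True if anything was regenerated."""` on `generate_facts` (and the per-service equivalent on `generate_service_facts`) would make the `|=` accumulation self-explanatory. `generate_service_facts` continues outside the hunks shown, so any return paths between the early `return False` and the final `return True` are not visible here.
```python
    was_regenerated = False
    try:
        with TemporaryDirectory() as tmp:
            tmpdir = Path(tmp)
            for service in machine.facts_data:
                was_regenerated |= generate_service_facts(
                    # … unchanged: keyword arguments …
                )
    finally:
        if was_regenerated:
            # flush caches even on a partial failure so no stale evaluation survives
            machine.flush_caches()
    if not was_regenerated:
        print("All secrets and facts are already up to date")
    return was_regenerated
```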
|
||||
|
@ -81,6 +81,12 @@ class Machine:
|
||||
|
||||
self.vm: QMPWrapper = QMPWrapper(state_dir)
|
||||
|
||||
def flush_caches(self) -> None:
|
||||
self._deployment_info = None
|
||||
self._flake_path = None
|
||||
self.build_cache.clear()
|
||||
self.eval_cache.clear()
|
||||
|
||||
def __str__(self) -> str:
|
||||
return f"Machine(name={self.data.name}, flake={self.data.flake_id})"
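Review bot: `flush_caches` has no docstring, and since it is the hook the fact generator calls after writing new secrets, a reader needs to know why these four pieces of state are dropped together; something like `"""Discard memoised deployment info, flake path and the eval/build caches so the next evaluation picks up freshly generated facts/secrets."""` would do. Any other memoised attribute on `Machine` that is derived from the flake would have to be reset here as well, but the rest of the class is outside this hunk so that cannot be checked from here. The enclosing `class Machine` starts outside the hunk.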
|
||||
|
||||
|
@ -96,6 +96,11 @@ def deploy_nixos(hosts: HostGroup) -> None:
|
||||
ssh_arg = f"-p {h.port}" if h.port else ""
|
||||
env = os.environ.copy()
|
||||
env["NIX_SSHOPTS"] = ssh_arg
|
||||
machine: Machine = h.meta["machine"]
|
||||
|
||||
generate_facts(machine)
|
||||
upload_secrets(machine)
|
||||
|
||||
path = upload_sources(".", target)
|
||||
|
||||
if h.host_key_check != HostKeyCheck.STRICT:
|
||||
@ -105,11 +110,6 @@ def deploy_nixos(hosts: HostGroup) -> None:
|
||||
|
||||
ssh_arg += " -i " + h.key if h.key else ""
|
||||
|
||||
machine: Machine = h.meta["machine"]
|
||||
|
||||
generate_facts(machine)
|
||||
upload_secrets(machine)
|
||||
|
||||
extra_args = h.meta.get("extra_args", [])
|
||||
cmd = [
|
||||
"nixos-rebuild",
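Review bot: Moving `generate_facts(machine)` and `upload_secrets(machine)` ahead of `upload_sources(".", target)` is the substance of the fix, but nothing in the code says why the order matters; a comment such as `# regenerate facts/secrets first so the uploaded source tree already contains them` above the `generate_facts` call would keep a later refactor from reordering them back. The new order only helps if the tree uploaded from `"."` is the same flake that `generate_service_facts` commits into via `machine.flake_dir`; presumably the deploy runs from the flake root, but if the two can differ the target would still evaluate the old facts, so uploading `machine.flake_dir` explicitly is worth confirming. The bool that `generate_facts` now returns is dropped here, which is acceptable for a deploy but could be logged for the operator. `deploy_nixos` starts and ends outside the hunks shown.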
|
||||
|