Closed LoganBarnett closed 3 months ago
I know I can use
deps
to declare dependencies between generators. However I want to have dependencies between secrets.
No reasoning needed, dependencies are already between secrets - not generators :D I've built this precisely for the purpose of regenerating dependencies when the parent changes, because I wanted to auto-generate nginx htpasswd files (you can see this example in the readme).
The generator gets passed deps
as an argument so it has access to the specific dependencies of the secret that is generated. And it will automatically be regenerated if any of these deps changes. It might be a bit misleading that the definition of dependencies
is nested in the generator
scope, but this is becaues it's only relevant to the generator. What we usually refer to as the generator is really just the .script
setting.
Does this make sense or have I missed something specific in your example about certificates?
I think between your explanation here and a closer look at the htpasswd
example you mentioned, I get it now. The generator "script" is provided deps
but the generator.dependencies
are the script's dependencies given to that generator. I'll take another pass at it but I suspect this will do the trick. Thanks again!
I think we can close this. I can refine my question further if I run into something anew :)
It occurs to me that I mentioned #21 for an added settings
but that doesn't have it (nor is the branch I was thinking of actually there!). I'll get that filed, and update the references for posterity. I still believe a settings
is needed.
I'm open to the idea that I'm going about this the wrong way.
Some context: I have an ambitious goal of generating TLS certificates for all of my hosts, all chained to a CA - and the best part is I want
agenix-rekey
conducting all of this for me. My #21 PR is part of this work.I know TLS can get pretty complicated and distributed. I'm just working with the assumption of a single root + leaf certificates - nothing in between and no crazy features forwarded. That is presently beyond my simian mind.
I want my CA generated on the fly. Granted this happens once, but when I have to reissue it (for when it expires), I want the CA and the leaf certs to be regenerated as well. It also makes the configuration really easy to share with others as a reusable generator. Most of this
agenix-rekey
can already do as I understand it.Here's the caveat:
I know I can use
deps
to declare dependencies between generators. However I want to have dependencies between secrets. My reasoning: Let's say I have hostsalice
andbob
. They both will need leaf certificates tied to the same CA. I need a way of indicating that they are tied to this CA, and not just any CA. Under the current system ofdeps
, each host would generate a leaf on its own CA, unless I'm misunderstanding something. That, or I wouldn't be able to indicate an arbitrary CA (only one CA because there's only one CA generator).Okay that's a lot of words. Let's show some code that pushes this idea. Please, correct me if I'm just on the wrong path here :) Note that this does assume my
settings
addition in #21 went in.I have these generators:
The root:
The leaf:
You'll notice the leaf generator has some
ls
statements in it so I can see why I can't get thesettings.root-certificate.path
expression to give me some actual files. This is its output:The first
ls
showing me the signing key that was generating during this run, and the second showing me the root certificate decrypted values (I would hope). The secondls
is failing.This got me thinking: This error is likely presenting itself because
root-certificate
hasn't been emitted yet. That then leads me to the question I've had, which is: Is there a way we can depend upon and reference secrets from other secrets? Or is that the wrong approach entirely?For additional context, here is the secret definitions:
Thanks again for your work on this and all of your help!