just: inject imagepuller config

Author: charludo

justfile

@@ -103,6 +103,16 @@ populate target=default_deploy_target platform=default_platform:
     if [[ -f ./{{ workspace_dir }}/deployment/deployment.yml ]]; then
         echo "---" >> ./{{ workspace_dir }}/deployment/deployment.yml
     fi
+    if [ -n "$CONTRAST_GHCR_READ" ]; then
+        cat > "./{{ workspace_dir }}/contrast-imagepuller.toml" <<EOF
+        [registries]
+        [registries."ghcr.io."]
+        auth = "$(printf "user-not-required-here:%s" "$CONTRAST_GHCR_READ" | base64 -w0)"
+        EOF
+        kubectl create secret generic contrast-node-installer-imagepuller-config \
+            --from-file "contrast-imagepuller.toml"="./{{ workspace_dir }}/contrast-imagepuller.toml"
+            --namespace {{ target }}${namespace_suffix-} \
+    fi
     dmesgFlag=""
     # For debug, we already add the debugshell container which exposes the full journal.
     if [[ "${debug:-}" != "true" ]]; then
@@ -335,12 +345,20 @@ get-credentials platform=default_platform:
         ;;
     esac
 
+    token=$(nix run -L .#scripts.get-read-token "projects/796962942582/secrets/ghcr-read-token/versions/latest")
+    sed -i "s/^CONTRAST_GHCR_READ=.*/CONTRAST_GHCR_READ=\"${token}\"/" justfile.env
+
 # Load the kubeconfig from the dev cluster.
 get-credentials-dev:
+    #!/usr/bin/env bash
+    set -euo pipefail
     nix run -L .#scripts.get-credentials "projects/796962942582/secrets/hetzner-ax162-snp-kubeconfig/versions/latest"
     sed -i 's/^default_platform=.*/default_platform="Metal-QEMU-SNP"/' justfile.env
     sed -i 's/^node_installer_target_conf_type=.*/node_installer_target_conf_type="k3s"/' justfile.env
 
+    token=$(nix run -L .#scripts.get-read-token "projects/796962942582/secrets/ghcr-read-token/versions/latest")
+    sed -i "s/^CONTRAST_GHCR_READ=.*/CONTRAST_GHCR_READ=\"${token}\"/" justfile.env
+
 # Run code generators.
 codegen:
     nix run -L .#scripts.generate
@@ -395,6 +413,8 @@ namespace_suffix=""
 CONTRAST_CACHE_DIR="./workspace.cache"
 # Log level for the CLI.
 CONTRAST_LOG_LEVEL=""
+# A Github token with read access to Contrast's ghcr.io packages.
+CONTRAST_GHCR_READ=""
 '''
 
 # Developer onboarding.

packages/scripts.nix

@@ -381,7 +381,7 @@ lib.makeScope pkgs.newScope (scripts: {
 
   # Usage: get-credentials $gcloudSecretRef
   get-credentials = writeShellApplication {
-    name = "extract-policies";
+    name = "get-credentials";
     runtimeInputs = with pkgs; [
       google-cloud-sdk
       scripts.merge-kube-config
@@ -394,6 +394,19 @@ lib.makeScope pkgs.newScope (scripts: {
     '';
   };
 
+  # Usage: get-read-token $gcloudSecretRef
+  get-read-token = writeShellApplication {
+    name = "get-read-token";
+    runtimeInputs = with pkgs; [
+      google-cloud-sdk
+    ];
+    text = ''
+      set -euo pipefail
+      # this is the officially recommended way to get the raw output...
+      gcloud secrets versions access "$1" --format='get(payload.data)' | tr '_-' '/+' | base64 -d
+    '';
+  };
+
   # Usage: get-logs [start | download] $namespaceFile
   get-logs = writeShellApplication {
     name = "get-logs";