helm-external-secrets/Tiltfile

# -*- mode: Python -*-

kubectl_cmd = "kubectl"

# verify kubectl command exists
if str(local("command -v " + kubectl_cmd + " || true", quiet = True)) == "":
    fail("Required command '" + kubectl_cmd + "' not found in PATH")

# set defaults
settings = {
    "debug": {
        "enabled": False,
    },
}

# merge default settings with user defined settings
tilt_file = "./tilt-settings.yaml" if os.path.exists("./tilt-settings.yaml") else "./tilt-settings.json"
settings.update(read_yaml(
    tilt_file,
    default = {},
))

# set up the development environment

# Split the YAML into CRDs and other resources
objects = decode_yaml_stream(read_file('bin/deploy/manifests/external-secrets.yaml'))

crds = []
other_resources = []

for o in objects:
    if o.get('kind') == 'CustomResourceDefinition':
        crds.append(o)
    else:
        other_resources.append(o)

# Process deployments for development
for o in other_resources:
    if o.get('kind') == 'Deployment' and o.get('metadata').get('name') in ['external-secrets-cert-controller', 'external-secrets', 'external-secrets-webhook']:
        o['spec']['template']['spec']['containers'][0]['securityContext'] = {'runAsNonRoot': False, 'readOnlyRootFilesystem': False}
        o['spec']['template']['spec']['containers'][0]['imagePullPolicy'] = 'Always'
        if settings.get('debug').get('enabled') and o.get('metadata').get('name') == 'external-secrets':
            o['spec']['template']['spec']['containers'][0]['ports'] = [{'containerPort': 30000}]

# Create the directory
local('mkdir -p .tilt-tmp')

# Apply CRDs with server-side apply (handles large CRDs)
if crds:
    crd_yaml = encode_yaml_stream(crds)
    local('cat > .tilt-tmp/external-secrets-crds.yaml', stdin=crd_yaml)
    local_resource(
        'apply-crds',
        'kubectl apply --server-side -f .tilt-tmp/external-secrets-crds.yaml',
        deps=['bin/deploy/manifests/external-secrets.yaml']
    )

# Use regular k8s_yaml for deployments (Tilt will handle image substitution)
if other_resources:
    deployments_yaml = encode_yaml_stream(other_resources)
    local('cat > .tilt-tmp/external-secrets-deployments.yaml', stdin=deployments_yaml)
    k8s_yaml('.tilt-tmp/external-secrets-deployments.yaml')

load('ext://restart_process', 'docker_build_with_restart')

# enable hot reloading by doing the following:
# - locally build the whole project
# - create a docker imagine using tilt's hot-swap wrapper
# - push that container to the local tilt registry
# Once done, rebuilding now should be a lot faster since only the relevant
# binary is rebuilt and the hot swat wrapper takes care of the rest.
gcflags = ''
if settings.get('debug').get('enabled'):
    gcflags = '-N -l'

buildtags = settings.get('buildtags', 'all_providers')

local_resource(
    'external-secret-binary',
    "CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -tags '{buildtags}' -gcflags '{gcflags}' -v -o bin/external-secrets ./".format(buildtags=buildtags, gcflags=gcflags),
    deps = [
        "main.go",
        "go.mod",
        "go.sum",
        "apis",
        "cmd",
        "pkg",
    ],
)

# Build the docker image for our controller. We use a specific Dockerfile
# since tilt can't run on a scratch container.
# `only` here is important, otherwise, the container will get updated
# on _any_ file change. We only want to monitor the binary.
# If debugging is enabled, we switch to a different docker file using
# the delve port.
entrypoint = ['/external-secrets']
dockerfile = 'tilt.dockerfile'
if settings.get('debug').get('enabled'):
    k8s_resource('external-secrets', port_forwards=[
        port_forward(30000, 30000, 'debugger'),
    ])
    entrypoint = ['/dlv', '--listen=:30000', '--api-version=2', '--continue=true', '--accept-multiclient=true', '--headless=true', 'exec', '/external-secrets', '--']
    dockerfile = 'tilt.debug.dockerfile'

docker_build_with_restart(
    'ghcr.io/external-secrets/external-secrets',
    '.',
    dockerfile = dockerfile,
    entrypoint = entrypoint,
    only=[
      './bin',
    ],
    live_update = [
        sync('./bin/external-secrets', '/external-secrets'),
    ],
)