(#8 ) Create secret subcommand

This patch adds a holos create secret command that behaves like kubectl create secret, but for the specific use case of provisioning holos clusters. ``` ❯ holos create secret k2-talos --cluster-name=k2 --from-file=secrets.yaml 4:48PM INF secret.go:104 created: k2-talos-49546d9fd7 version=0.45.0 secret=k2-talos-49546d9fd7 name=k2-talos namespace=secrets ``` Once the corresponding `holos get secret` subcommands are implemented the kv subcommand may be removed.
(#6 ) Holos kv put command to create secrets
2026-03-19 08:44:58 +00:00 · 2024-02-23 16:49:13 -08:00 · 2024-02-23 12:03:47 -08:00 · 2024-02-22 22:06:23 -08:00 · 2024-02-22 21:46:41 -08:00 · 2024-02-22 21:42:07 -08:00
23 changed files with 801 additions and 263 deletions
--- a/cmd/holos/main.go
+++ b/cmd/holos/main.go
@@ -4,14 +4,14 @@ import (
 	"context"
 	"errors"
 	"github.com/holos-run/holos/pkg/cli"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/wrapper"
 	"log/slog"
 	"os"
 )

 func main() {
-	cfg := config.New()
+	cfg := holos.New()
 	slog.SetDefault(cfg.Logger())
 	ctx := context.Background()
 	if err := cli.New(cfg).ExecuteContext(ctx); err != nil {
--- a/go.mod
+++ b/go.mod
@@ -54,6 +54,7 @@ require (
 	k8s.io/api v0.29.2 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/kubectl v0.29.2 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -183,6 +183,8 @@ k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/kubectl v0.29.2 h1:uaDYaBhumvkwz0S2XHt36fK0v5IdNgL7HyUniwb2IUo=
+k8s.io/kubectl v0.29.2/go.mod h1:BhizuYBGcKaHWyq+G7txGw2fXg576QbPrrnQdQDZgqI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
--- a/pkg/cli/build/build.go
+++ b/pkg/cli/build/build.go
@@ -1,8 +1,9 @@
-package cli
+package build

 import (
 	"fmt"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/internal/builder"
 	"github.com/holos-run/holos/pkg/wrapper"
 	"github.com/spf13/cobra"
@@ -10,7 +11,7 @@ import (
 )

 // makeBuildRunFunc returns the internal implementation of the build cli command
-func makeBuildRunFunc(cfg *config.Config) runFunc {
+func makeBuildRunFunc(cfg *holos.Config) command.RunFunc {
 	return func(cmd *cobra.Command, args []string) error {
 		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 		results, err := build.Run(cmd.Context())
@@ -29,9 +30,9 @@ func makeBuildRunFunc(cfg *config.Config) runFunc {
 	}
 }

-// newBuildCmd returns the build subcommand for the root command
-func newBuildCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("build [directory...]")
+// New returns the build subcommand for the root command
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("build [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "build kubernetes api objects from a directory"
 	cmd.RunE = makeBuildRunFunc(cfg)
--- a/pkg/cli/command/cmd.go
+++ b/pkg/cli/command/cmd.go
@@ -0,0 +1,37 @@
+package command
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+)
+
+// RunFunc is a cobra.Command RunE function.
+type RunFunc func(c *cobra.Command, args []string) error
+
+// New returns a new subcommand
+func New(name string) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     name,
+		Version: version.Version,
+		Args:    cobra.NoArgs,
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true,
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			return wrapper.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	return cmd
+}
+
+// EnsureNewline adds a trailing newline if not already there.
+func EnsureNewline(b []byte) []byte {
+	if len(b) > 0 && b[len(b)-1] != '\n' {
+		b = append(b, '\n')
+	}
+	return b
+}
--- a/pkg/cli/create/create.go
+++ b/pkg/cli/create/create.go
@@ -0,0 +1,23 @@
+package create
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/spf13/cobra"
+)
+
+// New returns the create command for the cli
+func New(hc *holos.Config) *cobra.Command {
+	cmd := command.New("create")
+	cmd.Short = "create resources"
+	cmd.Flags().SortFlags = false
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		return c.Usage()
+	}
+	// flags
+	cmd.PersistentFlags().SortFlags = false
+	// commands
+	cmd.AddCommand(secret.NewCreateCmd(hc))
+	return cmd
+}
--- a/pkg/cli/kv.go
+++ b/pkg/cli/kv.go
@@ -1,90 +0,0 @@
-package cli
-
-import (
-	"github.com/holos-run/holos/pkg/config"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/wrapper"
-	"github.com/spf13/cobra"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
-	"sort"
-)
-
-const NameLabel = "holos.run/secret.name"
-
-// newKVRootCmd returns the kv root command for the cli
-func newKVRootCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("kv")
-	cmd.Short = "work with secrets in the provisioner cluster"
-	cmd.Flags().SortFlags = false
-	cmd.RunE = func(c *cobra.Command, args []string) error {
-		return c.Usage()
-	}
-	// flags
-	cmd.PersistentFlags().SortFlags = false
-	cmd.PersistentFlags().AddGoFlagSet(cfg.KVFlagSet())
-	// subcommands
-	cmd.AddCommand(newKVGetCmd(cfg))
-	return cmd
-}
-
-func newKVGetCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("get")
-	cmd.Args = cobra.MinimumNArgs(1)
-	cmd.Short = "print secret data in txtar format"
-	cmd.Flags().SortFlags = false
-	cmd.RunE = makeKVGetRunFunc(cfg)
-
-	return cmd
-}
-
-func makeKVGetRunFunc(cfg *config.Config) runFunc {
-	return func(cmd *cobra.Command, args []string) error {
-		ctx := cmd.Context()
-		log := logger.FromContext(ctx)
-		kcfg, err := clientcmd.BuildConfigFromFlags("", cfg.KVKubeconfig())
-		if err != nil {
-			return wrapper.Wrap(err)
-		}
-		clientset, err := kubernetes.NewForConfig(kcfg)
-		if err != nil {
-			return wrapper.Wrap(err)
-		}
-
-		for _, name := range args {
-			nlog := log.With(NameLabel, name)
-			opts := metav1.ListOptions{
-				LabelSelector: NameLabel + "=" + name,
-			}
-			list, err := clientset.CoreV1().Secrets(cfg.KVNamespace()).List(ctx, opts)
-			if err != nil {
-				return wrapper.Wrap(err)
-			}
-			nlog.DebugContext(ctx, "results", "len", len(list.Items))
-			if len(list.Items) < 1 {
-				continue
-			}
-
-			sort.Slice(list.Items, func(i, j int) bool {
-				return list.Items[i].CreationTimestamp.Before(&list.Items[j].CreationTimestamp)
-			})
-
-			// most recent secret is the one we want.
-			secret := list.Items[len(list.Items)-1]
-
-			for k, v := range secret.Data {
-				nlog.DebugContext(ctx, "data", "name", secret.Name, "key", k, "len", len(v))
-			}
-
-			if len(secret.Data) > 0 {
-				cfg.Println(secret.Name)
-			}
-			for k, v := range secret.Data {
-				cfg.Printf("-- %s --\n", k)
-				cfg.Write(ensureNewline(v))
-			}
-		}
-		return nil
-	}
-}
--- a/pkg/cli/kv/get.go
+++ b/pkg/cli/kv/get.go
@@ -0,0 +1,97 @@
+package kv
+
+import (
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sort"
+)
+
+type getConfig struct {
+	file *string
+}
+
+func newGetCmd(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("get")
+	cmd.Args = cobra.MinimumNArgs(1)
+	cmd.Short = "print secret data in txtar format"
+
+	cf := getConfig{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	cf.file = flagSet.String("file", "", "file to print to stdout")
+
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.RunE = makeGetRunFunc(cfg, cf)
+
+	return cmd
+}
+
+func makeGetRunFunc(cfg *holos.Config, cf getConfig) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		log := logger.FromContext(ctx)
+
+		cs, err := newClientSet(cfg)
+		if err != nil {
+			return err
+		}
+
+		for _, name := range args {
+			nlog := log.With(secret.NameLabel, name)
+			opts := metav1.ListOptions{
+				LabelSelector: secret.NameLabel + "=" + name,
+			}
+			if name := cfg.ClusterName(); name != "" {
+				opts.LabelSelector += fmt.Sprintf(",%s=%s", secret.ClusterLabel, name)
+			}
+			list, err := cs.CoreV1().Secrets(cfg.KVNamespace()).List(ctx, opts)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			nlog.DebugContext(ctx, "results", "len", len(list.Items))
+			if len(list.Items) < 1 {
+				continue
+			}
+
+			sort.Slice(list.Items, func(i, j int) bool {
+				return list.Items[i].CreationTimestamp.Before(&list.Items[j].CreationTimestamp)
+			})
+
+			// most recent secret is the one we want.
+			secret := list.Items[len(list.Items)-1]
+
+			keys := make([]string, 0, len(secret.Data))
+			for k, v := range secret.Data {
+				keys = append(keys, k)
+				nlog.DebugContext(ctx, "data", "name", secret.Name, "key", k, "len", len(v))
+			}
+
+			//  Print one file to stdout
+			if key := *cf.file; key != "" {
+				if data, found := secret.Data[key]; found {
+					cfg.Write(command.EnsureNewline(data))
+					return nil
+				}
+				return wrapper.Wrap(fmt.Errorf("not found: %s have %#v", key, keys))
+			}
+
+			if len(secret.Data) > 0 {
+				cfg.Println(secret.Name)
+			}
+
+			for k, v := range secret.Data {
+				cfg.Printf("-- %s --\n", k)
+				cfg.Write(command.EnsureNewline(v))
+			}
+		}
+		return nil
+	}
+}
--- a/pkg/cli/kv/kv.go
+++ b/pkg/cli/kv/kv.go
@@ -0,0 +1,40 @@
+package kv
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// New returns the kv root command for the cli
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("kv")
+	cmd.Short = "work with secrets in the provisioner cluster"
+	cmd.Flags().SortFlags = false
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		return c.Usage()
+	}
+	// flags
+	cmd.PersistentFlags().SortFlags = false
+	cmd.PersistentFlags().AddGoFlagSet(cfg.KVFlagSet())
+	// subcommands
+	cmd.AddCommand(newGetCmd(cfg))
+	cmd.AddCommand(newListCmd(cfg))
+	cmd.AddCommand(newPutCmd(cfg))
+	return cmd
+}
+
+func newClientSet(cfg *holos.Config) (*kubernetes.Clientset, error) {
+	kcfg, err := clientcmd.BuildConfigFromFlags("", cfg.KVKubeconfig())
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+	clientset, err := kubernetes.NewForConfig(kcfg)
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+	return clientset, nil
+}
--- a/pkg/cli/kv/list.go
+++ b/pkg/cli/kv/list.go
@@ -0,0 +1,46 @@
+package kv
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func newListCmd(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("list")
+	cmd.Args = cobra.NoArgs
+	cmd.Short = "list secrets"
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.RunE = makeListRunFunc(cfg)
+
+	return cmd
+}
+
+func makeListRunFunc(cfg *holos.Config) command.RunFunc {
+	return func(cmd *cobra.Command, _ []string) error {
+		ctx := cmd.Context()
+		cs, err := newClientSet(cfg)
+		if err != nil {
+			return err
+		}
+		selector := metav1.ListOptions{LabelSelector: secret.NameLabel}
+		secrets, err := cs.CoreV1().Secrets(cfg.KVNamespace()).List(ctx, selector)
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+		labels := make(map[string]bool)
+		for _, s := range secrets.Items {
+			if value, ok := s.Labels[secret.NameLabel]; ok {
+				labels[value] = true
+			}
+		}
+		for label := range labels {
+			cfg.Println(label)
+		}
+		return nil
+	}
+}
--- a/pkg/cli/kv/put.go
+++ b/pkg/cli/kv/put.go
@@ -0,0 +1,200 @@
+package kv
+
+import (
+	"bytes"
+	"context"
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"golang.org/x/tools/txtar"
+	"io"
+	"io/fs"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubectl/pkg/util/hash"
+	"os"
+	"path/filepath"
+	"sigs.k8s.io/yaml"
+	"strings"
+)
+
+type putConfig struct {
+	secretName *string
+	file       *string
+	dryRun     *bool
+}
+
+func newPutCmd(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("put")
+	cmd.Args = cobra.MinimumNArgs(0)
+	cmd.Short = "put a secret from stdin or file args"
+	cmd.Flags().SortFlags = false
+
+	pcfg := putConfig{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	pcfg.secretName = flagSet.String("name", "", "secret name to use instead of txtar comment")
+	pcfg.file = flagSet.String("file", "", "file name to use instead of txtar path")
+	pcfg.dryRun = flagSet.Bool("dry-run", false, "print to standard output instead of creating")
+
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.RunE = makePutRunFunc(cfg, pcfg)
+
+	return cmd
+}
+
+func makePutRunFunc(cfg *holos.Config, pcfg putConfig) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		a := &txtar.Archive{}
+
+		// Add stdin to the archive.
+		if len(args) == 0 {
+			data, err := io.ReadAll(cfg.Stdin())
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+
+			if *pcfg.file != "" {
+				file := txtar.File{
+					Name: *pcfg.file,
+					Data: data,
+				}
+				a.Files = append(a.Files, file)
+			} else {
+				a = txtar.Parse(data)
+			}
+		}
+
+		// Do we have a secret name?
+		if *pcfg.secretName != "" {
+			a.Comment = []byte(*pcfg.secretName)
+		}
+		if len(a.Comment) == 0 {
+			// Use the first argument if not
+			if len(args) > 0 {
+				a.Comment = []byte(filepath.Base(args[0]))
+			} else {
+				err := fmt.Errorf("missing secret name from name, args, or txtar comment")
+				return wrapper.Wrap(err)
+			}
+		}
+
+		head, _, _ := bytes.Cut(a.Comment, []byte("\n"))
+		secretName := string(head)
+
+		// Add files from the filesystem to the archive
+		for _, name := range args {
+			if err := filepath.WalkDir(name, makeWalkFunc(a, name)); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+
+		log := logger.FromContext(cmd.Context())
+		ctx := cmd.Context()
+
+		// Nothing to do?
+		if len(a.Files) == 0 {
+			log.WarnContext(ctx, "nothing to do")
+			return nil
+		}
+
+		// Create the secret.
+		secret, err := createSecret(ctx, cfg, pcfg, a, secretName)
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		if *pcfg.dryRun {
+			data, err := yaml.Marshal(secret)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			cfg.Println(string(data))
+			return nil
+		}
+
+		// Make the API call
+		cs, err := newClientSet(cfg)
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		secret, err = cs.CoreV1().Secrets(cfg.KVNamespace()).Create(ctx, secret, metav1.CreateOptions{})
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		log.InfoContext(ctx, "created: "+secret.Name, "secret", secret.Name, "name", secretName, "namespace", secret.Namespace)
+		return nil
+	}
+}
+
+func createSecret(ctx context.Context, cfg *holos.Config, pcfg putConfig, a *txtar.Archive, secretName string) (*v1.Secret, error) {
+	secretData := make(map[string][]byte)
+	for _, file := range a.Files {
+		secretData[file.Name] = file.Data
+	}
+
+	labels := map[string]string{secret.NameLabel: secretName}
+	if owner := os.Getenv("USER"); owner != "" {
+		labels[secret.OwnerLabel] = owner
+	}
+	if cluster := cfg.ClusterName(); cluster != "" {
+		labels[secret.ClusterLabel] = cluster
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   secretName,
+			Labels: labels,
+		},
+		Data: secretData,
+	}
+
+	secretHash, err := hash.SecretHash(secret)
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+	secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+
+	return secret, nil
+}
+
+func makeWalkFunc(a *txtar.Archive, rootDir string) fs.WalkDirFunc {
+	return func(path string, d os.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Depth is the count of path separators from the root
+		depth := strings.Count(path[len(rootDir):], string(filepath.Separator))
+
+		if depth > 1 {
+			if d.IsDir() {
+				return filepath.SkipDir
+			}
+		}
+
+		if !d.IsDir() {
+			if file, err := file(path); err != nil {
+				return wrapper.Wrap(err)
+			} else {
+				file.Name = filepath.Base(path)
+				a.Files = append(a.Files, file)
+			}
+		}
+
+		return nil
+	}
+}
+
+func file(path string) (file txtar.File, err error) {
+	file.Name = path
+	file.Data, err = os.ReadFile(path)
+	return
+}
--- a/pkg/cli/render/render.go
+++ b/pkg/cli/render/render.go
@@ -1,15 +1,16 @@
-package cli
+package render

 import (
 	"fmt"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/internal/builder"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/wrapper"
 	"github.com/spf13/cobra"
 )

-func makeRenderRunFunc(cfg *config.Config) runFunc {
+func makeRenderRunFunc(cfg *holos.Config) command.RunFunc {
 	return func(cmd *cobra.Command, args []string) error {
 		if cfg.ClusterName() == "" {
 			return wrapper.Wrap(fmt.Errorf("missing cluster name"))
@@ -42,9 +43,9 @@ func makeRenderRunFunc(cfg *config.Config) runFunc {
 	}
 }

-// newRenderCmd returns the render subcommand for the root command
-func newRenderCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("render [directory...]")
+// New returns the render subcommand for the root command
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("render [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "write kubernetes api objects to the filesystem"
 	cmd.Flags().SortFlags = false
--- a/pkg/cli/root.go
+++ b/pkg/cli/root.go
@@ -1,19 +1,20 @@
 package cli

 import (
-	"fmt"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/cli/build"
+	"github.com/holos-run/holos/pkg/cli/create"
+	"github.com/holos-run/holos/pkg/cli/kv"
+	"github.com/holos-run/holos/pkg/cli/render"
+	"github.com/holos-run/holos/pkg/cli/txtar"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/version"
-	"github.com/holos-run/holos/pkg/wrapper"
 	"github.com/spf13/cobra"
 	"log/slog"
 )

-type runFunc func(c *cobra.Command, args []string) error
-
 // New returns a new root *cobra.Command for command line execution.
-func New(cfg *config.Config) *cobra.Command {
+func New(cfg *holos.Config) *cobra.Command {
 	rootCmd := &cobra.Command{
 		Use:     "holos",
 		Short:   "holos manages a holistic integrated software development platform",
@@ -45,35 +46,15 @@ func New(cfg *config.Config) *cobra.Command {
 	rootCmd.PersistentFlags().AddGoFlagSet(cfg.LogFlagSet())

 	// subcommands
-	rootCmd.AddCommand(newBuildCmd(cfg))
-	rootCmd.AddCommand(newRenderCmd(cfg))
-	rootCmd.AddCommand(newKVRootCmd(cfg))
-	rootCmd.AddCommand(newTxtarCmd(cfg))
+	rootCmd.AddCommand(build.New(cfg))
+	rootCmd.AddCommand(render.New(cfg))
+	rootCmd.AddCommand(create.New(cfg))
+
+	// Maybe not needed?
+	rootCmd.AddCommand(txtar.New(cfg))
+
+	// Deprecated, remove?
+	rootCmd.AddCommand(kv.New(cfg))

 	return rootCmd
 }
-
-// newCmd returns a new subcommand
-func newCmd(name string) *cobra.Command {
-	cmd := &cobra.Command{
-		Use:     name,
-		Version: version.Version,
-		Args:    cobra.NoArgs,
-		CompletionOptions: cobra.CompletionOptions{
-			HiddenDefaultCmd: true,
-		},
-		RunE: func(c *cobra.Command, args []string) error {
-			return wrapper.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
-		},
-		SilenceUsage:  true,
-		SilenceErrors: true,
-	}
-	return cmd
-}
-
-func ensureNewline(b []byte) []byte {
-	if len(b) > 0 && b[len(b)-1] != '\n' {
-		b = append(b, '\n')
-	}
-	return b
-}
--- a/pkg/cli/root_test.go
+++ b/pkg/cli/root_test.go
@@ -2,7 +2,7 @@ package cli

 import (
 	"bytes"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/version"
 	"github.com/spf13/cobra"
@@ -13,7 +13,7 @@ import (
 func newCommand() (*cobra.Command, *bytes.Buffer) {
 	var b1, b2 bytes.Buffer
 	// discard stdout for now, it's a bunch of usage messages.
-	cmd := New(config.New(config.Stdout(&b1), config.Stderr(&b2)))
+	cmd := New(holos.New(holos.Stdout(&b1), holos.Stderr(&b2)))
 	return cmd, &b2
 }

@@ -89,7 +89,7 @@ func TestInvalidArgs(t *testing.T) {
 	}
 	for _, args := range invalidArgs {
 		var b bytes.Buffer
-		cmd := New(config.New(config.Stdout(&b)))
+		cmd := New(holos.New(holos.Stdout(&b)))
 		cmd.SetArgs(args)
 		err := cmd.Execute()
 		if err == nil {
@@ -114,7 +114,7 @@ func TestLoggerFromContext(t *testing.T) {

 func TestVersion(t *testing.T) {
 	var b bytes.Buffer
-	cmd := New(config.New(config.Stdout(&b)))
+	cmd := New(holos.New(holos.Stdout(&b)))
 	cmd.SetOut(&b)
 	cmd.SetArgs([]string{"--version"})
 	if err := cmd.Execute(); err != nil {
--- a/pkg/cli/secret/secret.go
+++ b/pkg/cli/secret/secret.go
@@ -0,0 +1,133 @@
+package secret
+
+import (
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"io/fs"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubectl/pkg/util/hash"
+	"os"
+	"path/filepath"
+	"sigs.k8s.io/yaml"
+	"strings"
+)
+
+const NameLabel = "holos.run/secret.name"
+const OwnerLabel = "holos.run/secret.owner"
+const ClusterLabel = "holos.run/cluster.name"
+
+type secretData map[string][]byte
+
+type config struct {
+	files     holos.StringSlice
+	dryRun    *bool
+	cluster   *string
+	namespace *string
+}
+
+func NewCreateCmd(hc *holos.Config) *cobra.Command {
+	cmd := command.New("secret NAME [--from-file=source]")
+	cmd.Args = cobra.ExactArgs(1)
+	cmd.Short = "Create a holos secret from files or directories"
+	cmd.Flags().SortFlags = false
+
+	cfg := &config{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	flagSet.Var(&cfg.files, "from-file", "store files as keys in the secret")
+	cfg.namespace = flagSet.String("namespace", holos.DefaultProvisionerNamespace, "namespace in the provisioner cluster where the secret is created")
+	cfg.cluster = flagSet.String("cluster-name", "", "cluster name")
+	cfg.dryRun = flagSet.Bool("dry-run", false, "dry run")
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.RunE = makeCreateRunFunc(hc, cfg)
+	return cmd
+
+}
+
+func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		secretName := args[0]
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   secretName,
+				Labels: map[string]string{NameLabel: secretName},
+			},
+			Data: make(secretData),
+		}
+
+		for _, file := range cfg.files {
+			if err := filepath.WalkDir(file, makeWalkFunc(secret.Data, file)); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+
+		if owner := os.Getenv("USER"); owner != "" {
+			secret.Labels[OwnerLabel] = owner
+		}
+		if *cfg.cluster != "" {
+			secret.Labels[ClusterLabel] = *cfg.cluster
+		}
+
+		if secretHash, err := hash.SecretHash(secret); err != nil {
+			return wrapper.Wrap(err)
+		} else {
+			secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+		}
+
+		if *cfg.dryRun {
+			out, err := yaml.Marshal(secret)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			hc.Write(out)
+			return nil
+		}
+
+		cs, err := hc.ProvisionerClientset()
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+		ctx := cmd.Context()
+		secret, err = cs.CoreV1().
+			Secrets(*cfg.namespace).
+			Create(ctx, secret, metav1.CreateOptions{})
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		log := logger.FromContext(ctx)
+		log.InfoContext(ctx, "created: "+secret.Name, "secret", secret.Name, "name", secretName, "namespace", secret.Namespace)
+		return nil
+	}
+}
+
+func makeWalkFunc(data secretData, root string) fs.WalkDirFunc {
+	return func(path string, d os.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Depth is the count of path separators from the root
+		depth := strings.Count(path[len(root):], string(filepath.Separator))
+
+		if depth > 1 {
+			if d.IsDir() {
+				return filepath.SkipDir
+			}
+		}
+
+		if !d.IsDir() {
+			key := filepath.Base(path)
+			if data[key], err = os.ReadFile(path); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+
+		return nil
+	}
+}
--- a/pkg/cli/txtar.go
+++ b/pkg/cli/txtar.go
@@ -1,103 +0,0 @@
-package cli
-
-import (
-	"bytes"
-	"fmt"
-	"github.com/holos-run/holos/pkg/config"
-	"github.com/holos-run/holos/pkg/wrapper"
-	"github.com/spf13/cobra"
-	"golang.org/x/tools/txtar"
-	"io"
-	"io/fs"
-	"os"
-	"path/filepath"
-)
-
-func newTxtarCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("txtar")
-	cmd.Short = "trivial text-based file archives"
-	cmd.Long = "writes arguments to stdout otherwise extracts"
-	cmd.Args = cobra.MinimumNArgs(0)
-	cmd.RunE = makeTxtarRun(cfg)
-	cmd.Flags().SortFlags = false
-	cmd.Flags().AddGoFlagSet(cfg.TxtarFlagSet())
-	return cmd
-}
-
-func makeTxtarRun(cfg *config.Config) runFunc {
-	return func(cmd *cobra.Command, args []string) error {
-		if len(args) == 0 {
-			return txExtract(cfg)
-		}
-		a := &txtar.Archive{}
-		for _, name := range args {
-			if err := filepath.WalkDir(name, makeWalkFunc(a)); err != nil {
-				return wrapper.Wrap(err)
-			}
-		}
-		cfg.Write(txtar.Format(a))
-		return nil
-	}
-}
-
-func makeWalkFunc(a *txtar.Archive) fs.WalkDirFunc {
-	return func(path string, d os.DirEntry, err error) error {
-		if err != nil {
-			return wrapper.Wrap(err)
-		}
-
-		if !d.IsDir() {
-			if file, err := txFile(path); err != nil {
-				return wrapper.Wrap(err)
-			} else {
-				a.Files = append(a.Files, file)
-			}
-		}
-
-		return nil
-	}
-}
-
-func txFile(path string) (file txtar.File, err error) {
-	file.Name = path
-	file.Data, err = os.ReadFile(path)
-	return
-}
-
-func txExtract(cfg *config.Config) error {
-	input, err := io.ReadAll(cfg.Stdin())
-	if err != nil {
-		return wrapper.Wrap(fmt.Errorf("could not read stdin: %w", err))
-	}
-	archive := txtar.Parse(input)
-	header := bytes.Split(archive.Comment, []byte{'\n'})[:1]
-	if len(header) == 0 {
-		header = append(header, []byte{})
-	}
-
-	// Print one file to stdout
-	idx := cfg.TxtarIndex()
-	if idx > 0 {
-		cfg.Write(ensureNewline(archive.Files[idx-1].Data))
-		return nil
-	}
-	if idx < 0 {
-		tail := len(archive.Files)
-		cfg.Write(ensureNewline(archive.Files[tail+idx].Data))
-		return nil
-	}
-
-	// Write all files
-	for _, file := range archive.Files {
-		log := cfg.Logger().With("header", string(header[0]), "path", file.Name, "bytes", len(file.Data))
-		path := filepath.Join(".", file.Name)
-		log.Info("writing: " + file.Name)
-		if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
-			return wrapper.Wrap(fmt.Errorf("could not make directory: %w", err))
-		}
-		if err := os.WriteFile(path, file.Data, 0644); err != nil {
-			return wrapper.Wrap(fmt.Errorf("could not write file: %w", err))
-		}
-	}
-	return nil
-}
--- a/pkg/cli/txtar/txtar.go
+++ b/pkg/cli/txtar/txtar.go
@@ -0,0 +1,95 @@
+package txtar
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"golang.org/x/tools/txtar"
+	"io"
+	"log/slog"
+	"os"
+	"path/filepath"
+)
+
+// New returns a new txtar command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("txtar")
+	cmd.Short = "trivial text-based file archives"
+	cmd.Long = "writes arguments to stdout otherwise extracts"
+	cmd.Args = cobra.MinimumNArgs(0)
+	cmd.RunE = makeRunFunc(cfg)
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(cfg.TxtarFlagSet())
+	return cmd
+}
+
+func makeRunFunc(cfg *holos.Config) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		// extract an archive
+		if len(args) == 0 {
+			return extract(cfg)
+		}
+		// create an archive
+		a := &txtar.Archive{}
+		for _, name := range args {
+			if err := filepath.WalkDir(name, util.MakeWalkFunc(a)); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+		if _, err := cfg.Stdout().Write(txtar.Format(a)); err != nil {
+			return wrapper.Wrap(err)
+		}
+		return nil
+	}
+}
+
+// extract files from the configured Stdin to Stdout or the filesystem.
+func extract(cfg *holos.Config) error {
+	input, err := io.ReadAll(cfg.Stdin())
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not read stdin: %w", err))
+	}
+	archive := txtar.Parse(input)
+	if idx := cfg.TxtarIndex(); idx != 0 {
+		return printFile(cfg.Stdout(), idx, archive)
+	}
+
+	return writeFiles(cfg.Logger(), archive)
+}
+
+// printFile prints one file from the txtar archive by index.
+func printFile(w io.Writer, idx int, a *txtar.Archive) (err error) {
+	if idx == 0 {
+		return wrapper.Wrap(fmt.Errorf("idx cannot be 0"))
+	}
+	if idx > 0 {
+		_, err = w.Write(command.EnsureNewline(a.Files[idx-1].Data))
+	} else {
+		_, err = w.Write(command.EnsureNewline(a.Files[len(a.Files)+idx].Data))
+	}
+	return
+}
+
+// writeFiles writes all files in the archive.
+func writeFiles(logger *slog.Logger, a *txtar.Archive) (err error) {
+	var header string
+	if h := bytes.Split(a.Comment, []byte{'\n'})[:1]; len(h) > 0 {
+		header = string(h[0])
+	}
+	for _, file := range a.Files {
+		log := logger.With("header", header, "path", file.Name, "bytes", len(file.Data))
+		path := filepath.Join(".", file.Name)
+		log.Info("writing: " + file.Name)
+		if err = os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not make directory: %w", err))
+		}
+		if err = os.WriteFile(path, file.Data, 0644); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not write file: %w", err))
+		}
+	}
+	return
+}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1,10 +1,13 @@
-package config
+package holos

 import (
 	"flag"
 	"fmt"
 	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
 	"io"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/util/homedir"
 	"log/slog"
 	"os"
@@ -80,19 +83,20 @@ func New(opts ...Option) *Config {
 // should be initialized early at a well known location in the program lifecycle
 // then remain immutable.
 type Config struct {
-	logConfig      *logger.Config
-	writeTo        string
-	clusterName    string
-	logger         *slog.Logger
-	options        *options
-	finalized      bool
-	writeFlagSet   *flag.FlagSet
-	clusterFlagSet *flag.FlagSet
-	kvKubeconfig   *string
-	kvNamespace    *string
-	kvFlagSet      *flag.FlagSet
-	txtarIndex     *int
-	txtarFlagSet   *flag.FlagSet
+	logConfig            *logger.Config
+	writeTo              string
+	clusterName          string
+	logger               *slog.Logger
+	options              *options
+	finalized            bool
+	writeFlagSet         *flag.FlagSet
+	clusterFlagSet       *flag.FlagSet
+	kvKubeconfig         *string
+	kvNamespace          *string
+	kvFlagSet            *flag.FlagSet
+	txtarIndex           *int
+	txtarFlagSet         *flag.FlagSet
+	provisionerClientset *kubernetes.Clientset
 }

 // LogFlagSet returns the logging *flag.FlagSet for use by the command handler.
@@ -224,6 +228,22 @@ func (c *Config) TxtarIndex() int {
 	return *c.txtarIndex
 }

+// ProvisionerClientset returns a kubernetes client set for the provisioner cluster.
+func (c *Config) ProvisionerClientset() (*kubernetes.Clientset, error) {
+	if c.provisionerClientset == nil {
+		kcfg, err := clientcmd.BuildConfigFromFlags("", c.KVKubeconfig())
+		if err != nil {
+			return nil, wrapper.Wrap(err)
+		}
+		clientset, err := kubernetes.NewForConfig(kcfg)
+		if err != nil {
+			return nil, wrapper.Wrap(err)
+		}
+		c.provisionerClientset = clientset
+	}
+	return c.provisionerClientset, nil
+}
+
 // getenv is equivalent to os.LookupEnv with a default value.
 func getenv(key, defaultValue string) string {
 	if value, exists := os.LookupEnv(key); exists {
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -1,4 +1,4 @@
-package config
+package holos

 import (
 	"bytes"
--- a/pkg/holos/types.go
+++ b/pkg/holos/types.go
@@ -0,0 +1,22 @@
+package holos
+
+import (
+	"fmt"
+	"strings"
+)
+
+// StringSlice represents zero or more flag values.
+type StringSlice []string
+
+// String implements the flag.Value interface.
+func (i *StringSlice) String() string {
+	return fmt.Sprint(*i)
+}
+
+// Set implements the flag.Value interface.
+func (i *StringSlice) Set(value string) error {
+	for _, str := range strings.Split(value, ",") {
+		*i = append(*i, str)
+	}
+	return nil
+}
--- a/pkg/util/txtar.go
+++ b/pkg/util/txtar.go
@@ -0,0 +1,32 @@
+package util
+
+import (
+	"github.com/holos-run/holos/pkg/wrapper"
+	"golang.org/x/tools/txtar"
+	"io/fs"
+	"os"
+)
+
+func MakeWalkFunc(a *txtar.Archive) fs.WalkDirFunc {
+	return func(path string, d os.DirEntry, err error) error {
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		if !d.IsDir() {
+			if file, err := file(path); err != nil {
+				return wrapper.Wrap(err)
+			} else {
+				a.Files = append(a.Files, file)
+			}
+		}
+
+		return nil
+	}
+}
+
+func file(path string) (file txtar.File, err error) {
+	file.Name = path
+	file.Data, err = os.ReadFile(path)
+	return
+}
--- a/pkg/version/embedded/minor
+++ b/pkg/version/embedded/minor
@@ -1 +1 @@
-43
+45
--- a/pkg/version/embedded/patch
+++ b/pkg/version/embedded/patch
@@ -1 +1 @@
-1
+0
Author	SHA1	Message	Date
Jeff McCune	0d7033d063	(#8 ) Create secret subcommand This patch adds a holos create secret command that behaves like kubectl create secret, but for the specific use case of provisioning holos clusters. ``` ❯ holos create secret k2-talos --cluster-name=k2 --from-file=secrets.yaml 4:48PM INF secret.go:104 created: k2-talos-49546d9fd7 version=0.45.0 secret=k2-talos-49546d9fd7 name=k2-talos namespace=secrets ``` Once the corresponding `holos get secret` subcommands are implemented the kv subcommand may be removed.	2024-02-23 16:49:13 -08:00
Jeff McCune	84bf0c8945	(#6 ) Holos kv put command to create secrets A "holos secret" is a Secret in the secrets namespace of the provisioner cluster. The put command creates a unique secret from files and directories listed as arguments, or from a txtar archive provided on standard input. Secret data may come from any or all of the following sources: 1. Create a secret from raw data on standard input. --name and --file must be specified. 2. Create a secret from txtar data on standard input. The secret name is taken from the --name flag if provided, otherwise is taken from the first line of the txtar comment. 3. Create a secret from files and directories specified as arguments. The secret name is the base name of the first argument unless it is overridden by the --name flag. This is likely doing too much, really all we care about is this use case: holos kv put talosconfig holos kv get talosconfig \| holos txtar Additionally, I want to get get one command without writing a file: DATA="$(holos kv get talosconfig --file talosconfig)	2024-02-23 12:03:47 -08:00
Jeff McCune	466b48966a	(#3 ) holos kv list command Simple list command that finds the unique holos.run/secret.name label values and prints them out. holos kv list k2-flux-system k2-talos test	2024-02-22 22:06:23 -08:00
Jeff McCune	84bcf4b2d0	Handle write errors when creating an archive	2024-02-22 21:46:41 -08:00
Jeff McCune	bdd76c78a7	Refactor txtar package for readability	2024-02-22 21:42:07 -08:00
Jeff McCune	95e0dfa44a	Refactor render cli to a package Tidy up the structure of the cli package, keep subcommand related functions grouped together in a package.	2024-02-22 21:20:51 -08:00
Jeff McCune	90d70a6afa	Refactor build cli to a package Tidy up the structure of the cli package, keep subcommand related functions grouped together in a package.	2024-02-22 21:20:45 -08:00
Jeff McCune	d0c2d85246	(#3 ) Refactor txtar cli to a package Tidy up the structure of the cli package, keep txtar related functions grouped together in a package.	2024-02-22 21:13:40 -08:00
Jeff McCune	7e637b4647	(#3 ) Refactor kv command to kv package The structure of the cli package was getting to be a bit of a mess, time to clean it up. The structure is much easier to read with each command in a separate package of related functionality.	2024-02-22 21:09:45 -08:00