Localize external-secrets on ringtail (amd64 nix build) #368

Merged
eblume merged 2 commits from external-secrets-ringtail-nix into main 2026-06-04 15:37:43 -07:00

Follow-up to #367. That PR localized external-secrets but the Dagger build (on indri's Apple Silicon runner) only produces an arm64 image — and external-secrets also runs on ringtail (amd64) via the same shared manifest. This completes the localization so both clusters run the local binary on their native arch.

Approach (matches the kube-state-metrics dual-build pattern)

  • containers/external-secrets/default.nix (new) — builds the amd64 image on ringtail's nix-container-builder. buildGoModule with Go 1.26 (v2.2.0 requires ≥1.26.1; nixpkgs default is 1.25.x) and -tags all_providers, faithful to upstream. Same v2.2.0 source from the forge mirror.
  • argocd/manifests/external-secrets-ringtail/ (new) — thin kustomize overlay that reuses the shared indri manifest as a base and overrides only the image to the -nix (amd64) tag. No manifest duplication.
  • argocd/apps/external-secrets-ringtail.yaml — repointed at the new overlay.

Result: indri → v2.2.0-… (arm64, Dagger), ringtail → v2.2.0-…-nix (amd64, nix).

Build

Run #581 built both arches at the branch commit. Verified the nix image is linux/amd64, entrypoint = the binary, user 65534.

Deployed from branch & verified on ringtail (k3s, amd64)

  • All 3 pods rolled to the nix amd64 image, 1/1 Running (no exec-format error → arch correct)
  • Controller logs clean
  • Live secret fetch proven: force-synced homepage/homepage-grafana → refreshTime advanced, Ready=True
  • All 20 ringtail ExternalSecrets remain SecretSynced=True

Post-merge

The external-secrets-ringtail app is temporarily pointed at this branch + overlay path (apps app left on main, manual-sync, untouched). After merge:

argocd app sync apps                       # picks up the new Application path on main
argocd app set external-secrets-ringtail --revision main && argocd app sync external-secrets-ringtail

I'll also rebuild off main so both clusters land on stable main-sha tags (as done for indri in #367).

🤖 Generated with Claude Code
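
The three properties the description reports for the nix image (platform linux/amd64, entrypoint = the binary, user 65534) can be checked mechanically from the image's OCI config JSON. This is an added example, not code from the PR or the repository; `check_image_config` is a hypothetical helper, and the sample config and its entrypoint path are constructed.

```python
import json

# Constructed sample of an OCI image config (the JSON that
# `skopeo inspect --config` prints). The entrypoint path is a placeholder.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {"User": "65534", "Entrypoint": ["/bin/external-secrets"]},
})

SHELLS = {"sh", "bash", "ash", "dash"}


def check_image_config(raw, want_os="linux", want_arch="amd64"):
    """Return a list of findings for one image config; empty means it passes."""
    cfg = json.loads(raw)
    findings = []

    # A wrong-arch image is what surfaces as "exec format error" at pod start.
    platform = f"{cfg.get('os')}/{cfg.get('architecture')}"
    if platform != f"{want_os}/{want_arch}":
        findings.append(f"platform {platform}, expected {want_os}/{want_arch}")

    runtime = cfg.get("config") or {}

    # User may be "uid", "uid:gid" or a name; an empty value means root.
    user = str(runtime.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("image runs as root")
    elif not user.isdigit():
        # The kubelet cannot enforce runAsNonRoot against a named user.
        findings.append(f"non-numeric user {user!r}")

    # "entrypoint = the binary": one absolute path, no shell wrapper.
    entrypoint = runtime.get("Entrypoint") or []
    if len(entrypoint) != 1 or not entrypoint[0].startswith("/"):
        findings.append(f"entrypoint is not a single absolute path: {entrypoint}")
    elif entrypoint[0].rsplit("/", 1)[-1] in SHELLS:
        findings.append(f"entrypoint is a shell: {entrypoint[0]}")

    return findings


if __name__ == "__main__":
    print(check_image_config(SAMPLE_CONFIG) or "image config OK")
```
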

container.py builds arm64 (indri/Dagger); add default.nix to build the amd64
image on ringtail's nix-container-builder (Go 1.26, -tags all_providers).
external-secrets-ringtail now uses a thin overlay over the shared manifest,
overriding only the image to the -nix tag. Repoints the app at the overlay.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
eblume merged commit 13895bb04a into main 2026-06-04 15:37:43 -07:00
Reference
eblume/blumeops!368