Consumer-side provisioning: fetch the ProvisionDoc from the reserved
/.hackamore/provision path on hackamore’s proxy listener — the only address a sandboxed
consumer can reach — and render it into native tool config. write_configs writes
everything under a caller-supplied home directory — nothing outside it is touched, so a sandbox (or a
test) can configure stock tools without polluting the host’s real ~/.kube, ~/.aws,
or git config.
Every write is recorded in a manifest (<home>/.hackamore/manifest) so teardown can
remove exactly what hackamore wrote and nothing else. Line-oriented files (git
credentials) are merged idempotently rather than clobbered, so re-provisioning a second
service doesn’t drop the first. When hackamore terminates TLS, the doc carries a CA bundle
(ProvisionDoc::hackamore_ca); it is written once and referenced by path from every
tool’s config (kubeconfig, ~/.aws/config, .gitconfig).
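The manifest-tracked write, idempotent line merge and teardown described above, as an added example (not hackamore's own code). The helper names `missing_ok`, `confined`, `read_lines` and `merge_line`, and the one-relative-path-per-line manifest format, are assumptions; only the manifest location comes from the page.

```rust
use std::{fs, io, path::{Component, Path, PathBuf}};
// Manifest path is from the page; one relative path per line is an assumed format.
const MANIFEST: &str = ".hackamore/manifest";

/// Map "not found" to None so re-provisioning and repeated teardown stay idempotent.
fn missing_ok<T>(r: io::Result<T>) -> io::Result<Option<T>> {
    match r {
        Ok(v) => Ok(Some(v)),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(None),
        Err(e) => Err(e),
    }
}

/// Resolve `rel` under `home`, rejecting absolute paths and `..` components.
fn confined(home: &Path, rel: &str) -> io::Result<PathBuf> {
    let inside = !rel.is_empty()
        && Path::new(rel).components().all(|c| matches!(c, Component::Normal(_)));
    inside.then(|| home.join(rel))
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "path escapes home"))
}
fn read_lines(path: &Path) -> io::Result<Vec<String>> {
    let text = missing_ok(fs::read_to_string(path))?.unwrap_or_default();
    Ok(text.lines().map(str::to_owned).collect())
}

/// Add `line` to a line-oriented file unless present, and record the file in the manifest.
pub fn merge_line(home: &Path, rel: &str, line: &str) -> io::Result<()> {
    let path = confined(home, rel)?;
    for (file, entry) in [(path, line), (home.join(MANIFEST), rel)] {
        let mut lines = read_lines(&file)?;
        if !lines.iter().any(|l| l == entry) {
            lines.push(entry.to_owned());
            fs::create_dir_all(file.parent().unwrap())?;
            fs::write(&file, lines.join("\n") + "\n")?;
        }
    }
    Ok(())
}

/// Remove only manifest-listed files (re-validated, since the manifest is read from disk).
pub fn teardown(home: &Path) -> io::Result<Vec<PathBuf>> {
    let mut removed = Vec::new();
    for rel in read_lines(&home.join(MANIFEST))? {
        let path = confined(home, &rel)?;
        if missing_ok(fs::remove_file(&path))?.is_some() { removed.push(path); }
    }
    missing_ok(fs::remove_file(home.join(MANIFEST)))?;
    Ok(removed)
}
```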
Functions
- fetch_provision: Fetch the provision doc from the reserved /.hackamore/provision path on the proxy listener at proxy_url, presenting the token via X-Hackamore-Token. The proxy listener is the only address a sandboxed consumer can reach; the admin listener (which also serves the unauthenticated /mint) stays operator-only.
- render_env: Render shell export lines from a provision doc.
- render_status: Render a human-readable summary.
- teardown: Remove every file hackamore previously wrote under home, per its manifest, then the manifest itself. Returns the files removed. Idempotent: a missing manifest or already-removed file is not an error. Nothing outside the manifest is touched.
- write_configs: Write native tool config for every service into home (an isolated directory). Returns the files written and records them in the manifest. Always writes hackamore.env and (when hackamore terminates TLS) the CA bundle; per service it writes git config (github), a kubeconfig (k8s), and/or an AWS profile (SigV4).