Marin Atanasov Nikolov A place about Open Source Software, Operating Systems and some random thoughts https://dnaeon.github.io Exporting org-roam notes to Hugo and Quartz <p>I use <a href="https://orgmode.org">Org Mode</a> for note taking and tracking purposes.</p> <p>Recently I have also made the switch to <a href="https://www.orgroam.com">Org Roam</a>, that is great extension to Org Mode, which leverages the <a href="https://en.wikipedia.org/wiki/Zettelkasten">Zettlekasten</a> method for organizing and linking your notes.</p> <p>I have also found this approach quite useful and intuitive once you start using it. Being able to establish relationships between your notes and then inspect them by looking at the backlinks is quite useful.</p> <p>There are plenty of resources about <code class="language-plaintext highlighter-rouge">org-roam</code> available, so if you are just starting out I’d suggest checking out the <a href="https://www.orgroam.com/manual.html">Org Roam Manual</a>, and the <a href="https://systemcrafters.net/build-a-second-brain-in-emacs/getting-started-with-org-roam/">Build a Second Brain in Emacs with Org Roam</a> guide for a good overview.</p> <p>In this post we will see how we can export our existing <code class="language-plaintext highlighter-rouge">org-roam</code> notes to Markdown, which can then be served by a static-site generator like <a href="https://gohugo.io">Hugo</a> or <a href="https://quartz.jzhao.xyz">Quartz</a>.</p> <p>My Emacs configuration for <code class="language-plaintext highlighter-rouge">org-mode</code> looks like this.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="nb">use-package</span> <span class="nv">ox-pandoc</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:after</span> <span class="nv">ox</span><span class="p">)</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">ob-go</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:after</span> <span class="nv">ox</span><span class="p">)</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">ox-hugo</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:after</span> <span class="nv">ox</span><span class="p">)</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">dnaeon/set-creation-date-heading-property</span> <span class="p">()</span> <span class="s">"Sets the CREATED property on each org-mode heading"</span> <span class="p">(</span><span class="nv">save-excursion</span> <span class="p">(</span><span class="nv">org-back-to-heading</span><span class="p">)</span> <span class="p">(</span><span class="nv">org-set-property</span> <span class="s">"CREATED"</span> <span class="p">(</span><span class="nv">format-time-string</span> <span class="s">"%Y-%m-%d %T"</span><span class="p">))))</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">org</span> <span class="ss">:defer</span> <span class="no">t</span> <span class="ss">:init</span> <span class="c1">;; (setq org-src-preserve-indentation t)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'ob-shell</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'ob-lisp</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'ob-python</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'ob-go</span><span class="p">)</span> <span class="p">(</span><span class="nv">org-babel-do-load-languages</span> <span class="ss">'org-babel-load-languages</span> <span class="o">'</span><span class="p">((</span><span class="nv">shell</span> <span class="o">.</span> <span class="no">t</span><span class="p">)</span> <span class="p">(</span><span class="nv">lisp</span> <span class="o">.</span> <span class="no">t</span><span class="p">)</span> <span class="p">(</span><span class="nv">python</span> <span class="o">.</span> <span class="no">t</span><span class="p">)))</span> <span class="ss">:config</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'org-insert-heading-hook</span> <span class="nf">#'</span><span class="nv">dnaeon/set-creation-date-heading-property</span><span class="p">))</span> </code></pre></div></div> <p>It is a pretty simple and standard setup. I like to have a timestamp associated with each <code class="language-plaintext highlighter-rouge">org-mode</code> heading, and the <code class="language-plaintext highlighter-rouge">dnaeon/set-creation-date-heading-property</code> takes care of that.</p> <p>When creating a new heading using <code class="language-plaintext highlighter-rouge">org-insert-heading-respect-content</code> or <code class="language-plaintext highlighter-rouge">C-&lt;enter&gt;</code> we automatically have the <code class="language-plaintext highlighter-rouge">CREATED</code> property like in the example below.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">*</span> <span class="nv">TODO</span> <span class="nv">Just</span> <span class="nv">another</span> <span class="nv">entry</span> <span class="ss">:PROPERTIES:</span> <span class="ss">:CREATED:</span> <span class="nv">2026-02-23</span> <span class="nv">13:14:20</span> <span class="ss">:END:</span> <span class="nv">Something</span> <span class="nv">useful.</span> </code></pre></div></div> <p>My <code class="language-plaintext highlighter-rouge">org-roam</code> configuration looks like this.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="nb">defun</span> <span class="nv">dnaeon/org-set-created-property</span> <span class="p">()</span> <span class="s">"Sets the CREATED property when a new org-roam node is created"</span> <span class="p">(</span><span class="nv">org-set-property</span> <span class="s">"CREATED"</span> <span class="p">(</span><span class="nv">format-time-string</span> <span class="s">"%Y-%m-%d %T"</span><span class="p">)))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">dnaeon/tag-new-org-roam-node-as-draft</span> <span class="p">()</span> <span class="s">"Tags org-roam nodes as draft"</span> <span class="p">(</span><span class="nv">org-roam-tag-add</span> <span class="o">'</span><span class="p">(</span><span class="s">"draft"</span><span class="p">)))</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">org-roam</span> <span class="ss">:defer</span> <span class="no">t</span> <span class="ss">:bind</span> <span class="p">((</span><span class="s">"C-c n f"</span> <span class="o">.</span> <span class="nv">org-roam-node-find</span><span class="p">)</span> <span class="p">(</span><span class="s">"C-c n i"</span> <span class="o">.</span> <span class="nv">org-roam-node-insert</span><span class="p">)</span> <span class="p">(</span><span class="s">"C-c n t"</span> <span class="o">.</span> <span class="nv">org-roam-buffer-toggle</span><span class="p">)</span> <span class="p">(</span><span class="s">"C-c n g"</span> <span class="o">.</span> <span class="nv">org-roam-graph</span><span class="p">)</span> <span class="p">(</span><span class="s">"C-c n c"</span> <span class="o">.</span> <span class="nv">org-roam-capture</span><span class="p">)</span> <span class="c1">;; Dailies</span> <span class="p">(</span><span class="s">"C-c n d"</span> <span class="o">.</span> <span class="nv">org-roam-dailies-capture-today</span><span class="p">))</span> <span class="ss">:config</span> <span class="c1">;; Display mtime for nodes</span> <span class="p">(</span><span class="nv">cl-defmethod</span> <span class="nv">org-roam-node-mtime</span> <span class="p">((</span><span class="nv">node</span> <span class="nv">org-roam-node</span><span class="p">))</span> <span class="p">(</span><span class="nv">format-time-string</span> <span class="s">"%Y-%m-%d %T"</span> <span class="p">(</span><span class="nv">org-roam-node-file-mtime</span> <span class="nv">node</span><span class="p">)))</span> <span class="c1">;; A method to display the :CREATED: property from each node when browsing the</span> <span class="c1">;; org-roam nodes. In order to display the :CREATED: property add the</span> <span class="c1">;; following to the ORG-ROAM-NODE-DISPLAY-TEMPLATE var.</span> <span class="c1">;;</span> <span class="c1">;; (propertize "${created-property}" 'face 'org-date)</span> <span class="p">(</span><span class="nv">cl-defmethod</span> <span class="nv">org-roam-node-created-property</span> <span class="p">((</span><span class="nv">node</span> <span class="nv">org-roam-node</span><span class="p">))</span> <span class="p">(</span><span class="nb">cdr</span> <span class="p">(</span><span class="nv">assoc-string</span> <span class="s">"CREATED"</span> <span class="p">(</span><span class="nv">org-roam-node-properties</span> <span class="nv">node</span><span class="p">))))</span> <span class="c1">;; Add CREATED property to each org-roam node</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'org-roam-capture-new-node-hook</span> <span class="nf">#'</span><span class="nv">dnaeon/org-set-created-property</span><span class="p">)</span> <span class="c1">;; Add a `draft' tag to each newly created node, until we remove it.</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'org-roam-capture-new-node-hook</span> <span class="nf">#'</span><span class="nv">dnaeon/tag-new-org-roam-node-as-draft</span><span class="p">)</span> <span class="c1">;; Richer context information when browsing nodes</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">org-roam-node-display-template</span> <span class="p">(</span><span class="nv">concat</span> <span class="s">"${title:80} "</span> <span class="p">(</span><span class="nv">propertize</span> <span class="s">"${mtime}"</span> <span class="ss">'face</span> <span class="ss">'org-date</span><span class="p">)</span> <span class="s">" "</span> <span class="p">(</span><span class="nv">propertize</span> <span class="s">"${tags:25}"</span> <span class="ss">'face</span> <span class="ss">'org-tag</span><span class="p">)))</span> <span class="c1">;; Configure path to database and notes</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">org-roam-directory</span> <span class="p">(</span><span class="nv">file-truename</span> <span class="s">"~/Projects/docs"</span><span class="p">)</span> <span class="nv">org-roam-db-location</span> <span class="p">(</span><span class="nv">file-truename</span> <span class="s">"~/.emacs.d/org-roam.db"</span><span class="p">))</span> <span class="p">(</span><span class="nv">setq-default</span> <span class="nv">org-roam-capture-templates</span> <span class="o">'</span><span class="p">((</span><span class="s">"d"</span> <span class="s">"default"</span> <span class="nv">plain</span> <span class="s">"%?"</span> <span class="ss">:target</span> <span class="p">(</span><span class="nv">file+head</span> <span class="s">"notes/%&lt;%Y&gt;/%&lt;%m&gt;/${slug}.org"</span> <span class="s">"#+title: ${title}\n"</span><span class="p">)</span> <span class="ss">:unnarrowed</span> <span class="no">t</span><span class="p">)</span> <span class="p">(</span><span class="s">"e"</span> <span class="s">"encrypted"</span> <span class="nv">plain</span> <span class="s">"%?"</span> <span class="ss">:target</span> <span class="p">(</span><span class="nv">file+head</span> <span class="s">"notes/%&lt;%Y&gt;/%&lt;%m&gt;/${slug}.org.gpg"</span> <span class="s">"#+title: ${title}\n#+filetags: :gpg:encrypted:\n"</span><span class="p">)</span> <span class="ss">:unnarrowed</span> <span class="no">t</span><span class="p">)))</span> <span class="c1">;; Configure what sections to display in the org-roam buffer.</span> <span class="c1">;;</span> <span class="c1">;; https://www.orgroam.com/manual.html#Configuring-what-is-displayed-in-the-buffer-1</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">org-roam-mode-sections</span> <span class="o">'</span><span class="p">((</span><span class="nv">org-roam-backlinks-section</span> <span class="ss">:unique</span> <span class="no">t</span><span class="p">)</span> <span class="nv">org-roam-reflinks-section</span> <span class="c1">;; #'org-roam-unlinked-references-section</span> <span class="p">))</span> <span class="c1">;; Enable automatic database sync or invoke manually via `M-x org-roam-db-sync'</span> <span class="p">(</span><span class="nv">org-roam-db-autosync-mode</span><span class="p">))</span> </code></pre></div></div> <p>My <code class="language-plaintext highlighter-rouge">org-roam-capture-templates</code> contain two templates – one for regular notes, and another one for encrypted GPG notes.</p> <p>All notes reside in the <code class="language-plaintext highlighter-rouge">/path/to/docs/notes/YYYY/MM/&lt;note&gt;.org</code> path. I prefer organizing my notes in a timestamped directory structure, but that is a personal preference. The nice thing about <code class="language-plaintext highlighter-rouge">org-roam</code> (or capture templates in <code class="language-plaintext highlighter-rouge">org</code> in general) is that you can tweak it to your personal needs.</p> <p>Upon creating a new note I use a hook to add the <code class="language-plaintext highlighter-rouge">CREATED</code> property, similar to the other hook for regular <code class="language-plaintext highlighter-rouge">org</code> files and headings. Another hook takes care of adding a <code class="language-plaintext highlighter-rouge">draft</code> tag to newly created notes, which is manually removed once I’m done with the note. This helps me keep track of things I need to go back and work on.</p> <p>I also use a couple of functions for <a href="https://www.orgroam.com/manual.html#Customizing-Node-Completions-1">Customizing Node Completions</a> via the <code class="language-plaintext highlighter-rouge">org-roam-node-mtime</code> and <code class="language-plaintext highlighter-rouge">org-roam-node-created-property</code> functions.</p> <p>This is what it looks when browsing the list of notes via <a href="https://github.com/minad/consult">consult</a> and <a href="https://github.com/minad/marginalia">marginalia</a>.</p> <p><a href="/images/org-roam-node-select.png" class="glightbox"><img src="/images/org-roam-node-select.png" alt="" /></a></p> <p>A nice addition to <code class="language-plaintext highlighter-rouge">org-roam</code> is the graphical frontend <a href="https://github.com/org-roam/org-roam-ui">org-roam-ui</a>, with which you can browse and read your notes.</p> <p>At the time of writing this post this is what the graph of my notes looks like.</p> <p><a href="/images/org-roam-ui.png" class="glightbox"><img src="/images/org-roam-ui.png" alt="" /></a></p> <p>Other Emacs packages that I’ve found useful when working with <code class="language-plaintext highlighter-rouge">org-roam</code> (or <code class="language-plaintext highlighter-rouge">org-mode</code> in general) include <a href="https://github.com/nobiot/org-transclusion">org-transclusion</a>, <a href="https://github.com/alphapapa/org-ql">org-ql</a>, <a href="https://github.com/jgru/consult-org-roam">consult-org-roam</a> and <a href="https://github.com/ahmed-shariff/org-roam-ql">org-roam-ql</a>.</p> <p>Whenever I need to export my notes and share them with others I might create a single note composed of multiple, standalone notes using <a href="https://github.com/nobiot/org-transclusion">org-transclusion</a>, and then export it using <a href="https://github.com/kawabata/ox-pandoc">ox-pandoc</a> or another exporter, depending on what the audience of the document would be.</p> <p>We can also export our <code class="language-plaintext highlighter-rouge">org-roam</code> notes in Markdown format, which can then be served by a static-site generator like Hugo. The <a href="https://ox-hugo.scripter.co">ox-hugo</a> exporter does exactly this, and I also use it in order to self-host my notes on an internal system.</p> <p>Other options include <a href="https://orgmode.org/manual/Publishing.html">Org Mode Publishing</a>.</p> <p>My workflow for publishing notes usually involves two repos – one repo contains my <code class="language-plaintext highlighter-rouge">org-roam</code> notes, which is specifically being used for storing and tracking my notes only. And then I also use a second repo, which contains static-site generator specific configurations and files.</p> <p>I prefer keeping them separate, because I don’t want to pollute my main <code class="language-plaintext highlighter-rouge">org-roam</code> notes repo with anything else, which would simply <em>consume</em> these notes. This also allows me to experiment with different static-site generators without causing too much noise in the main notes repo.</p> <p>So, how do I get the notes from the <code class="language-plaintext highlighter-rouge">org-roam</code> notes repo to the static-site generator repo?</p> <p>Well, I use an <a href="https://www.gnu.org/software/emacs/manual/html_node/elisp/index.html">Emacs Lisp</a> script, which iterates through each <code class="language-plaintext highlighter-rouge">org-roam</code> node and exports it via <code class="language-plaintext highlighter-rouge">ox-hugo</code>. However, there were a few issues I have faced.</p> <p>The first one is related to the date-metadata, which is associated with each entry. <code class="language-plaintext highlighter-rouge">ox-hugo</code> expects that your <code class="language-plaintext highlighter-rouge">org</code> contain various <a href="https://ox-hugo.scripter.co/doc/dates/#dates-file-based-exports">File-level properties</a>, in order to produce a <a href="https://gohugo.io/content-management/front-matter/">valid front matter for Hugo</a>.</p> <p>Since all of my <code class="language-plaintext highlighter-rouge">org-roam</code> notes already contain the <code class="language-plaintext highlighter-rouge">CREATED</code> property, then the ideal solution would be for <code class="language-plaintext highlighter-rouge">ox-hugo</code> to use that when generating the Hugo front matter.</p> <p>Unfortunately <code class="language-plaintext highlighter-rouge">ox-hugo</code> <a href="https://github.com/kaushalmodi/ox-hugo/issues/772">does not support mapping properties to front-matter variables</a>. But with <a href="https://www.gnu.org/software/emacs/manual/html_node/elisp/Advising-Functions.html">Advising Emacs Lisp Functions</a> we can implement a function that affects the <code class="language-plaintext highlighter-rouge">org-mode</code> export environment, which <code class="language-plaintext highlighter-rouge">ox-hugo</code> uses in order to generate the Markdown document.</p> <p>The following <em>advice function</em> pushes the <code class="language-plaintext highlighter-rouge">:date</code> property to the org export environment. This property represents the <code class="language-plaintext highlighter-rouge">date</code> property from the Hugo front-matter. If needed, we can also push the <code class="language-plaintext highlighter-rouge">:hugo-publishdate</code> and <code class="language-plaintext highlighter-rouge">:hugo-lastmod</code> properties, which correspond to <code class="language-plaintext highlighter-rouge">publishDate</code> and <code class="language-plaintext highlighter-rouge">lastmod</code> properties respectively.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">;; All my org-roam notes contain the `CREATED' property, which specifies the</span> <span class="c1">;; creation date of the note. This wrapper adds the `:date' property to the</span> <span class="c1">;; export environment, which `ox-hugo' will use when exporting to Markdown.</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">org-export-get-environment/add-date</span> <span class="p">(</span><span class="nv">orig-fun</span> <span class="k">&amp;rest</span> <span class="nv">args</span><span class="p">)</span> <span class="p">(</span><span class="k">let</span> <span class="p">((</span><span class="nv">env</span> <span class="p">(</span><span class="nb">apply</span> <span class="nv">orig-fun</span> <span class="nv">args</span><span class="p">))</span> <span class="p">(</span><span class="nv">created</span> <span class="p">(</span><span class="nv">org-entry-get</span> <span class="no">nil</span> <span class="s">"CREATED"</span><span class="p">)))</span> <span class="p">(</span><span class="nv">plist-put</span> <span class="nv">env</span> <span class="ss">:date</span> <span class="nv">created</span><span class="p">)))</span> <span class="p">(</span><span class="nv">advice-add</span> <span class="ss">'org-export-get-environment</span> <span class="ss">:around</span> <span class="nf">#'</span><span class="nv">org-export-get-environment/add-date</span><span class="p">)</span> </code></pre></div></div> <p>Another issue I have faced when using <code class="language-plaintext highlighter-rouge">ox-hugo</code> is related to how links between notes are generated. Since my notes reside in the <code class="language-plaintext highlighter-rouge">notes/YYYY/MM/</code> directory structure, when exporting them <code class="language-plaintext highlighter-rouge">ox-hugo</code> would generate invalid links, in the form of <code class="language-plaintext highlighter-rouge">../MM/some-note.md</code>.</p> <p>This is documented in this issue about <a href="https://github.com/kaushalmodi/ox-hugo/issues/668">broken links when exporting</a>. Since the final Markdown documents, which will be served by Hugo (or Hugo-compatible service), we can implement the following hook, which strips away the directory part of the generated link.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">;; My org-roam capture templates store the notes in `notes/YYYY/MM' directory</span> <span class="c1">;; structure.</span> <span class="c1">;;</span> <span class="c1">;; When exporting to Markdown via `ox-hugo' the resulting links are invalid,</span> <span class="c1">;; because they would point to `../MM/filename.md'.</span> <span class="c1">;;</span> <span class="c1">;; Since all files are being exported to the `$HUGO_BASE_DIR/content/notes'</span> <span class="c1">;; directory we are simply stripping any leading directories from the filenames</span> <span class="c1">;; here, in order to have valid links.</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">org-export-resolve-id-link/strip-directory</span> <span class="p">(</span><span class="nv">val</span><span class="p">)</span> <span class="p">(</span><span class="nb">car</span> <span class="p">(</span><span class="nb">last</span> <span class="p">(</span><span class="nv">file-name-split</span> <span class="nv">val</span><span class="p">))))</span> <span class="p">(</span><span class="nv">advice-add</span> <span class="ss">'org-export-resolve-id-link</span> <span class="ss">:filter-return</span> <span class="nf">#'</span><span class="nv">org-export-resolve-id-link/strip-directory</span><span class="p">)</span> </code></pre></div></div> <p>Finally, we can assemble all the pieces together and automate the process of exporting all of our <code class="language-plaintext highlighter-rouge">org-roam</code> notes using the script below.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">#</span><span class="nv">!/usr/bin/env</span> <span class="nv">emacs</span> <span class="nv">--script</span> <span class="c1">;;</span> <span class="c1">;; A utility script to export all my org-roam notes via `ox-hugo'</span> <span class="c1">;;</span> <span class="c1">;; The script expects the `HUGO_BASE_DIR', `ORG_ROAM_DIR' and `ORG_ROAM_DB' env</span> <span class="c1">;; vars to be set.</span> <span class="c1">;;</span> <span class="c1">;; `HUGO_BASE_DIR' specifies the directory where org-roam nodes will be</span> <span class="c1">;; exported.</span> <span class="c1">;;</span> <span class="c1">;; Upon successful completion the script produces the following directories.</span> <span class="c1">;;</span> <span class="c1">;; $HUGO_BASE_DIR/content/notes - contains the generated Markdown files</span> <span class="c1">;; $HUGO_BASE_DIR/static/ox-hugo - contains static files, e.g. images</span> <span class="c1">;;</span> <span class="c1">;; In order to serve the notes generated by the script simply sync the Markdown</span> <span class="c1">;; files and static files from the directories above to your Hugo installation.</span> <span class="c1">;;</span> <span class="p">(</span><span class="nb">dolist</span> <span class="p">(</span><span class="nv">env-var</span> <span class="o">'</span><span class="p">(</span><span class="s">"HUGO_BASE_DIR"</span> <span class="s">"ORG_ROAM_DIR"</span> <span class="s">"ORG_ROAM_DB"</span><span class="p">))</span> <span class="p">(</span><span class="nb">unless</span> <span class="p">(</span><span class="nv">getenv</span> <span class="nv">env-var</span><span class="p">)</span> <span class="p">(</span><span class="nb">error</span> <span class="p">(</span><span class="nb">format</span> <span class="s">"%s env var is not set"</span> <span class="nv">env-var</span><span class="p">))))</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'package</span><span class="p">)</span> <span class="p">(</span><span class="nv">package-initialize</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'org</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'cl-lib</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'ox-hugo</span><span class="p">)</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">org-roam</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:config</span> <span class="c1">;; Configure path to the org-roam database and notes</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">org-roam-directory</span> <span class="p">(</span><span class="nv">file-truename</span> <span class="p">(</span><span class="nv">getenv</span> <span class="s">"ORG_ROAM_DIR"</span><span class="p">))</span> <span class="nv">org-roam-db-location</span> <span class="p">(</span><span class="nv">file-truename</span> <span class="p">(</span><span class="nv">getenv</span> <span class="s">"ORG_ROAM_DB"</span><span class="p">))))</span> <span class="c1">;; My org-roam capture templates store the notes in `notes/YYYY/MM' directory</span> <span class="c1">;; structure.</span> <span class="c1">;;</span> <span class="c1">;; When exporting to Markdown via `ox-hugo' the resulting links are invalid,</span> <span class="c1">;; because they would point to `../MM/filename.md'.</span> <span class="c1">;;</span> <span class="c1">;; Since all files are being exported to the `$HUGO_BASE_DIR/content/notes'</span> <span class="c1">;; directory we are simply stripping any leading directories from the filenames</span> <span class="c1">;; here, in order to have valid links.</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">org-export-resolve-id-link/strip-directory</span> <span class="p">(</span><span class="nv">val</span><span class="p">)</span> <span class="p">(</span><span class="nb">car</span> <span class="p">(</span><span class="nb">last</span> <span class="p">(</span><span class="nv">file-name-split</span> <span class="nv">val</span><span class="p">))))</span> <span class="p">(</span><span class="nv">advice-add</span> <span class="ss">'org-export-resolve-id-link</span> <span class="ss">:filter-return</span> <span class="nf">#'</span><span class="nv">org-export-resolve-id-link/strip-directory</span><span class="p">)</span> <span class="c1">;; All my org-roam notes contain the `CREATED' property, which specifies the</span> <span class="c1">;; creation date of the note.</span> <span class="c1">;;</span> <span class="c1">;; This wrapper adds the `:date' property to the export environment, which</span> <span class="c1">;; `ox-hugo' will use when exporting to Markdown.</span> <span class="c1">;;</span> <span class="c1">;; Additional keys that may be added here include `:hugo-publishdate',</span> <span class="c1">;; `:hugo-lastmod', etc.</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">org-export-get-environment/add-date</span> <span class="p">(</span><span class="nv">orig-fun</span> <span class="k">&amp;rest</span> <span class="nv">args</span><span class="p">)</span> <span class="p">(</span><span class="k">let</span> <span class="p">((</span><span class="nv">env</span> <span class="p">(</span><span class="nb">apply</span> <span class="nv">orig-fun</span> <span class="nv">args</span><span class="p">))</span> <span class="p">(</span><span class="nv">created</span> <span class="p">(</span><span class="nv">org-entry-get</span> <span class="no">nil</span> <span class="s">"CREATED"</span><span class="p">)))</span> <span class="p">(</span><span class="nv">plist-put</span> <span class="nv">env</span> <span class="ss">:date</span> <span class="nv">created</span><span class="p">)))</span> <span class="p">(</span><span class="nv">advice-add</span> <span class="ss">'org-export-get-environment</span> <span class="ss">:around</span> <span class="nf">#'</span><span class="nv">org-export-get-environment/add-date</span><span class="p">)</span> <span class="c1">;; Iterate through the org-roam nodes and export each of them</span> <span class="p">(</span><span class="k">let*</span> <span class="p">((</span><span class="nv">hugo-base-dir</span> <span class="p">(</span><span class="nv">file-truename</span> <span class="p">(</span><span class="nv">getenv</span> <span class="s">"HUGO_BASE_DIR"</span><span class="p">)))</span> <span class="p">(</span><span class="nv">hugo-static-dir</span> <span class="p">(</span><span class="nv">file-name-concat</span> <span class="nv">hugo-base-dir</span> <span class="s">"static"</span><span class="p">))</span> <span class="p">(</span><span class="nv">org-roam-nodes</span> <span class="p">(</span><span class="nv">org-roam-node-list</span><span class="p">))</span> <span class="p">(</span><span class="nv">unique-roam-nodes</span> <span class="p">(</span><span class="nv">cl-remove-duplicates</span> <span class="nv">org-roam-nodes</span> <span class="ss">:key</span> <span class="p">(</span><span class="k">lambda</span> <span class="p">(</span><span class="nv">node</span><span class="p">)</span> <span class="p">(</span><span class="nv">org-roam-node-id</span> <span class="nv">node</span><span class="p">)))))</span> <span class="c1">;; ox-hugo expects that the $HUGO_BASE_DIR/static directory exists in advance.</span> <span class="p">(</span><span class="nb">unless</span> <span class="p">(</span><span class="nv">file-accessible-directory-p</span> <span class="nv">hugo-static-dir</span><span class="p">)</span> <span class="p">(</span><span class="nv">make-directory</span> <span class="nv">hugo-static-dir</span> <span class="no">t</span><span class="p">))</span> <span class="c1">;; Export each org-roam node</span> <span class="p">(</span><span class="nb">dolist</span> <span class="p">(</span><span class="nv">node</span> <span class="nv">unique-roam-nodes</span><span class="p">)</span> <span class="p">(</span><span class="k">let</span> <span class="p">((</span><span class="nv">node-title</span> <span class="p">(</span><span class="nv">org-roam-node-title</span> <span class="nv">node</span><span class="p">))</span> <span class="p">(</span><span class="nv">node-file</span> <span class="p">(</span><span class="nv">org-roam-node-file</span> <span class="nv">node</span><span class="p">)))</span> <span class="p">(</span><span class="nv">with-current-buffer</span> <span class="p">(</span><span class="nv">find-file-noselect</span> <span class="nv">node-file</span><span class="p">)</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">org-hugo-base-dir</span> <span class="nv">hugo-base-dir</span> <span class="nv">org-hugo-front-matter-format</span> <span class="s">"yaml"</span> <span class="nv">org-hugo-section</span> <span class="s">"notes"</span> <span class="nv">org-agenda-files</span> <span class="no">nil</span> <span class="nv">org-export-with-broken-links</span> <span class="no">t</span><span class="p">)</span> <span class="p">(</span><span class="nv">org-hugo-export-wim-to-md</span><span class="p">))))</span> <span class="p">(</span><span class="nv">message</span> <span class="p">(</span><span class="nb">format</span> <span class="s">"Exported %d org-roam node(s)"</span> <span class="p">(</span><span class="nb">length</span> <span class="nv">unique-roam-nodes</span><span class="p">))))</span> </code></pre></div></div> <p>You can also find the <a href="https://gist.github.com/dnaeon/87427d319ae0b0a14bf7bf2bc0c49a77">full script here</a>.</p> <p>Download the script and make it executable.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://gist.githubusercontent.com/dnaeon/87427d319ae0b0a14bf7bf2bc0c49a77/raw/5034f599a2beb234c6bd28e67dba4f47b17f126d/export-roam-notes-to-hugo.el <span class="nb">chmod</span> +x export-roam-notes-to-hugo.el </code></pre></div></div> <p>The script expects the following env vars to be provided.</p> <ul> <li><code class="language-plaintext highlighter-rouge">HUGO_BASE_DIR</code> - base directory of your Hugo site</li> <li><code class="language-plaintext highlighter-rouge">ORG_ROAM_DIR</code> - directory, which contains your <code class="language-plaintext highlighter-rouge">org-roam</code> notes</li> <li><code class="language-plaintext highlighter-rouge">ORG_ROAM_DB</code> - path to the <code class="language-plaintext highlighter-rouge">org-roam</code> database</li> </ul> <p>In order to run the script either <code class="language-plaintext highlighter-rouge">export</code> the env vars, or pass them using <code class="language-plaintext highlighter-rouge">env</code>, e.g.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">env </span><span class="nv">HUGO_BASE_DIR</span><span class="o">=</span>/path/to/hugo <span class="se">\</span> <span class="nv">ORG_ROAM_DIR</span><span class="o">=</span>/path/to/org-notes <span class="se">\</span> <span class="nv">ORG_ROAM_DB</span><span class="o">=</span>/path/to/org-roam.db <span class="se">\</span> export-roam-notes-to-hugo.el </code></pre></div></div> <p>Upon successful completion it will generate the following directories.</p> <ul> <li><code class="language-plaintext highlighter-rouge">$HUGO_BASE_DIR/content/notes</code> - contains the generated Markdown files</li> <li><code class="language-plaintext highlighter-rouge">$HUGO_BASE_DIR/static/ox-hugo</code> - contains static files, e.g. images</li> </ul> <p>At this point you can start up your Hugo instance and browse your <code class="language-plaintext highlighter-rouge">org-roam</code> notes.</p> <p>Another alternative to Hugo, which I actually like is <a href="https://quartz.jzhao.xyz">Quartz</a>. Quartz comes with plugins like Graph View, backlinks, and many others.</p> <p>In case you are building a site to host your <code class="language-plaintext highlighter-rouge">org-roam</code> notes with Quartz you should check out the <a href="https://www.asterhu.com/post/20240220-publish-org-roam-with-quartz-oxhugo/">Publish org-roam notes to personal wiki using ox-hugo and Quartz</a> post, which provides details on how to get started with Quartz.</p> <p>Using the Emacs Lisp script from this post you can bulk-export your <code class="language-plaintext highlighter-rouge">org-roam</code> notes and serve them with Quartz. One thing to keep in mind is that when syncing your generated Markdown files and static files you need to copy them here.</p> <ul> <li><code class="language-plaintext highlighter-rouge">$HUGO_BASE_DIR/content/notes</code> - needs to be synced at <code class="language-plaintext highlighter-rouge">$QUARTZ_BASE_DIR/content/notes</code></li> <li><code class="language-plaintext highlighter-rouge">$HUGO_BASE_DIR/static/ox-hugo</code> - needs to be synced at <code class="language-plaintext highlighter-rouge">$QUARTZ_BASE_DIR/content/ox-hugo</code></li> </ul> <p>After that, simply start your Quartz instance using the command below.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>npx quartz build <span class="nt">--serve</span> </code></pre></div></div> <p>Here is an example of Quartz serving my <code class="language-plaintext highlighter-rouge">org-roam</code> notes.</p> <p><a href="/images/quartz-node.png" class="glightbox"><img src="/images/quartz-node.png" alt="" /></a></p> <p>And here we can see the graph view of Quartz.</p> <p><a href="/images/quartz-graph-view.png" class="glightbox"><img src="/images/quartz-graph-view.png" alt="" /></a></p> <p>You can also deploy your site to any of the supported <a href="https://quartz.jzhao.xyz/hosting">hosting providers</a>.</p> Sun, 22 Feb 2026 00:00:00 +0000 https://dnaeon.github.io/exporting-org-roam-notes-hugo/ https://dnaeon.github.io/exporting-org-roam-notes-hugo/ Fixing the clicking fan noise of Synology DS224+ <p>Couple of days ago I got my brand new Synology <code class="language-plaintext highlighter-rouge">DS224+</code> disk station, which was meant to replace my current (and old) Synology <code class="language-plaintext highlighter-rouge">DS213j</code> system.</p> <p>My old <code class="language-plaintext highlighter-rouge">DS213j</code> system has served me well for the past ten years, and I have been pretty happy with it. Synology also did an awesome job by providing security updates for all these years to old devices such as the <code class="language-plaintext highlighter-rouge">DS213j</code> I have. However, it was time for an upgrade.</p> <p>After some researching I’ve decided to grab the <code class="language-plaintext highlighter-rouge">DS224+</code>, which is a great improvement over my current <code class="language-plaintext highlighter-rouge">DS213j</code>. It runs with with 4 cores Intel Celeron J4125 CPU and comes with 2GB of memory, and you have the option to upgrade the memory to 6GB in total. And it also has dual-port NICs. Sweet.</p> <p>For comparison my <code class="language-plaintext highlighter-rouge">DS213j</code> runs with a single core Marvell Kirkwood 1.2GHz and has 512MB of memory. And it has a single NIC.</p> <p>Like I’ve mentioned – my <code class="language-plaintext highlighter-rouge">DS213j</code> has served me well for the past years, and I still keep it around. One of the things that I really like about the <code class="language-plaintext highlighter-rouge">DS213j</code> is how quiet it actually is.</p> <p>So, after getting the <code class="language-plaintext highlighter-rouge">DS224+</code> and installing latest DSM 7.2.2 one thing immediately caught my attention – the noise coming from the fan. And that noise was simply annoying and clicking. I’ve <a href="/files/ds224-plus-fan-noise.mp4">recorded a video of the fan noise</a>, coming out of my brand new DS224+, which you can also listen to.</p> <p>The first I did was to make sure that the fan is configured in <code class="language-plaintext highlighter-rouge">Quiet Mode</code> and to my surprise – that was already the case.</p> <p><a href="/images/ds224plus-info.png" class="glightbox"><img src="/images/ds224plus-info.png" alt="" /></a></p> <p>Unfortunately, it turned out that I’m not the only one having such issues with the DS224+. A number of people have already reported similar issues, which you can find in the links below.</p> <ul> <li><a href="https://www.reddit.com/r/synology/comments/1bwq0wi/ds224_fan_noise_is_driving_me_crazy/">ds224+ fan noise is driving me crazy</a></li> <li><a href="https://www.reddit.com/r/synology/comments/193vsjl/ds224_disk_noise_and_slowness/">Ds224+ disk noise and slowness?</a></li> <li><a href="https://www.reddit.com/r/synology/comments/1bfwxa1/ds224_fan_noise_at_low_speed/">DS224+ fan noise at low speed</a></li> <li><a href="https://www.reddit.com/r/synology/comments/1kgf614/ds224_constant_clicking_sound_that_doesnt_seem/">DS224+ constant “clicking” sound that doesn’t seem related to the drives</a></li> </ul> <p>Interestingly, the only way you can make that annoying noise disappear is if you simply switch from <code class="language-plaintext highlighter-rouge">Quiet Mode</code> to <code class="language-plaintext highlighter-rouge">Full-speed mode</code> in the <code class="language-plaintext highlighter-rouge">Fan Speed Mode</code> settings. However, that’s not what I really want to do.</p> <p>The <code class="language-plaintext highlighter-rouge">DS213j</code> and <code class="language-plaintext highlighter-rouge">DS224+</code> while being different in terms of CPUs, architecture, amount of memory, etc., are identical in one thing – and that is the fan they run with.</p> <p>The <a href="https://www.synology.com/en-global/products/spare_parts?search_by=category&amp;category=Fan">Synology Spare Parts</a> page confirms that as well.</p> <p><a href="/images/syno-fan-parts.png" class="glightbox"><img src="/images/syno-fan-parts.png" alt="" /></a></p> <p>Back in the day I had to replace the fan of my old DS213j and I’ve used a <code class="language-plaintext highlighter-rouge">Noctua NF-A9 FLX / 3 pins</code>, which to this day is still running. So, I thought about doing the same with my DS224+ as well – replace the stock fan with a NF-A9 FLX 3-pin fan, however some people have reported issues when using this fan in particular with DSM 7.2.x (check the links above for more details).</p> <p>Another Noctua fan, for which people have reported good results in replacing their stock fan is the <code class="language-plaintext highlighter-rouge">Noctua NF-B9-redux-1600, 92 x 92 x 25 mm / 3 pins</code>, however I didn’t have a spare one I could use immediately, and I had to order one.</p> <p>And while waiting for the NF-B9-redux-1600 to arrive I had to keep listening to that annoying, clicking sound coming from the DS224+ stock fan. Needless to say, I had time to tinker with the new DS224+ and see what can be done to fix this.</p> <p>After some researching and testing various things I eventually found out about <code class="language-plaintext highlighter-rouge">/usr/syno/etc.defaults/scemd.xml</code>, which is the configuration for the fan curve. This file is parsed by the <code class="language-plaintext highlighter-rouge">scemd</code> service and is used to configure various disk and CPU temperature thresholds, which when reached will configure the fan to run either at low and high speeds, so that the system can cool down.</p> <p>Comparing this file on my DS224+ with the same file on my old DS213j showed some differences, which I expected anyways. However, having the exact same fan on both systems, I would at least expect that the fans behave the same (unless one of them is actually broken).</p> <p>You can find the original <code class="language-plaintext highlighter-rouge">scemd.xml</code> files for DS213j and DS224+, which I’ve extracted from my systems here.</p> <ul> <li><a href="/files/scemd-ds213j.xml">DS213j scemd.xml</a></li> <li><a href="/files/scemd-ds224plus.xml">DS224+ scemd.xml</a></li> </ul> <p>Some time later I’ve also found a post from a folk at Reddit, who has provided details about how he/she fixed the same annoying noise by adjusting the fan curve profile in <code class="language-plaintext highlighter-rouge">/usr/syno/etc.defaults/scemd.xml</code>. You can find the <a href="https://www.reddit.com/r/synology/comments/1lbvdp6/solution_for_ds224_fan_noise/">post here</a>.</p> <p>I’ve tried the instructions he left and it actually made a difference on my DS224+, however there was still a minor low frequency noise coming out of that fan, which I was not happy with.</p> <p>Then I’ve decided to simply adapt my existing DS213j config for DS224+. Turned out it was pretty simple, and I didn’t have to deal with any of the conversions from frequency (<code class="language-plaintext highlighter-rouge">Hz</code>) to RPM values.</p> <p>A snippet of changes I did to my <code class="language-plaintext highlighter-rouge">/usr/syno/etc.defaults/scemd.xml</code> file are provided below.</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nt">&lt;fan_config</span> <span class="na">period=</span><span class="s">"20"</span> <span class="na">threshold=</span><span class="s">"6"</span> <span class="na">type=</span><span class="s">"DUAL_MODE_HIGH"</span> <span class="na">hibernation_speed=</span><span class="s">"UNKNOWN"</span><span class="nt">&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>0<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"VERY_LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>33<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>41<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"VERY_HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>47<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>53<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_HIGH"</span> <span class="na">action=</span><span class="s">"SHUTDOWN"</span><span class="nt">&gt;</span>61<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>0<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>55<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>65<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_HIGH"</span> <span class="na">action=</span><span class="s">"SHUTDOWN"</span><span class="nt">&gt;</span>95<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;/fan_config&gt;</span> <span class="nt">&lt;fan_config</span> <span class="na">period=</span><span class="s">"20"</span> <span class="na">threshold=</span><span class="s">"6"</span> <span class="na">type=</span><span class="s">"DUAL_MODE_LOW"</span> <span class="na">hibernation_speed=</span><span class="s">"UNKNOWN"</span><span class="nt">&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>0<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"VERY_LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>38<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>46<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>52<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"VERY_HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>55<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>58<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;disk_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_HIGH"</span> <span class="na">action=</span><span class="s">"SHUTDOWN"</span><span class="nt">&gt;</span>61<span class="nt">&lt;/disk_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>0<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"LOW"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>55<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"HIGH"</span> <span class="na">action=</span><span class="s">"NONE"</span><span class="nt">&gt;</span>65<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;cpu_temperature</span> <span class="na">fan_speed=</span><span class="s">"ULTRA_HIGH"</span> <span class="na">action=</span><span class="s">"SHUTDOWN"</span><span class="nt">&gt;</span>95<span class="nt">&lt;/cpu_temperature&gt;</span> <span class="nt">&lt;/fan_config&gt;</span> </code></pre></div></div> <p>You can also find the <a href="/files/scemd-ds224plus-updated.xml">full updated scemd.xml file here</a>.</p> <p>Feel free to adjust the threshold temperatures for disk and CPU to other values, if needed.</p> <p>After you make changes to the <code class="language-plaintext highlighter-rouge">/usr/syno/etc.defaults/scemd.xml</code> file make sure that you restart the <code class="language-plaintext highlighter-rouge">scemd</code> service.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>systemctl restart scemd </code></pre></div></div> <p>And with these changes made to <code class="language-plaintext highlighter-rouge">scemd.xml</code> the clicking noise coming from the DS224+ fan went away for me, so now I don’t even have to replace it.</p> Tue, 19 Aug 2025 00:00:00 +0000 https://dnaeon.github.io/ds224-plus-clicking-fan-noise/ https://dnaeon.github.io/ds224-plus-clicking-fan-noise/ Remote SDR setup with SDRplay & Raspberry Pi <p>One of the things I like doing in my spare time is messing around with <a href="https://en.wikipedia.org/wiki/Software-defined_radio">Software-defined radio (SDR)</a>.</p> <p>Few years ago I started out with a simple setup – got myself an <a href="https://www.rtl-sdr.com/">RTL-SDR dongle</a>, hooked it up to the computer and connected an antenna. My choice of operating system is GNU/Linux and (btw) I run <a href="https://archlinux.org/">Arch Linux</a> as my daily driver. Next thing was to <a href="https://wiki.archlinux.org/title/RTL-SDR">configure the RTL-SDR driver</a>, install <a href="https://www.gqrx.dk/">gqrx</a> and start it up. Pure joy.</p> <p>Ever since I’ve started with SDR I’ve been using it to listen to random ham operator conversations, track satellites, listen to distant short-wave stations, receive and decode <a href="https://en.wikipedia.org/wiki/Radiofax">radio faxes</a>, <a href="https://www.ariss.org/contact-the-iss.html">listening to the International Space Station (ISS)</a>, etc.</p> <p>It’s a fun thing to do with lots of possibilities! My wife thinks differently, though. She thinks that “I’m just playing with some toys”. And in a way she might be right, but it’s still a fun thing to mess with.</p> <p>This is a <a href="https://en.wikipedia.org/wiki/Radiofax">radio fax</a> transmitted by the <a href="https://de.wikipedia.org/wiki/Deutscher_Wetterdienst">Deutscher Wetterdienst (DWD)</a>, which is more than 1000 kilometers away from where I live and captured the broadcast.</p> <p><a href="/images/sdr/wefax_20230609_083939_12789999_gui.png" class="glightbox"><img src="/images/sdr/wefax_20230609_083939_12789999_gui.png" alt="" /></a></p> <p>At some later point I got a <a href="https://support.nooelec.com/hc/en-us/articles/360005812474-Ham-It-Up-Upconverter">Ham it Up Plus Upconverter</a>, which you can use in combination with your RTL-SDR dongle for short-wave listening.</p> <p>Then an <a href="https://airspy.com/airspy-r2/">Airspy R2</a> with a <a href="https://airspy.com/spyverter-r2/">Spyverter R2</a>. Compared to RTL-SDR, the Airspy R2 is the better choice, at least to me. I was getting better reception with the Airspy, than I was getting with the RTL-SDR dongle.</p> <p>I should also mention that I live in <a href="https://en.wikipedia.org/wiki/Sofia">Sofia</a>, which is the capital of <a href="https://en.wikipedia.org/wiki/Bulgaria">Bulgaria</a>. I also live in an apartment, which means that I don’t have much spare space to practice my hobby. I can’t just install an antenna pole on the balcony here or spread out some long antenna wires across the buildings. So I have to plan things a bit.</p> <p>I’m using one <a href="https://www.amazon.com/dp/B07RRSBTVW?ref=ppx_yo2ov_dt_b_fed_asin_title">GRA-D220 144/440/900/1200MHz Mini Discone Antenna</a>, which is a multi-band antenna and is good enough for listening on 2m and 70cm bands.</p> <p><a href="/images/sdr/gra-d220.jpg" class="glightbox"><img src="/images/sdr/gra-d220.jpg" alt="" /></a></p> <p>The other antenna I use is the <a href="https://www.amazon.com/dp/B095K89WND?ref=ppx_yo2ov_dt_b_fed_asin_title&amp;th=1">MLA-30+ Loop Antenna,0.5-30MHz Active Receiving Antenna</a>, which is used for short-wave listening.</p> <p><a href="/images/sdr/mla30-plus.jpg" class="glightbox"><img src="/images/sdr/mla30-plus.jpg" alt="" /></a></p> <p>One of the challenges I’ve always had with my SDR setup is that each time I wanted to start it up and just scan through the frequencies I had to take out the SDR receivers, get the long coax cable from the balcony and take it inside the room with me, connect it to the SDR, and then plug into the computer. This takes time, then I have cables crossing the room, and later I’ll have to undo everything I did once I’m done with it.</p> <p>I managed to save myself some time by mounting the SDRs on a wooden plate, which I then mounted next to my computer, but still the problem with dragging the antenna cables with me inside the room was bugging me. And drilling holes through the wall was not an option.</p> <p><a href="/images/sdr/airspy-ham-it-up-rtlsdr.jpg" class="glightbox"><img src="/images/sdr/airspy-ham-it-up-rtlsdr.jpg" alt="" /></a></p> <p>This setup worked well for some time, but it was about time to take things to the next level.</p> <p>Using <a href="https://github.com/pinkavaj/rtl-sdr/blob/master/src/rtl_tcp.c">rtl_tcp</a> allows you to stream your SDR over the network, so if you have an SDR running on a remote location, you could connect to it via the network from a remote client. That means I could just leave the SDRs in a waterproof box on the balcony and then connect to them over the network. And that also means no more cables running across the room. I could also access my SDRs from elsewhere by simply connecting to my home network via <a href="https://www.wireguard.com/">WireGuard</a>. Easy as that.</p> <p>Okay, so what do I need to get this up and running?</p> <p>I’ve got the SDRs already, and the antennas, I would also need a computer as well, which I can simply put inside the box with the rest of the SDRs. The obvious choice here is to use a <a href="https://www.raspberrypi.com/products/raspberry-pi-5/">Raspberry Pi</a>, first because of it’s dimensions, and second because it’s powerful enough to serve this purpose.</p> <p>However, putting all these things in a single box ended up as quite a challenge and eventually I started looking for a new compact SDR, with dual antenna ports, which I could put inside the box along with the Raspberry Pi.</p> <p>Eventually, I ended with the <a href="https://www.sdrplay.com/rspduo/">RSPduo from SDRplay</a>. The RSPduo can operate between 1kHz and 2GHz, which meant that I don’t actually need an upconverter anymore, and that also means less space is required to fit all these components in a single waterproof box.</p> <p>With all these details out of the way it was time to get some work done.</p> <p><a href="/images/sdr/rpi-rspduo-parts.jpg" class="glightbox"><img src="/images/sdr/rpi-rspduo-parts.jpg" alt="" /></a></p> <p>Here’s a list of the components I’ve used.</p> <ul> <li><a href="https://www.raspberrypi.com/products/raspberry-pi-5/">Raspberry Pi 5</a> - 16GB (8GB is more than enough, but I’ve got the 16GB anyways)</li> <li>SanDisk SD Card</li> <li><a href="https://odseven.com/collections/micro-bit/products/heavy-duty-aluminum-passive-cooling-case-for-raspberry-pi-5">Aluminium Passive Cooling Case</a></li> <li><a href="https://www.raspberrypi.com/products/27w-power-supply/">Raspberry Pi 27W USB-C Power Supply</a></li> <li><a href="https://www.sdrplay.com/rspduo/">RSPduo</a></li> <li>USB-A to USB-B cable (RSPduo doesn’t come with USB cables)</li> </ul> <p>After putting all these components in a box it looks like this. This is the Raspberry Pi in it’s aluminium case.</p> <p><a href="/images/sdr/rpi-case.jpg" class="glightbox"><img src="/images/sdr/rpi-case.jpg" alt="" /></a></p> <p>All components packed nicely in the box. I’ve used some velcro strips to get the components <em>mounted</em> in the box, which I think ended up good enough.</p> <p><a href="/images/sdr/sdr01-box-open.jpg" class="glightbox"><img src="/images/sdr/sdr01-box-open.jpg" alt="" /></a></p> <p><a href="/images/sdr/sdr01-box-open2.jpg" class="glightbox"><img src="/images/sdr/sdr01-box-open2.jpg" alt="" /></a></p> <p>And this is how the box looks like when closed.</p> <p><a href="/images/sdr/sdr01-box-closed.jpg" class="glightbox"><img src="/images/sdr/sdr01-box-closed.jpg" alt="" /></a></p> <p>Having all the components in place it was time to install the software. The Raspberry Pi runs with <a href="https://sourceforge.net/projects/dragonos-pi64/">DragonOS</a>, which comes with many SDR-related tools pre-installed. In order to install it download the <a href="https://sourceforge.net/projects/dragonos-pi64/">DragonOS_Pi64</a> image and install it on your SD card using the <a href="https://www.raspberrypi.com/software/">Raspberry Pi Imager</a>.</p> <p>Once installed boot your Raspberry Pi and login to it. The default username and password in DragonOS are:</p> <ul> <li>Username: <code class="language-plaintext highlighter-rouge">ubuntu</code></li> <li>Password: <code class="language-plaintext highlighter-rouge">dragon</code></li> </ul> <p>Now it’s time to configure the Pi. You can use the <code class="language-plaintext highlighter-rouge">raspi-config</code> tool to configure various system settings such as hostname, password, WiFi, etc.</p> <p><a href="/images/sdr/raspi-config.png" class="glightbox"><img src="/images/sdr/raspi-config.png" alt="" /></a></p> <p>Make sure that your system is up-to-date as well.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get upgrade </code></pre></div></div> <p>In case you need any other packages, now is the time to install them as well, e.g. install command-line editors (<code class="language-plaintext highlighter-rouge">mg</code>), <code class="language-plaintext highlighter-rouge">sudo(8)</code> access, <code class="language-plaintext highlighter-rouge">tmux</code>, <code class="language-plaintext highlighter-rouge">lm-sensors</code> for monitoring the sensors of your Pi, etc.</p> <p>Once you are done with updating and configuring your Pi we need to reboot it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>reboot </code></pre></div></div> <p><strong>NOTE</strong>: In case you are connecting to your Pi using VNC and experiencing strange issues such as blank screen you can follow the steps below to get VNC up and running. If you don’t use VNC at all, or don’t experience such issue, you can safely skip the next few steps, which discuss how to fix the VNC connection to your Pi.</p> <p>Check the status of the <code class="language-plaintext highlighter-rouge">vncserver-x11-serviced</code> service.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span><span class="nb">sudo </span>journalctl <span class="nt">-u</span> vncserver-x11-serviced.service May 21 06:45:45 ubuntu systemd[1]: Started vncserver-x11-serviced.service - VNC Server <span class="k">in </span>Service Mode daemon. May 21 06:45:46 ubuntu vncserver-x11[2568]: ServerManager: Server started May 21 06:45:48 ubuntu vncserver-x11[2568]: ConsoleDisplay: Cannot find a running X server on vt1 May 21 06:46:08 ubuntu vncserver-x11[2568]: ConsoleDisplay: Found running X server <span class="o">(</span><span class="nv">pid</span><span class="o">=</span>3471, <span class="nv">binary</span><span class="o">=</span>/usr/lib/xorg/Xorg<span class="o">)</span> May 29 11:25:12 ubuntu vncserver-x11[2568]: Connections: connected: 192.168.88.70::63330 <span class="o">(</span>TCP<span class="o">)</span> May 29 11:25:12 ubuntu vncserver-x11[2568]: Connections: disconnected: 192.168.88.70::63330 <span class="o">(</span>TCP<span class="o">)</span> <span class="o">([</span>ConnFailed] No configured security <span class="nb">type </span>is supported by 3.3 VNC Viewer<span class="o">)</span> May 29 11:25:32 ubuntu vncserver-x11[2568]: Connections: connected: 192.168.88.70::63335 <span class="o">(</span>TCP<span class="o">)</span> May 29 11:25:32 ubuntu vncserver-x11[2568]: Connections: disconnected: 192.168.88.70::63335 <span class="o">(</span>TCP<span class="o">)</span> <span class="o">([</span>ConnFailed] No configured security <span class="nb">type </span>is supported by 3.3 VNC Viewer<span class="o">)</span> May 29 11:26:51 ubuntu vncserver-x11[2568]: Connections: connected: 192.168.88.70::63352 <span class="o">(</span>TCP<span class="o">)</span> May 29 11:26:51 ubuntu vncserver-x11[2568]: Connections: disconnected: 192.168.88.70::63352 <span class="o">(</span>TCP<span class="o">)</span> <span class="o">([</span>ConnFailed] No configured security <span class="nb">type </span>is supported by 3.3 VNC Viewer<span class="o">)</span> </code></pre></div></div> <p>I was having issues with VNC on my Pi, and from the logs above you can see that as soon as the session is established it is followed immediately by closing the session. Here is how I’ve fixed it on my Pi.</p> <p>First, stop and disable the VNC services.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>systemctl stop vncserver-virtuald.service <span class="nb">sudo </span>systemctl stop vncserver-x11-serviced.service <span class="nb">sudo </span>systemctl disable vncserver-virtuald.service <span class="nb">sudo </span>systemctl disable vncserver-x11-serviced.service </code></pre></div></div> <p>Then remove the <code class="language-plaintext highlighter-rouge">realvnc-vnc-server</code> server package.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get remove realvnc-vnc-server </code></pre></div></div> <p>Now we will install <code class="language-plaintext highlighter-rouge">tigervnc</code> server instead, which works just fine.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get <span class="nb">install </span>tigervnc-standalone-server tigervnc-xorg-extension tigervnc-tools </code></pre></div></div> <p>For <code class="language-plaintext highlighter-rouge">tigervnc</code> we need to configure user mappings in <code class="language-plaintext highlighter-rouge">/etc/tigervnc/vncserver.users</code> file.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># TigerVNC User assignment</span> <span class="c">#</span> <span class="c"># This file assigns users to specific VNC display numbers.</span> <span class="c"># The syntax is &lt;display&gt;=&lt;username&gt;. E.g.:</span> <span class="c">#</span> <span class="c"># :2=andrew</span> <span class="c"># :3=lisa</span> :1<span class="o">=</span>ubuntu </code></pre></div></div> <p>In the config above we have mapped user <code class="language-plaintext highlighter-rouge">ubuntu</code> to the <code class="language-plaintext highlighter-rouge">:1</code> display on port <code class="language-plaintext highlighter-rouge">5901</code>.</p> <p>Create a VNC password for your <code class="language-plaintext highlighter-rouge">ubuntu</code> user.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vncpasswd </code></pre></div></div> <p>Type and verify your password. The password will be hashed and stored in <code class="language-plaintext highlighter-rouge">~/.vnc/passwd</code>.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Password: Verify: Would you like to enter a view-only password <span class="o">(</span>y/n<span class="o">)</span>? n A view-only password is not used </code></pre></div></div> <p>Enable and start an instance of the <code class="language-plaintext highlighter-rouge">tigervncserver</code> service.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>systemctl start tigervncserver@:1.service <span class="nb">sudo </span>systemctl <span class="nb">enable </span>tigervncserver@:1.service </code></pre></div></div> <p>You should be able to verify that the VNC server is up and running and it’s already listening for new connections.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span>netstat <span class="nt">-tlpan</span> | <span class="nb">grep </span>5901 <span class="o">(</span>Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.<span class="o">)</span> tcp 0 0 127.0.0.1:5901 0.0.0.0:<span class="k">*</span> LISTEN 248895/Xtigervnc tcp6 0 0 ::1:5901 :::<span class="k">*</span> LISTEN 248895/Xtigervnc </code></pre></div></div> <p>Note that it listens on <code class="language-plaintext highlighter-rouge">localhost</code> interface only, which is fine with me, since I don’t want it exposed anyways. In order to access the VNC server I’m doing it over an SSH tunnel.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh <span class="nt">-L</span> 5901:localhost:5901 sdr01.internal </code></pre></div></div> <p>Now we can start up a VNC client and connect to <code class="language-plaintext highlighter-rouge">localhost:5901</code> using the password we’ve set before with <code class="language-plaintext highlighter-rouge">vncpasswd</code>.</p> <p>For additional information about TigerVNC, please refer to the <a href="https://wiki.archlinux.org/title/TigerVNC">TigerVNC Arch Linux Wiki</a> page.</p> <p>With the VNC issues out of the way, we can proceed and install the <a href="https://www.sdrplay.com/api/">SDRplay API</a> and <a href="https://www.sdrplay.com/sdrconnect/">SDRconnect</a> on our Pi.</p> <p>You can also watch this nice <a href="https://www.youtube.com/watch?v=kHOVAJi1JBs">intro about SDRconnect in this video here</a>.</p> <p>At the time of writing this document the version of SDRconnect I’m installing is release <code class="language-plaintext highlighter-rouge">83273bcd8</code>, which was downloaded from the SDRplay website.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span>wget https://www.sdrplay.com/software/SDRconnect_linux-arm64_83273bcd8.run ubuntu@sdr01:~<span class="nv">$ </span>./SDRconnect_linux-arm64_83273bcd8.run </code></pre></div></div> <p>Once SDRconnect is successfully installed you should see output similar to the one below.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Press y and RETURN to accept the license agreement and <span class="k">continue </span>with the installation, or press n and RETURN to <span class="nb">exit </span>the installer <span class="o">[</span>y/n] y Testing <span class="k">for </span>arm64 compliance.......Done Checking <span class="k">for </span>package tools...apt found Checking <span class="k">for </span>libusb-1.0...found Checking <span class="k">for </span>libasound2...found Checking <span class="k">for </span>libuuid1...found Checking <span class="k">for </span>libudev1...found udev directory found, adding rules <span class="k">for </span>RSPs...Done SDRconnect will be installed into /opt/sdrconnect To change the installation path, enter the new location at the prompt. Installation location <span class="o">[</span>/opt/sdrconnect]: SDRconnect will be installed to: /opt/sdrconnect To start the installation press y and RETURN or n and RETURN to <span class="nb">exit</span> <span class="o">[</span>y/n] y Installing to /opt/sdrconnect.............Done Create a system menu entry to launch SDRconnect client? <span class="o">[</span>y/n] y Installing menu entry......Done Checking SDRconnect Server Service status...not installed Do you want this installation to operate the SDRconnect server as a continuous background service? <span class="o">[</span>y/n] y SDRconnect Server Service options file installed. <span class="nt">--</span><span class="o">&gt;</span> /opt/sdrconnect/server_options.txt SDRconnect Server Service file created. Installing service... <span class="o">(</span>may take a <span class="k">while</span>, please wait...<span class="o">)</span> SDRconnect Server Service started. To change the server service <span class="nb">command </span>line options, edit the /opt/sdrconnect/server_options.txt file and start the service again. To stop and start the service, use... <span class="nb">sudo </span>systemctl stop sdrconnect <span class="nb">sudo </span>systemctl start sdrconnect To disable the service <span class="o">(</span>e.g. to stop the service starting after a reboot<span class="o">)</span> and <span class="k">then </span><span class="nb">enable </span>it again, use... <span class="nb">sudo </span>systemctl disable sdrconnect.service <span class="nb">sudo </span>systemctl <span class="nb">enable </span>sdrconnect.service Make a note of this information! Important Note: When the server service is running, the RSP that it is using cannot be used by another application on this host. You will need to stop the server service to make that RSP available to other applications. Press any key to <span class="k">continue </span>To add the new installation folder to your search path, please add the following line to the bottom of your ~/.bashrc file and restart your terminal window... <span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span>/opt/sdrconnect:<span class="nv">$PATH</span> Warning: System files have been changed on your system, so it is recommended that you reboot your system <span class="k">for </span>correct operation. SDRconnect installation finished. </code></pre></div></div> <p>Add <code class="language-plaintext highlighter-rouge">/opt/sdrconnect</code> to your PATH as mentioned in the output above.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s1">'export PATH=/opt/sdrconnect:$PATH'</span> <span class="o">&gt;&gt;</span> ~/.bashrc </code></pre></div></div> <p>Time to install SDRplay RSP API.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span>wget https://www.sdrplay.com/software/SDRplay_RSP_API-Linux-3.15.2.run ubuntu@sdr01:~<span class="nv">$ </span>./SDRplay_RSP_API-Linux-3.15.2.run </code></pre></div></div> <p>This is what the output from the install script looks like.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Verifying archive integrity... All good. Uncompressing SDRplay RSP API Install Package V3.15 <span class="o">(</span>installer v2<span class="o">)</span> SDRplay API 3.15 Installation <span class="o">=============================</span> This installation requires to either be run as root, or it will request root access through the <span class="nb">sudo </span>program. This is required to <span class="nb">install </span>the daemon into the system files. Press RETURN to view the license agreement ... Press y and RETURN to accept the license agreement and <span class="k">continue </span>with the installation, or press n and RETURN to <span class="nb">exit </span>the installer <span class="o">[</span>y/n] y A copy of the license agreement can be found here: /home/ubuntu/sdrplay_license.txt Architecture reported as being 64 bit System reports 64 bit files found System is also setup to produce 64 bit files Architecture reports machine as being arm64 compliant Checking <span class="k">for </span>root permissions. You may be prompted <span class="k">for </span>your password... The rest of the installation will <span class="k">continue </span>with root permission... This API requires the following system dependencies... libusb and lidudev If the installer cannot detect the presence of these, you will have the option to <span class="k">continue </span>and you will need to <span class="nb">install </span>them Checking <span class="k">for </span>package tools... apt found Checking <span class="k">for </span>packages... libusb-1.0 found libudev1 found Udev directory found, adding rules...rules added Adding SDRplay devices to the <span class="nb">local </span>hardware database...Done USB name database not found, continuing... Installing API files, the default locations are... API service : /opt/sdrplay_api API header files : /usr/local/include API shared library : /usr/local/lib Daemon start scripts : /etc/systemd/system Daemon start system : SystemD To <span class="k">continue </span>the installation with these defaults press y and RETURN or press n and RETURN to change them <span class="o">[</span>y/n] y Cleaning old API files...Done. Installing /usr/local/lib/libsdrplay_api.so.3.15...Done Installing header files <span class="k">in</span> /usr/local/include...Done Installing API Service <span class="k">in</span> /opt/sdrplay_api...Done Installing Service scripts and starting daemon...Created symlink /etc/systemd/system/multi-user.target.wants/sdrplay.service → /etc/systemd/system/sdrplay.service. Done The API Service has been installed and started. After the installation has finished, please reboot this device. To start and stop the API service, use the following commands... <span class="nb">sudo </span>systemctl start sdrplay <span class="nb">sudo </span>systemctl stop sdrplay If supported on your system, lsusb will now show the RSP name SDRplay API 3.15 Installation Finished </code></pre></div></div> <p>Time to reboot the system as mentioned in the output above.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>reboot </code></pre></div></div> <p>Verify that you can see your SDRPlay device after rebooting and connecting your SDR.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span>lsusb Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 002: ID 1df7:3020 SDRplay RSPduo Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub </code></pre></div></div> <p>In order to connect remotely via SDRConnect the <code class="language-plaintext highlighter-rouge">sdrconnect</code> service should already be running and listening on port <code class="language-plaintext highlighter-rouge">50000</code>.</p> <p>Verify that the <code class="language-plaintext highlighter-rouge">sdrconnect.service</code> is up and running.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span><span class="nb">sudo </span>systemctl status sdrconnect ● sdrconnect.service - SDRconnect Server Loaded: loaded <span class="o">(</span>/etc/systemd/system/sdrconnect.service<span class="p">;</span> enabled<span class="p">;</span> preset: enabled<span class="o">)</span> Active: active <span class="o">(</span>running<span class="o">)</span> since Sun 2025-07-13 13:19:50 EEST<span class="p">;</span> 26min ago Process: 2052 <span class="nv">ExecStartPre</span><span class="o">=</span>/bin/sleep 30 <span class="o">(</span><span class="nv">code</span><span class="o">=</span>exited, <span class="nv">status</span><span class="o">=</span>0/SUCCESS<span class="o">)</span> Main PID: 6096 <span class="o">(</span>startServer.sh<span class="o">)</span> Tasks: 24 <span class="o">(</span>limit: 18709<span class="o">)</span> Memory: 38.9M <span class="o">(</span>peak: 39.3M<span class="o">)</span> CPU: 9.191s CGroup: /system.slice/sdrconnect.service ├─6096 /bin/sh /opt/sdrconnect/startServer.sh └─6098 /opt/sdrconnect/SDRconnect <span class="nt">--server</span> <span class="nt">--port</span><span class="o">=</span>50000 Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: RF Notch Disabled Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: DAB Notch Disabled Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Hardware Control: 1st Client can control the hardware Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Maximum number of clients: 8 Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: PPM Correction: 0 Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Full IQ: Allowed Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Audio mode: Allowed Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Virtual Receivers <span class="o">(</span>VRXs<span class="o">)</span>: Allowed Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Server started Jul 13 13:19:52 sdr01.internal startServer.sh[6098]: Press CTRL-C to stop the server </code></pre></div></div> <p>And confirm that it’s listening on port <code class="language-plaintext highlighter-rouge">50000</code> port.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ubuntu@sdr01:~<span class="nv">$ </span><span class="nb">sudo </span>netstat <span class="nt">-tlpan</span> | <span class="nb">grep </span>50000 tcp 0 0 0.0.0.0:50000 0.0.0.0:<span class="k">*</span> LISTEN 6098/SDRconnect </code></pre></div></div> <p><strong>NOTE</strong>: In case you want to use <code class="language-plaintext highlighter-rouge">gqrx</code> with your RSPduo device and upon starting up <code class="language-plaintext highlighter-rouge">gqrx</code> you don’t see the RSPduo in the device list, then make sure to stop the <code class="language-plaintext highlighter-rouge">sdrconnect</code> service as the device is already in use by it.</p> <p>So, to use <code class="language-plaintext highlighter-rouge">gqrx</code> with your RSPduo first stop the <code class="language-plaintext highlighter-rouge">sdrconnect</code> service.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>systemctl stop sdrconnect </code></pre></div></div> <p>Start up <code class="language-plaintext highlighter-rouge">gqrx</code> now and you should see the RSPduo in the device list. If you don’t intend to use <code class="language-plaintext highlighter-rouge">gqrx</code> and want to stick to <code class="language-plaintext highlighter-rouge">SDRconnect</code> you should leave the <code class="language-plaintext highlighter-rouge">sdrconnect</code> service up and running.</p> <p>In order to connect to your Pi using <code class="language-plaintext highlighter-rouge">SDRconnect</code> you should first add a new remote device. Go ahead and add your Pi to the <code class="language-plaintext highlighter-rouge">SDRconnect</code> remote devices list, test the connection and save.</p> <p><a href="/images/sdr/sdrconnect-remote-devices.png" class="glightbox"><img src="/images/sdr/sdrconnect-remote-devices.png" alt="" /></a></p> <p>Once you’ve saved your device you need to <code class="language-plaintext highlighter-rouge">Refresh Device List</code> as well.</p> <p><a href="/images/sdr/sdrconnect-refresh-device-list.png" class="glightbox"><img src="/images/sdr/sdrconnect-refresh-device-list.png" alt="" /></a></p> <p>And now you should see your device and be able to connect to it.</p> <p><a href="/images/sdr/sdrconnect-device-list.png" class="glightbox"><img src="/images/sdr/sdrconnect-device-list.png" alt="" /></a></p> <p>Here’s a screenshot of SDRconnect receiving from some local WFM broadcast stations.</p> <p><a href="/images/sdr/sdrconnect-wfm.png" class="glightbox"><img src="/images/sdr/sdrconnect-wfm.png" alt="" /></a></p> <p>Unfortunately at the time of writing this document there was no activity on the <code class="language-plaintext highlighter-rouge">2m</code> and <code class="language-plaintext highlighter-rouge">70cm</code> bands, so I could not take some screenshots of them as well.</p> <p>Well, that’s all for now.</p> <p>LZ1DFB, 73!</p> Sun, 13 Jul 2025 00:00:00 +0000 https://dnaeon.github.io/remote-sdr-setup/ https://dnaeon.github.io/remote-sdr-setup/ A new member of the homelab -- HP Pro Mini 400 G9 <p>My homelab setup hasn’t changed much for the last few years.</p> <p>I have been happily running a couple of Intel NUC systems over the years. Initially they have been running ESXi, then they got migrated to <a href="https://wiki.archlinux.org/title/KVM">Arch Linux and KVM</a>.</p> <p>The workloads running on these systems vary, depending on what I’m actually working on or testing at a given point in time, but the ones that keep running on them at all times are <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery">Kubernetes</a>, <a href="https://adguard.com/en/welcome.html">AdGuard</a>, <a href="https://syncthing.net/">SyncThing</a>, <a href="https://wiki.archlinux.org/title/Plex">Plex</a>, <a href="https://about.gitea.com/">Gitea</a> and some <a href="https://docs.gitea.com/usage/actions/act-runner">Gitea Action Runners</a>.</p> <p>For running Kubernetes I’m using <a href="https://www.talos.dev/">Talos Linux</a> nodes, and I really like the way Talos handles the Kubernetes lifecycle management using minimal and immutable nodes.</p> <p>I should mention that the Intel NUC systems are quite old. One of them is running an Intel i3 5th generation, and the other one is Intel NUC i5 8th generation. Over the years the only maintenance I had to do on these systems is to make sure to replace their fans, but besides that they have been rock solid.</p> <p>While these systems do serve their purpose just fine for my humble homelab requirements, I thought it was about time I upgrade it a bit, so that I can future-proof it for the years to come.</p> <p>In case you haven’t heard of this yet, Intel has discontinued development of the NUC systems. Future development of NUC is now handled by ASUS, so before I bite the bullet and order a new NUC, I’ve decided to do a bit of research about these new ASUS NUCs.</p> <p>Unfortunately, when reading reviews for the ASUS NUCs you will find lots of mixed feelings – some people claim they are good, others mention that they run pretty hot and thermal throttle. One of the most concerning things to me is the fact that I’ve been reading a lot of reviews about the ASUS NUC 14 (and 15) Pro from users complaining about the loud fan noise. And that is not something I’d like to have.</p> <p>With the old Intel NUCs it was easy – the CPUs back in the day were not that powerful and with low enough TDP, making them a no brainer when it comes to picking up an Intel NUC for your homelab.</p> <p>Eventually, I gave up on the idea of having an ASUS NUC as my new homelab node, and after some time spent on researching I decided to go with <a href="https://www.hp.com/us-en/shop/mdp/prodesk-400-mini">HP Pro Mini 400 G9</a>.</p> <p>I went with the following specs.</p> <ul> <li>Intel Core i5-13500T</li> <li>64GB memory</li> <li>2TB Samsung 990 Evo Plus NVME</li> </ul> <p>Additional specs about this machine can be found in the <a href="https://h20195.www2.hp.com/v2/getpdf.aspx/c08017709.pdf">HP Pro Series 400 G9 specs</a> page.</p> <p><a href="/images/hp-pro-mini-400-g9.jpg" class="glightbox"><img src="/images/hp-pro-mini-400-g9.jpg" alt="" /></a></p> <p>Compared to my old Intel NUCs this system is more powerful and capable of replacing my two NUC nodes. The case is all metal, which is better than any plastic case, and helps with thermal dissipation.</p> <p>Besides the NVME drive you can also install a 2.5 inch SATA SSD as well. One thing that was not clear to me when ordering this machine is the fact that when you purchase this system with an NVME disk it will arrive <em>without</em> the 2.5 inch SATA Drive Bay kit.</p> <p>So, if you are planning on installing a 2.5 inch SATA disk you will need to order the <a href="https://www.hp.com/ie-en/products/accessories/product-details/38000177">HP Desktop Mini 2.5” SATA Drive Bay kit v2 (13L70AA)</a> separately. I got my brand new 2.5 inch SATA drive bay from <a href="https://www.ebay.de/itm/205496237120">eBay</a>.</p> <p><a href="/images/hp-13l70aa-1.jpg" class="glightbox"><img src="/images/hp-13l70aa-1.jpg" alt="" /></a></p> <p><a href="/images/hp-13l70aa-2.jpg" class="glightbox"><img src="/images/hp-13l70aa-2.jpg" alt="" /></a></p> <p><a href="/images/hp-13l70aa-3.jpg" class="glightbox"><img src="/images/hp-13l70aa-3.jpg" alt="" /></a></p> <p>I’ve also got two <a href="https://www.solidigm.com/products/data-center/d3/s4520.html#form=2.5%22%207mm&amp;cap=1.92%20TB">SOLIDIGM D3-S4520 SATA SSD</a> disks. These are enterprise SATA SSD disks with Power Loss Protection (PLP) and should serve me well for the coming years.</p> <p><a href="/images/solidigm-d3-s4520.jpg" class="glightbox"><img src="/images/solidigm-d3-s4520.jpg" alt="" /></a></p> <p>As the system only has a single drive bay one of these disks goes into the drive bay, and the other one will be connected to the machine via a USB Type C enclosure. Then both disks will be part of a ZFS mirror pool. The NVME disk will be added to a separate ZFS pool and will be used for workloads which have faster I/O needs.</p> <p>Another nice thing about this system is how easy it is to access the mainboard, throw some RAM in it, replace an SSD or fan, which makes maintenance an easy and hassle-free job. The installation of the drive bay was easy and nicely fits into the chassis.</p> <p><a href="/images/hp-13l70aa-4.jpg" class="glightbox"><img src="/images/hp-13l70aa-4.jpg" alt="" /></a></p> <p>One thing I really like about the HP Pro Mini 400 G9 is how quite it actually is, even under load.</p> <p>I’ve installed <a href="https://www.proxmox.com/en/">Proxmox VE</a> on this system with <a href="https://openzfs.org/wiki/Main_Page">OpenZFS </a> and have already migrated my workloads from the Intel NUC systems to it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">sudo </span>zpool status pool: rpool state: ONLINE scan: resilvered 38.3G <span class="k">in </span>00:01:42 with 0 errors on Mon Jul 14 21:43:27 2025 config: NAME STATE READ WRITE CKSUM rpool ONLINE 0 0 0 mirror-0 ONLINE 0 0 0 ata-SOLIDIGM_SSDSC2KB019TZ_PHYI513202JB1P9DGN-part2 ONLINE 0 0 0 ata-SOLIDIGM_SSDSC2KB019TZ_PHYI513202F91P9DGN-part2 ONLINE 0 0 0 errors: No known data errors </code></pre></div></div> <p>And here’s the system installed in the homelab rack.</p> <p><a href="/images/hp-pro-mini-400-g9-rack.jpg" class="glightbox"><img src="/images/hp-pro-mini-400-g9-rack.jpg" alt="" /></a></p> <p>In the picture above you will see one of the Intel NUCs, the new HP Pro Mini 400 G9 next to it, a <a href="https://mikrotik.com/products/compare/RB3011UiAS-RM">MikroTik RouterBOARD RB3011 UIAS-RM</a>, <a href="https://jetkvm.com/">JetKVM</a> currently connected to the Intel NUC and my old Synology DS213j storage server, which needs an upgrade as well.</p> Mon, 07 Jul 2025 00:00:00 +0000 https://dnaeon.github.io/hp-pro-mini-400-g9/ https://dnaeon.github.io/hp-pro-mini-400-g9/ Using JWT Authentication Method with the Go SDK for Vault <p>In the <a href="https://dnaeon.github.io/kubernetes-vault-oidc/">Setting up a Kubernetes cluster with Vault and OIDC trust</a> post we’ve seen how to configure identity federation between a Kubernetes cluster and Vault.</p> <p>Once you have the <a href="https://developer.hashicorp.com/vault/docs/auth/jwt">JWT Authentication Method</a> configured properly in Vault, we can get access to Vault by first authenticating against the auth method’s <code class="language-plaintext highlighter-rouge">/login</code> endpoint. This is how you would do it when using the Vault CLI.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault write auth/jwt/login <span class="nv">role</span><span class="o">=</span>my-role-name <span class="nv">jwt</span><span class="o">=</span>@/path/to/my/token </code></pre></div></div> <p>On successful authentication Vault will give us back a token, which we can use in subsequent calls to Vault, e.g. for retrieving secrets, adding new secrets, etc.</p> <p>And what about the SDK? How do authenticate against our JWT/OIDC Auth Method when using the Go SDK?</p> <p>The Vault SDK for Go can be found in the <a href="https://github.com/hashicorp/vault/tree/main/api">github.com/hashicorp/vault/api</a> package. There’s also a <a href="https://github.com/hashicorp/vault-examples/blob/main/examples/_quick-start/go/example.go">quick start example for Go</a> in the <a href="https://github.com/hashicorp/vault-examples/tree/main">github.com/hashicorp/vault-examples</a> repo. And in the same repo there’s also an <a href="https://github.com/hashicorp/vault-examples/blob/main/examples/auth-methods/kubernetes/go/example.go">example of using JWT Auth Method from a Kubernetes cluster</a>.</p> <p>But what about a more generic JWT/OIDC Auth Method support in the Go SDK? You know, one that doesn’t actually rely on <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery">Kubernetes Service Account Tokens</a>.</p> <p>Well, it turns out that a more generic <a href="https://github.com/hashicorp/vault/issues/28912">JWT Auth Method does not exist in the SDK yet</a>.</p> <p>Technically speaking the <a href="https://github.com/hashicorp/vault/blob/0ee8d99d9c7d5ce0e1a4638e26c05a716032b3c5/api/auth/kubernetes/kubernetes.go#L14-L18">auth.KubernetesAuth</a> implementation of the <a href="https://github.com/hashicorp/vault/blob/0ee8d99d9c7d5ce0e1a4638e26c05a716032b3c5/api/auth.go#L16-L18">vault.AuthMethod</a> interface does that already, and you could use it outside of Kubernetes by tweaking the various options such as <code class="language-plaintext highlighter-rouge">WithServiceAccountToken</code>, <code class="language-plaintext highlighter-rouge">WithServiceAccountTokenPath</code>, etc., but at the same time this implementation contains too much Kubernetes details such as service accounts, default token path in a Kubernetes pod, etc.</p> <p>Besides, the name of the Auth Method implementation might confuse people when reading your code making them think that Kubernetes is a requirement, while actually it is not.</p> <p>So, what can we do? Well, we can implement our own <a href="https://github.com/hashicorp/vault/blob/0ee8d99d9c7d5ce0e1a4638e26c05a716032b3c5/api/auth.go#L16-L18">vault.AuthMethod</a> based on the existing <code class="language-plaintext highlighter-rouge">auth.KubernetesAuth</code> implementation. And this is what we are going to do in this post.</p> <p>Will start off by creating a new Go module for our JWT Auth Method implementation.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir </span>vault-jwt-auth-method <span class="nb">cd </span>vault-jwt-auth-method go mod init vault-jwt-auth-method go get <span class="nt">-v</span> github.com/hashicorp/vault/api </code></pre></div></div> <p>Our JWT Auth Method implementation will reside in the <code class="language-plaintext highlighter-rouge">auth/jwt</code> package, similar to the way how the existing Auth Method implementations reside in the upstream Vault SDK repo.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> <span class="nt">-p</span> pkg/auth/jwt </code></pre></div></div> <p>Open up <code class="language-plaintext highlighter-rouge">pkg/auth/jwt/jwt.go</code> in your favorite <code class="language-plaintext highlighter-rouge">$EDITOR</code>. And this is what the JWT Auth Method implementation looks like.</p> <div class="language-go highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">package</span> <span class="n">jwt</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"errors"</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"strings"</span> <span class="n">vault</span> <span class="s">"github.com/hashicorp/vault/api"</span> <span class="p">)</span> <span class="c">// DefaultMountPath specifies the default mount path for the JWT</span> <span class="c">// Authentication Method.</span> <span class="k">const</span> <span class="n">DefaultMountPath</span> <span class="o">=</span> <span class="s">"jwt"</span> <span class="c">// ErrNoToken is an error, which is returned when [JWTAuth] is configured</span> <span class="c">// with an empty token.</span> <span class="k">var</span> <span class="n">ErrNoToken</span> <span class="o">=</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"no token specified"</span><span class="p">)</span> <span class="c">// ErrInvalidMountPath is an error, which is returned when configuring [JWTAuth]</span> <span class="c">// to use an invalid mount path for a Vault Authentication Method.</span> <span class="k">var</span> <span class="n">ErrInvalidMountPath</span> <span class="o">=</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"invalid auth method mount path specified"</span><span class="p">)</span> <span class="c">// JWTAuth implements support for the [JWT Authentication Method].</span> <span class="c">//</span> <span class="c">// [JWT Authentication Method]: https://developer.hashicorp.com/vault/docs/auth/jwt</span> <span class="k">type</span> <span class="n">JWTAuth</span> <span class="k">struct</span> <span class="p">{</span> <span class="c">// roleName specifies the name of the role to use.</span> <span class="n">roleName</span> <span class="kt">string</span> <span class="c">// mountPath specifies the mount path for the JWT Authentication Method.</span> <span class="n">mountPath</span> <span class="kt">string</span> <span class="c">// token specifies the JWT token which will be used for authenticating</span> <span class="c">// against the Vault Authentication Method endpoint.</span> <span class="n">token</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">var</span> <span class="n">_</span> <span class="n">vault</span><span class="o">.</span><span class="n">AuthMethod</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">JWTAuth</span><span class="p">{}</span> <span class="c">// Option is a function which configures [JWTAuth].</span> <span class="k">type</span> <span class="n">Option</span> <span class="k">func</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">JWTAuth</span><span class="p">)</span> <span class="kt">error</span> <span class="c">// New creates a new [JWTAuth] and configures it with the given options.</span> <span class="c">//</span> <span class="c">// The default mount path for the JWT Authentication Method is</span> <span class="c">// [DefaultMountPath]. In order to configure a different mount path for the</span> <span class="c">// Authentication Method you can use the [WithMountPath] option.</span> <span class="c">//</span> <span class="c">// The JWT token which will be used for authentication against the Vault</span> <span class="c">// Authentication Method login endpoint may be specified either as a string,</span> <span class="c">// from path, or via an environment variable. In order to configure the token</span> <span class="c">// for authentication use the [WithToken], [WithTokenFromPath] or</span> <span class="c">// [WithTokenFromEnv] options.</span> <span class="k">func</span> <span class="n">New</span><span class="p">(</span><span class="n">roleName</span> <span class="kt">string</span><span class="p">,</span> <span class="n">opts</span> <span class="o">...</span><span class="n">Option</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">JWTAuth</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">jwtAuth</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">JWTAuth</span><span class="p">{</span> <span class="n">roleName</span><span class="o">:</span> <span class="n">roleName</span><span class="p">,</span> <span class="n">mountPath</span><span class="o">:</span> <span class="n">DefaultMountPath</span><span class="p">,</span> <span class="p">}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">opt</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">opts</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">opt</span><span class="p">(</span><span class="n">jwtAuth</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="n">jwtAuth</span><span class="o">.</span><span class="n">token</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrNoToken</span> <span class="p">}</span> <span class="k">if</span> <span class="n">jwtAuth</span><span class="o">.</span><span class="n">mountPath</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrInvalidMountPath</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwtAuth</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Login implements the [vault.AuthMethod] interface.</span> <span class="k">func</span> <span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">JWTAuth</span><span class="p">)</span> <span class="n">Login</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">client</span> <span class="o">*</span><span class="n">vault</span><span class="o">.</span><span class="n">Client</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">vault</span><span class="o">.</span><span class="n">Secret</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"auth/%s/login"</span><span class="p">,</span> <span class="n">a</span><span class="o">.</span><span class="n">mountPath</span><span class="p">)</span> <span class="n">data</span> <span class="o">:=</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">any</span><span class="p">{</span> <span class="s">"jwt"</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">token</span><span class="p">,</span> <span class="s">"role"</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">roleName</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">client</span><span class="o">.</span><span class="n">Logical</span><span class="p">()</span><span class="o">.</span><span class="n">WriteWithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> <span class="p">}</span> <span class="c">// WithToken is an [Option], which configures [JWTAuth] to use the given token</span> <span class="c">// when authenticating against the Vault JWT Authentication Method.</span> <span class="k">func</span> <span class="n">WithToken</span><span class="p">(</span><span class="n">token</span> <span class="kt">string</span><span class="p">)</span> <span class="n">Option</span> <span class="p">{</span> <span class="n">opt</span> <span class="o">:=</span> <span class="k">func</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">JWTAuth</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">a</span><span class="o">.</span><span class="n">token</span> <span class="o">=</span> <span class="n">token</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">opt</span> <span class="p">}</span> <span class="c">// WithTokenFromPath is an [Option], which configures [JWTAuth] to read the</span> <span class="c">// token from the given path.</span> <span class="k">func</span> <span class="n">WithTokenFromPath</span><span class="p">(</span><span class="n">path</span> <span class="kt">string</span><span class="p">)</span> <span class="n">Option</span> <span class="p">{</span> <span class="n">opt</span> <span class="o">:=</span> <span class="k">func</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">JWTAuth</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">ReadFile</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">a</span><span class="o">.</span><span class="n">token</span> <span class="o">=</span> <span class="kt">string</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">opt</span> <span class="p">}</span> <span class="c">// WithTokenFromEnv is an [Option], which configures [JWTAuth] to read the token</span> <span class="c">// from the given environment variable.</span> <span class="k">func</span> <span class="n">WithTokenFromEnv</span><span class="p">(</span><span class="n">env</span> <span class="kt">string</span><span class="p">)</span> <span class="n">Option</span> <span class="p">{</span> <span class="n">opt</span> <span class="o">:=</span> <span class="k">func</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">JWTAuth</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">value</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="n">env</span><span class="p">)</span> <span class="n">a</span><span class="o">.</span><span class="n">token</span> <span class="o">=</span> <span class="n">value</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">opt</span> <span class="p">}</span> <span class="c">// WithMountPath is an [Option], which configures [JWTAuth] to use the given</span> <span class="c">// mount path for the Vault Authentication Method.</span> <span class="k">func</span> <span class="n">WithMountPath</span><span class="p">(</span><span class="n">mountPath</span> <span class="kt">string</span><span class="p">)</span> <span class="n">Option</span> <span class="p">{</span> <span class="n">opt</span> <span class="o">:=</span> <span class="k">func</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span><span class="n">JWTAuth</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Remove any trailing slashes from the given mount path</span> <span class="n">a</span><span class="o">.</span><span class="n">mountPath</span> <span class="o">=</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimRight</span><span class="p">(</span><span class="n">mountPath</span><span class="p">,</span> <span class="s">"/"</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">opt</span> <span class="p">}</span> </code></pre></div></div> <p>And here is a simple example of how we can use our JWT Auth Method in Go.</p> <div class="language-go highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"errors"</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="n">vault</span> <span class="s">"github.com/hashicorp/vault/api"</span> <span class="n">jwtauth</span> <span class="s">"vault-jwt-auth-method/pkg/auth/jwt"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">printErr</span><span class="p">(</span><span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">()</span> <span class="c">// Create a JWT Authentication Method using the token from the following</span> <span class="c">// role and token stored in the path</span> <span class="n">authMethod</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">jwtauth</span><span class="o">.</span><span class="n">New</span><span class="p">(</span> <span class="s">"my-role-name"</span><span class="p">,</span> <span class="n">jwtauth</span><span class="o">.</span><span class="n">WithTokenFromPath</span><span class="p">(</span><span class="s">"/path/to/my/token"</span><span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">printErr</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Create Vault client and authenticate using our JWT Authentication</span> <span class="c">// Method implementation</span> <span class="n">config</span> <span class="o">:=</span> <span class="n">vault</span><span class="o">.</span><span class="n">DefaultConfig</span><span class="p">()</span> <span class="n">client</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">vault</span><span class="o">.</span><span class="n">NewClient</span><span class="p">(</span><span class="n">config</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">printErr</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Login using our Auth Method</span> <span class="n">authSecret</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">Auth</span><span class="p">()</span><span class="o">.</span><span class="n">Login</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">authMethod</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">printErr</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">authSecret</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">printErr</span><span class="p">(</span><span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"no auth info returned after login"</span><span class="p">))</span> <span class="p">}</span> <span class="c">// Read a sample KV v2 secret</span> <span class="n">kvv2</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">KVv2</span><span class="p">(</span><span class="s">"kvv2"</span><span class="p">)</span> <span class="n">secret</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">kvv2</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"my/test/secret"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">printErr</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">secret</span><span class="o">.</span><span class="n">Data</span><span class="p">)</span> <span class="p">}</span> </code></pre></div></div> <p>Additional improvement to the example code above would be to renew the auth secret using a <a href="https://pkg.go.dev/github.com/hashicorp/vault/api#LifetimeWatcher">vault.LifetimeWatcher</a>, so that our API client is kept authenticated, especially if we are working on a service, which is supposed to be long-running.</p> <p>Btw, in case you have missed this one, just want to remind the readers that Hashicorp Vault got forked a couple of years ago as a response to Hashicorp relicensing their OSS projects.</p> <p>The new OSS friendly fork is now known as <a href="https://openbao.org/">OpenBao</a>. The code from this post has been adapted and <a href="https://github.com/openbao/openbao/pull/1526">submitted to OpenBao as a feature</a>.</p> Thu, 03 Jul 2025 00:00:00 +0000 https://dnaeon.github.io/vault-sdk-jwt-auth-method/ https://dnaeon.github.io/vault-sdk-jwt-auth-method/ Setting up a Kubernetes cluster with Vault and OIDC trust <p>In this post we will see how to create and configure a development Kubernetes cluster with Vault running in it and setup <a href="https://en.wikipedia.org/wiki/OpenID">OpenID Connect</a> trust between Vault and Kubernetes workloads.</p> <h2 id="create-the-kubernetes-cluster">Create the Kubernetes cluster</h2> <p>First, create a new Kubernetes cluster using <a href="https://minikube.sigs.k8s.io/docs/">minikube</a>.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">env </span><span class="nv">KUBECONFIG</span><span class="o">=</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>/kubeconfig minikube start <span class="nt">--profile</span> vault-k8s-dev </code></pre></div></div> <p>If you are using <a href="https://direnv.net/">direnv</a>, you can also create a local <code class="language-plaintext highlighter-rouge">.envrc</code> file to point to our cluster and kubeconfig when you enter the directory where your development cluster <code class="language-plaintext highlighter-rouge">kubeconfig</code> is stored.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">export </span><span class="nv">KUBECONFIG</span><span class="o">=</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>/kubeconfig minikube profile vault-k8s-dev </code></pre></div></div> <p>Enable and reload the config.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>direnv allow direnv reload </code></pre></div></div> <p>Once the cluster is up and running, verify that it runs with enabled <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery">Service account issuer discovery</a>.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl get <span class="nt">--raw</span> <span class="s1">'/.well-known/openid-configuration'</span> | jq </code></pre></div></div> <p>The command above will print output similar to the one below. The <code class="language-plaintext highlighter-rouge">/.well-known/openid-configuration</code> endpoint provides the <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Connect Provider Metadata</a>. It includes information about the issuer, where to find the public keys for verifying JWT tokens, the supported signing algorithms, etc.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"issuer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://kubernetes.default.svc.cluster.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jwks_uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://10.0.2.15:8443/openid/v1/jwks"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_types_supported"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"id_token"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"subject_types_supported"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"public"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"id_token_signing_alg_values_supported"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"RS256"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Alternatively, simply check the options, which are used to start the <code class="language-plaintext highlighter-rouge">kube-apiserver</code> static pod, e.g.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl <span class="nt">--namespace</span> kube-system describe pod kube-apiserver-vault-k8s-dev | <span class="nb">grep </span>service-account </code></pre></div></div> <p>Above command should print the following output.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">--service-account-issuer</span><span class="o">=</span>https://kubernetes.default.svc.cluster.local <span class="nt">--service-account-key-file</span><span class="o">=</span>/var/lib/minikube/certs/sa.pub <span class="nt">--service-account-signing-key-file</span><span class="o">=</span>/var/lib/minikube/certs/sa.key </code></pre></div></div> <p>We will also enable anonymous access to the API endpoints related to OpenID Connect, since these API endpoints don’t serve any sensitive data and should be public.</p> <p>In order to do that we will bind the <code class="language-plaintext highlighter-rouge">system:service-account-issuer-discovery</code> cluster role to the <code class="language-plaintext highlighter-rouge">system:anonymous</code> user. This is what the cluster role represents.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span> kubectl describe clusterrole system:service-account-issuer-discovery Name: system:service-account-issuer-discovery Labels: kubernetes.io/bootstrapping<span class="o">=</span>rbac-defaults Annotations: rbac.authorization.kubernetes.io/autoupdate: <span class="nb">true </span>PolicyRule: Resources Non-Resource URLs Resource Names Verbs <span class="nt">---------</span> <span class="nt">-----------------</span> <span class="nt">--------------</span> <span class="nt">-----</span> <span class="o">[</span>/.well-known/openid-configuration/] <span class="o">[]</span> <span class="o">[</span>get] <span class="o">[</span>/.well-known/openid-configuration] <span class="o">[]</span> <span class="o">[</span>get] <span class="o">[</span>/openid/v1/jwks/] <span class="o">[]</span> <span class="o">[</span>get] <span class="o">[</span>/openid/v1/jwks] <span class="o">[]</span> <span class="o">[</span>get] </code></pre></div></div> <p>Create the cluster role binding.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl create clusterrolebinding system:anonymous-service-account-issuer-discovery <span class="se">\</span> <span class="nt">--clusterrole</span> system:service-account-issuer-discovery <span class="se">\</span> <span class="nt">--user</span><span class="o">=</span>system:anonymous </code></pre></div></div> <p>Start a test pod in the cluster and verify that you can access the OpenID Discovery endpoint, e.g.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-X</span> GET https://kubernetes.default.svc.cluster.local/.well-known/openid-configuration </code></pre></div></div> <h2 id="deploy-vault-in-the-kubernetes-cluster">Deploy Vault in the Kubernetes Cluster</h2> <p>Next, we will create the Kubernetes resources, which describe our Vault configuration, service and statefulset. There are many different ways to get Vault installed in your Kubernetes, but in order to keep things simple and straight forward we will use these simple resources.</p> <p>This is the <code class="language-plaintext highlighter-rouge">ConfigMap</code> providing the Vault config.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">config.json</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"storage": {</span> <span class="s">"file": {</span> <span class="s">"path": "/vault/file"</span> <span class="s">}</span> <span class="s">},</span> <span class="s">"listener": [</span> <span class="s">{</span> <span class="s">"tcp": {</span> <span class="s">"address": "0.0.0.0:8200",</span> <span class="s">"tls_disable": true</span> <span class="s">}</span> <span class="s">}</span> <span class="s">],</span> <span class="s">"default_lease_ttl": "168h",</span> <span class="s">"max_lease_ttl": "720h",</span> <span class="s">"ui": true</span> <span class="s">}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="no">null</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-config</span> </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">Service</code> resource.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8200</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre></div></div> <p>And the <code class="language-plaintext highlighter-rouge">StatefulSet</code> resource.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">vault"</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/vault:1.20</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">server'</span><span class="pi">]</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">capabilities</span><span class="pi">:</span> <span class="na">add</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">IPC_LOCK"</span><span class="pi">]</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ui/sys/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8200</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ui/sys/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8200</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8200</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/vault/file</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/vault/config</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-config</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-config</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">ReadWriteOnce"</span> <span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> </code></pre></div></div> <p>Apply these resources and confirm that Vault is up and running.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span> kubectl get pods,services NAME READY STATUS RESTARTS AGE pod/vault-0 1/1 Running 0 24m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/kubernetes ClusterIP 10.96.0.1 &lt;none&gt; 443/TCP 64m service/vault ClusterIP 10.108.56.80 &lt;none&gt; 8200/TCP 48m </code></pre></div></div> <h2 id="initialize-and-unseal-vault">Initialize and unseal Vault</h2> <p>Once Vault is up and running we need to initialize it. In order to make things simpler when interfacing with Vault we will port-forward it’s port to our local system.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">export </span><span class="nv">VAULT_ADDR</span><span class="o">=</span>http://localhost:8200/ kubectl port-forward service/vault 8200:8200 </code></pre></div></div> <p>And now, we can initialize it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault operator init </code></pre></div></div> <p>Above command will print the unseal keys, e.g.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Unseal Key 1: 2K/... Unseal Key 2: xEKFbr... Unseal Key 3: VFiwfbI43... Unseal Key 4: 8Je/INW6lQOI... Unseal Key 5: /1AFwxmvgw7UnFa... Initial Root Token: hvs... Vault initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests. Vault does not store the generated root key. Without at least 3 keys to reconstruct the root key, Vault will remain permanently sealed! It is possible to generate new unseal keys, provided you have a quorum of existing unseal keys shares. See <span class="s2">"vault operator rekey"</span> <span class="k">for </span>more information. </code></pre></div></div> <p>Now, we can unseal the Vault. Repeat the command below at least 3 times in order to unseal it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault operator unseal </code></pre></div></div> <p>We will also mount the KV v2 secrets engine, which we’ll later use.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault secrets <span class="nb">enable</span> <span class="nt">--version</span><span class="o">=</span>2 <span class="nt">--path</span> kvv2 kv </code></pre></div></div> <p>List the enabled secret engines and we should see our <code class="language-plaintext highlighter-rouge">kvv2</code> mount.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span> vault secrets list Path Type Accessor Description <span class="nt">----</span> <span class="nt">----</span> <span class="nt">--------</span> <span class="nt">-----------</span> cubbyhole/ cubbyhole cubbyhole_f86afe98 per-token private secret storage identity/ identity identity_fa281c9c identity store kvv2/ kv kv_7e911817 n/a sys/ system system_f6068170 system endpoints used <span class="k">for </span>control, policy and debugging </code></pre></div></div> <h2 id="enable-jwtoidc-authentication-method-in-vault">Enable JWT/OIDC authentication method in Vault</h2> <p>Now, we can continue with enabling the <code class="language-plaintext highlighter-rouge">jwt</code> authentication method.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault auth <span class="nb">enable </span>jwt </code></pre></div></div> <p>List the enabled authentication methods.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span> vault auth list Path Type Accessor Description Version <span class="nt">----</span> <span class="nt">----</span> <span class="nt">--------</span> <span class="nt">-----------</span> <span class="nt">-------</span> jwt/ jwt auth_jwt_cbaae747 n/a n/a token/ token auth_token_468286d4 token based credentials n/a </code></pre></div></div> <p>Configure the authentication method for <code class="language-plaintext highlighter-rouge">jwt</code> by using the <code class="language-plaintext highlighter-rouge">/auth/&lt;auth-method&gt;/config</code> endpoint.</p> <p>You can check the additional parameters, which can be set in the <a href="https://developer.hashicorp.com/vault/api-docs/auth/jwt">JWT/OIDC auth method (API)</a> documentation.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault write auth/jwt/config <span class="se">\</span> <span class="nv">oidc_discovery_ca_pem</span><span class="o">=</span><span class="s2">"&lt;Kubernetes-API-Server-CA&gt;"</span> <span class="se">\</span> <span class="nv">oidc_client_id</span><span class="o">=</span><span class="s2">""</span> <span class="se">\</span> <span class="nv">oidc_client_secret</span><span class="o">=</span><span class="s2">""</span> <span class="se">\</span> <span class="nv">default_role</span><span class="o">=</span><span class="s2">"k8s-dev"</span> </code></pre></div></div> <blockquote> <p>The Kubernetes API Server CA bundle can also be obtained from the running <code class="language-plaintext highlighter-rouge">vault-0</code> pod and the location where the service account token is mounted, which is <code class="language-plaintext highlighter-rouge">/var/run/secrets/kubernetes.io/serviceaccount/ca.crt</code>. Since we are running our development Kubernetes cluster in <code class="language-plaintext highlighter-rouge">minikube</code> the CA bundle can also be found in <code class="language-plaintext highlighter-rouge">~/.minikube/ca.crt</code> on your local system.</p> </blockquote> <p>If your Kubernetes cluster uses a certificate signed an official Certificate Authority such as DigiCert, Let’s Encrypt, etc. then you don’t need to specify the <code class="language-plaintext highlighter-rouge">oidc_discovery_ca_pem</code> parameter, but since this is a development cluster it comes with self-signed certificate and it’s own CA, which is why we need to specify it here.</p> <p>The previous command can also be executed against the running pod container like this.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl <span class="nb">exec </span>vault-0 <span class="nt">--</span> vault write auth/jwt/config <span class="se">\</span> <span class="nv">oidc_discovery_ca_pem</span><span class="o">=</span>@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt <span class="se">\</span> <span class="nv">oidc_client_id</span><span class="o">=</span><span class="s2">""</span> <span class="se">\</span> <span class="nv">oidc_client_secret</span><span class="o">=</span><span class="s2">""</span> <span class="se">\</span> <span class="nv">default_role</span><span class="o">=</span><span class="s2">"k8s-dev"</span> </code></pre></div></div> <p>Verify that the authentication method has been correctly configured.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span> vault <span class="nb">read </span>auth/jwt/config Key Value <span class="nt">---</span> <span class="nt">-----</span> bound_issuer n/a default_role k8s-dev jwks_ca_pem n/a jwks_pairs <span class="o">[]</span> jwks_url n/a jwt_supported_algs <span class="o">[]</span> jwt_validation_pubkeys <span class="o">[]</span> namespace_in_state <span class="nb">true </span>oidc_client_id n/a oidc_discovery_ca_pem <span class="nt">-----BEGIN</span> CERTIFICATE-----... oidc_discovery_url https://kubernetes.default.svc.cluster.local oidc_response_mode n/a oidc_response_types <span class="o">[]</span> provider_config map[] unsupported_critical_cert_extensions <span class="o">[]</span> </code></pre></div></div> <p>Next thing we need to do is to create the <code class="language-plaintext highlighter-rouge">k8s-dev</code> role, which we’ve specified in the previous step. This role will be associated with the <code class="language-plaintext highlighter-rouge">k8s-dev-writer</code> policy, allowing Kubernetes workloads read/write access to Vault for a given path.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault write auth/jwt/role/k8s-dev <span class="se">\</span> <span class="nv">bound_subject</span><span class="o">=</span><span class="s2">"system:serviceaccount:default:vault-writer"</span> <span class="se">\</span> <span class="nv">bound_audiences</span><span class="o">=</span><span class="s2">"vault-dev"</span> <span class="se">\</span> <span class="nv">user_claim</span><span class="o">=</span><span class="s2">"sub"</span> <span class="se">\</span> <span class="nv">policies</span><span class="o">=</span>k8s-dev-writer <span class="se">\</span> <span class="nv">role_type</span><span class="o">=</span>jwt <span class="se">\</span> <span class="nv">ttl</span><span class="o">=</span>1h </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">bound_subject</code> parameter from the command above specifies a Kubernetes service account named <code class="language-plaintext highlighter-rouge">vault-writer</code> from the <code class="language-plaintext highlighter-rouge">default</code> namespace. Kubernetes workloads, which will access Vault should be running with this service account, and also the service account token should be issued with the <code class="language-plaintext highlighter-rouge">vault-dev</code> audience.</p> <p>Finally, we need to create the <code class="language-plaintext highlighter-rouge">k8s-dev-writer</code> policy, which will give our Kubernetes workloads read/write access to Vault. This is what our simple policy looks like.</p> <div class="language-hcl highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">path</span> <span class="s2">"kvv2/metadata/k8s-dev/*"</span> <span class="p">{</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"list"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">path</span> <span class="s2">"kvv2/data/k8s-dev/*"</span> <span class="p">{</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"create"</span><span class="p">,</span> <span class="s2">"update"</span><span class="p">,</span> <span class="s2">"patch"</span><span class="p">,</span> <span class="s2">"read"</span><span class="p">,</span> <span class="s2">"delete"</span><span class="p">]</span> <span class="p">}</span> </code></pre></div></div> <p>We can now apply this policy.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault policy write k8s-dev-writer /path/to/k8s-dev-writer-policy.hcl </code></pre></div></div> <p>Time to test things out. Let’s create the <code class="language-plaintext highlighter-rouge">vault-writer</code> Kubernetes service account.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl create sa vault-writer </code></pre></div></div> <p>We can now create a test token for our <code class="language-plaintext highlighter-rouge">vault-writer</code> service account and test accessing Vault using this token.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl create token vault-writer <span class="nt">--audience</span><span class="o">=</span>vault-dev </code></pre></div></div> <p>Save the token somewhere, because we will need it a bit later. This is what the payload of our JWT token looks like when decoded.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"vault-dev"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1751300275</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1751296675</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://kubernetes.default.svc.cluster.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"066083b5-1219-4c91-8338-728365776f22"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kubernetes.io"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"namespace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="p">,</span><span class="w"> </span><span class="nl">"serviceaccount"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vault-writer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bc5cffb5-65e6-4921-835c-a0a8cdaa69db"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"nbf"</span><span class="p">:</span><span class="w"> </span><span class="mi">1751296675</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:serviceaccount:default:vault-writer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>In order to access Vault using our Kubernetes service account token, first we need to get a Vault token. This step is similar to what <a href="https://datatracker.ietf.org/doc/html/rfc8693">OAuth 2.0 Token Exchange</a> does. We use our Kubernetes service account token in order to get a Vault token. And this is how we do it.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">vault</span><span class="w"> </span><span class="err">write</span><span class="w"> </span><span class="err">auth/jwt/login</span><span class="w"> </span><span class="err">role=k</span><span class="mi">8</span><span class="err">s-dev</span><span class="w"> </span><span class="err">jwt=</span><span class="s2">"&lt;k8s-sa-token&gt;"</span><span class="w"> </span></code></pre></div></div> <p>On successful authentication we should see a similar output.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">Key</span><span class="w"> </span><span class="err">Value</span><span class="w"> </span><span class="err">---</span><span class="w"> </span><span class="err">-----</span><span class="w"> </span><span class="err">token</span><span class="w"> </span><span class="err">hvs...</span><span class="w"> </span><span class="err">token_accessor</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">token_duration</span><span class="w"> </span><span class="mi">1</span><span class="err">h</span><span class="w"> </span><span class="err">token_renewable</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="err">token_policies</span><span class="w"> </span><span class="p">[</span><span class="s2">"default"</span><span class="w"> </span><span class="s2">"k8s-dev-writer"</span><span class="p">]</span><span class="w"> </span><span class="err">identity_policies</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span><span class="err">policies</span><span class="w"> </span><span class="p">[</span><span class="s2">"default"</span><span class="w"> </span><span class="s2">"k8s-dev-writer"</span><span class="p">]</span><span class="w"> </span><span class="err">token_meta_role</span><span class="w"> </span><span class="err">k</span><span class="mi">8</span><span class="err">s-dev</span><span class="w"> </span></code></pre></div></div> <p>And now we can use the <code class="language-plaintext highlighter-rouge">token</code> from the output above in order to access Vault and write a sample secret.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">export</span><span class="w"> </span><span class="err">VAULT_TOKEN=</span><span class="s2">"&lt;vault-token-goes-here&gt;"</span><span class="w"> </span><span class="err">vault</span><span class="w"> </span><span class="err">kv</span><span class="w"> </span><span class="err">put</span><span class="w"> </span><span class="err">kvv</span><span class="mi">2</span><span class="err">/k</span><span class="mi">8</span><span class="err">s-dev/foo</span><span class="w"> </span><span class="err">bar=baz</span><span class="w"> </span></code></pre></div></div> <p>Read back the secret we’ve just created.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">&gt;</span><span class="w"> </span><span class="err">vault</span><span class="w"> </span><span class="err">kv</span><span class="w"> </span><span class="err">get</span><span class="w"> </span><span class="err">kvv</span><span class="mi">2</span><span class="err">/k</span><span class="mi">8</span><span class="err">s-dev/foo</span><span class="w"> </span><span class="err">====</span><span class="w"> </span><span class="err">Secret</span><span class="w"> </span><span class="err">Path</span><span class="w"> </span><span class="err">====</span><span class="w"> </span><span class="err">kvv</span><span class="mi">2</span><span class="err">/data/k</span><span class="mi">8</span><span class="err">s-dev/foo</span><span class="w"> </span><span class="err">=======</span><span class="w"> </span><span class="err">Metadata</span><span class="w"> </span><span class="err">=======</span><span class="w"> </span><span class="err">Key</span><span class="w"> </span><span class="err">Value</span><span class="w"> </span><span class="err">---</span><span class="w"> </span><span class="err">-----</span><span class="w"> </span><span class="err">created_time</span><span class="w"> </span><span class="mi">2025-06-30</span><span class="err">T</span><span class="mi">15</span><span class="err">:</span><span class="mi">42</span><span class="err">:</span><span class="mf">46.718550078</span><span class="err">Z</span><span class="w"> </span><span class="err">custom_metadata</span><span class="w"> </span><span class="err">&lt;nil&gt;</span><span class="w"> </span><span class="err">deletion_time</span><span class="w"> </span><span class="err">n/a</span><span class="w"> </span><span class="err">destroyed</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="err">version</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="err">===</span><span class="w"> </span><span class="err">Data</span><span class="w"> </span><span class="err">===</span><span class="w"> </span><span class="err">Key</span><span class="w"> </span><span class="err">Value</span><span class="w"> </span><span class="err">---</span><span class="w"> </span><span class="err">-----</span><span class="w"> </span><span class="err">bar</span><span class="w"> </span><span class="err">baz</span><span class="w"> </span></code></pre></div></div> <p>Since our policy allows read/write access to the <code class="language-plaintext highlighter-rouge">kvv2/data/k8s-dev/*</code> path only we should not be able to read or write anything else, so let’s try that out.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">&gt;</span><span class="w"> </span><span class="err">vault</span><span class="w"> </span><span class="err">kv</span><span class="w"> </span><span class="err">put</span><span class="w"> </span><span class="err">kvv</span><span class="mi">2</span><span class="err">/some-secret</span><span class="w"> </span><span class="err">bar=baz</span><span class="w"> </span><span class="err">Error</span><span class="w"> </span><span class="err">writing</span><span class="w"> </span><span class="err">data</span><span class="w"> </span><span class="err">to</span><span class="w"> </span><span class="err">kvv</span><span class="mi">2</span><span class="err">/data/some-secret:</span><span class="w"> </span><span class="err">Error</span><span class="w"> </span><span class="err">making</span><span class="w"> </span><span class="err">API</span><span class="w"> </span><span class="err">request.</span><span class="w"> </span><span class="err">URL:</span><span class="w"> </span><span class="err">PUT</span><span class="w"> </span><span class="err">http://localhost:</span><span class="mi">8200</span><span class="err">/v</span><span class="mi">1</span><span class="err">/kvv</span><span class="mi">2</span><span class="err">/data/some-secret</span><span class="w"> </span><span class="err">Code:</span><span class="w"> </span><span class="mi">403</span><span class="err">.</span><span class="w"> </span><span class="err">Errors:</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="err">error</span><span class="w"> </span><span class="err">occurred:</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="err">permission</span><span class="w"> </span><span class="err">denied</span><span class="w"> </span></code></pre></div></div> <p>Looks good. Finally, we can create a test pod which uses our <code class="language-plaintext highlighter-rouge">vault-writer</code> service account and access Vault from it. The following example Kubernetes manifest can be used to start a test pod using the <code class="language-plaintext highlighter-rouge">vault-writer</code> service account.</p> <p>This example uses <a href="https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken">Service Account Token projection</a> in order to inject a token into the running pod, using an <code class="language-plaintext highlighter-rouge">audience</code>, which Vault expects our clients to have as part of their JWT claims.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="no">null</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">vault-client</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-client</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sleep</span> <span class="pi">-</span> <span class="s">infinity</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">VAULT_ADDR</span> <span class="na">value</span><span class="pi">:</span> <span class="s">http://vault:8200/</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hashicorp/vault:1.20</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-client</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">token-vol</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/service-account</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="no">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">token-vol</span> <span class="na">projected</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">serviceAccountToken</span><span class="pi">:</span> <span class="na">audience</span><span class="pi">:</span> <span class="s">vault-dev</span> <span class="na">expirationSeconds</span><span class="pi">:</span> <span class="m">3600</span> <span class="na">path</span><span class="pi">:</span> <span class="s">token</span> <span class="na">dnsPolicy</span><span class="pi">:</span> <span class="s">ClusterFirst</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">vault-writer</span> </code></pre></div></div> <p>Create the test pod and log into it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl apply <span class="nt">-f</span> /path/to/vault-client.yaml kubectl <span class="nb">exec</span> <span class="nt">-it</span> vault-client <span class="nt">--</span> /bin/sh </code></pre></div></div> <p>Once you get a shell in the running pod, simply exchange the Kubernetes service account token for Vault token, similar to the way it was done in the previous examples.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vault write auth/jwt/login <span class="nv">role</span><span class="o">=</span>k8s-dev <span class="nv">jwt</span><span class="o">=</span>@/service-account/token </code></pre></div></div> <h1 id="references">References</h1> <p>Make sure to check the following documents for additional information on the topic.</p> <ul> <li><a href="https://developer.hashicorp.com/vault/docs/get-started/developer-qs">Vault: Developer quick start guide</a></li> <li><a href="https://developer.hashicorp.com/vault/docs/auth/jwt">Vault: Use JWT/OIDC authentication</a></li> <li><a href="https://developer.hashicorp.com/vault/api-docs/auth/jwt">Vault: JWT/OIDC auth method (API)</a></li> <li><a href="https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers">Vault: OIDC provider list</a></li> <li><a href="https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth">Vault: Secure workflows with OIDC authentication</a></li> <li><a href="https://developer.hashicorp.com/vault/tutorials/get-started/introduction-policies">Vault: Introduction to policies</a></li> <li><a href="https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/kubernetes">Vault: Use Kubernetes for OIDC authentication</a></li> </ul> Tue, 01 Jul 2025 00:00:00 +0000 https://dnaeon.github.io/kubernetes-vault-oidc/ https://dnaeon.github.io/kubernetes-vault-oidc/ Making Emacs and consult-imenu better with tree-sitter <p>Not long ago I have switched from <a href="https://github.com/emacs-lsp/lsp-mode">lsp-mode</a> to <a href="https://github.com/joaotavora/eglot">eglot</a> and <a href="https://www.masteringemacs.org/article/how-to-get-started-tree-sitter">tree-sitter</a>.</p> <p>Approximately at the same time I’ve also moved from <a href="https://github.com/emacs-helm/helm">helm</a> to <a href="https://github.com/minad/vertico">vertico</a> and the complementary packages for it such as <a href="https://github.com/minad/marginalia">marginalia</a>, <a href="https://github.com/minad/consult">consult</a> and <a href="https://github.com/oantolin/orderless">orderless</a>.</p> <p>So far I’ve been pretty happy with the transition. <code class="language-plaintext highlighter-rouge">eglot</code> and <code class="language-plaintext highlighter-rouge">vertico</code> feel snappy and more responsive than <code class="language-plaintext highlighter-rouge">lsp-mode</code> and <code class="language-plaintext highlighter-rouge">helm</code>. And <code class="language-plaintext highlighter-rouge">marginalia</code> is great as well, because it provides nice annotations next to your completion candidates.</p> <p>Also, <code class="language-plaintext highlighter-rouge">eglot</code> is part of Emacs for quite some time already, and <code class="language-plaintext highlighter-rouge">vertico</code> (and it’s complementary packages) build on top of the standard Emacs APIs such as <code class="language-plaintext highlighter-rouge">completing-read</code>, which is another good reason to stick with them.</p> <p><a href="https://github.com/minad/consult">consult</a> provides search and navigation commands, and also comes with support for (amongst other things) <a href="https://www.gnu.org/software/emacs/manual/html_node/elisp/Imenu.html">imenu</a> via <code class="language-plaintext highlighter-rouge">M-x consult-imenu</code>.</p> <p><code class="language-plaintext highlighter-rouge">consult</code> and <code class="language-plaintext highlighter-rouge">marginalia</code> pair nicely together. Here’s an example of <code class="language-plaintext highlighter-rouge">M-x consult-imenu</code> displaying the symbols for an Elisp buffer, which look great. The extra annotations next to each completion candidate are provided by <code class="language-plaintext highlighter-rouge">marginalia</code> itself.</p> <p><a href="/images/consult-imenu-elisp.png" class="glightbox"><img src="/images/consult-imenu-elisp.png" alt="" /></a></p> <p>You get a nice menu with entries grouped by <code class="language-plaintext highlighter-rouge">Types</code>, <code class="language-plaintext highlighter-rouge">Functions</code>, <code class="language-plaintext highlighter-rouge">Variables</code>, etc. You can also narrow down the search for entries of specific kind, e.g. when you want to browse the <code class="language-plaintext highlighter-rouge">functions</code> only, simply type <code class="language-plaintext highlighter-rouge">f SPC</code> in the <code class="language-plaintext highlighter-rouge">consult-imenu</code> prompt and it will give you the function definitions only.</p> <p>At <code class="language-plaintext highlighter-rouge">$WORK</code> I’m primary working on Go code these days, and one thing I’ve noticed when using <code class="language-plaintext highlighter-rouge">M-x consult-imenu</code> is that the results are less impressive when compared to the Elisp code.</p> <p><a href="/images/consult-imenu-eglot-imenu.png" class="glightbox"><img src="/images/consult-imenu-eglot-imenu.png" alt="" /></a></p> <p>As you can see the results are nowhere near to what <code class="language-plaintext highlighter-rouge">M-x consult-imenu</code> (enriched by <code class="language-plaintext highlighter-rouge">marginalia</code>) displays for Elisp code.</p> <p>In this post we will see how to make <code class="language-plaintext highlighter-rouge">M-x consult-imenu</code> look better when working with Go code (or any other language with <code class="language-plaintext highlighter-rouge">tree-sitter</code> support).</p> <p>After some time spent on reading documentation and manuals I was not able to fix it myself, so I made a <a href="https://www.reddit.com/r/emacs/comments/1ld119l/imenu_with_gomode/">post at r/emacs</a> asking whether someone else was having the same issues as I do. In the meantime I kept digging.</p> <p>So, what turned out to be the issue for me, is that <code class="language-plaintext highlighter-rouge">eglot</code> provides it’s own <a href="https://www.gnu.org/software/emacs/manual/html_node/elisp/Imenu.html#index-imenu_002dcreate_002dindex_002dfunction">imenu-create-index-function</a> called <code class="language-plaintext highlighter-rouge">eglot-imenu</code>, which actually wraps <code class="language-plaintext highlighter-rouge">treesit-simple-imenu</code>, and <code class="language-plaintext highlighter-rouge">treesit-simple-imenu</code> is tree-sitter’s approach to building the <code class="language-plaintext highlighter-rouge">imenu</code> index.</p> <p>Here’s what the value of <code class="language-plaintext highlighter-rouge">imenu-create-index-function</code> looks like, when set by <code class="language-plaintext highlighter-rouge">eglot</code>.</p> <p>Use <code class="language-plaintext highlighter-rouge">C-h v imenu-create-index-function</code> (or <code class="language-plaintext highlighter-rouge">M-x describe-variable imenu-create-index-function</code>).</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">imenu-create-index-function</span> <span class="nv">is</span> <span class="nv">a</span> <span class="nv">variable</span> <span class="nv">defined</span> <span class="nv">in</span> <span class="err">‘</span><span class="nv">imenu.el</span><span class="err">’</span><span class="o">.</span> <span class="nv">Its</span> <span class="nv">value</span> <span class="nv">is</span> <span class="err">#</span><span class="nv">f</span><span class="p">(</span><span class="nv">advice</span> <span class="nv">eglot-imenu</span> <span class="ss">:before-until</span> <span class="nv">treesit-simple-imenu</span><span class="p">)</span> <span class="nv">Local</span> <span class="nv">in</span> <span class="nv">buffer</span> <span class="nv">main.go</span><span class="c1">; global value is</span> <span class="nv">imenu-default-create-index-function</span> <span class="nv">The</span> <span class="k">function</span> <span class="nv">to</span> <span class="nv">use</span> <span class="nv">for</span> <span class="nv">creating</span> <span class="nv">an</span> <span class="nv">index</span> <span class="nv">alist</span> <span class="nv">of</span> <span class="k">the</span> <span class="nv">current</span> <span class="nv">buffer.</span> <span class="nv">It</span> <span class="nv">should</span> <span class="nv">be</span> <span class="nv">a</span> <span class="k">function</span> <span class="nv">that</span> <span class="nv">takes</span> <span class="nv">no</span> <span class="nv">arguments</span> <span class="nb">and</span> <span class="nv">returns</span> <span class="nv">an</span> <span class="nv">index</span> <span class="nv">alist</span> <span class="nv">of</span> <span class="k">the</span> <span class="nv">current</span> <span class="nv">buffer.</span> <span class="nv">The</span> <span class="k">function</span> <span class="nv">is</span> <span class="nv">called</span> <span class="nv">within</span> <span class="nv">a</span> <span class="err">‘</span><span class="nv">save-excursion</span><span class="err">’</span><span class="o">.</span> <span class="nv">See</span> <span class="err">‘</span><span class="nv">imenu--index-alist</span><span class="err">’</span> <span class="nv">for</span> <span class="k">the</span> <span class="nb">format</span> <span class="nv">of</span> <span class="k">the</span> <span class="nv">buffer</span> <span class="nv">index</span> <span class="nv">alist.</span> <span class="nv">Automatically</span> <span class="nv">becomes</span> <span class="nv">buffer-local</span> <span class="nb">when</span> <span class="nv">set.</span> <span class="nv">This</span> <span class="nv">variable</span> <span class="nv">may</span> <span class="nv">be</span> <span class="nv">risky</span> <span class="k">if</span> <span class="nv">used</span> <span class="nv">as</span> <span class="nv">a</span> <span class="nv">file-local</span> <span class="nv">variable.</span> </code></pre></div></div> <p>My current tree-sitter configuration looks like this. Make sure to check <a href="https://www.masteringemacs.org/article/how-to-get-started-tree-sitter">How to Get Started with Tree-Sitter</a> if you are just starting out with tree-sitter.</p> <p>After configuring tree-sitter you should also install the language grammars using <code class="language-plaintext highlighter-rouge">M-x treesit-install-language-grammar</code>.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">;; tree-sitter settings</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">treesit</span> <span class="ss">:config</span> <span class="c1">;; Language grammars and sources</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">treesit-language-source-alist</span> <span class="o">'</span><span class="p">((</span><span class="nv">bash</span> <span class="s">"https://github.com/tree-sitter/tree-sitter-bash"</span><span class="p">)</span> <span class="p">(</span><span class="nv">c</span> <span class="s">"https://github.com/tree-sitter/tree-sitter-c"</span><span class="p">)</span> <span class="p">(</span><span class="k">go</span> <span class="s">"https://github.com/tree-sitter/tree-sitter-go"</span><span class="p">)</span> <span class="p">(</span><span class="nv">go-mod</span> <span class="s">"https://github.com/camdencheek/tree-sitter-go-mod"</span><span class="p">)</span> <span class="p">(</span><span class="nv">json</span> <span class="s">"https://github.com/tree-sitter/tree-sitter-json"</span><span class="p">)</span> <span class="p">(</span><span class="nv">python</span> <span class="s">"https://github.com/tree-sitter/tree-sitter-python"</span><span class="p">)))</span> <span class="c1">;; Remap major modes to treesitter modes</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">major-mode-remap-alist</span> <span class="o">'</span><span class="p">((</span><span class="nv">go-mode</span> <span class="o">.</span> <span class="nv">go-ts-mode</span><span class="p">)</span> <span class="p">(</span><span class="nv">python-mode</span> <span class="o">.</span> <span class="nv">python-ts-mode</span><span class="p">)</span> <span class="p">(</span><span class="nv">js-json-mode</span> <span class="o">.</span> <span class="nv">json-ts-mode</span><span class="p">)</span> <span class="p">(</span><span class="nv">json-mode</span> <span class="o">.</span> <span class="nv">json-ts-mode</span><span class="p">)</span> <span class="p">(</span><span class="nv">sh-mode</span> <span class="o">.</span> <span class="nv">bash-ts-mode</span><span class="p">))))</span> </code></pre></div></div> <p>In order to make <code class="language-plaintext highlighter-rouge">eglot</code> stop messing with <code class="language-plaintext highlighter-rouge">imenu</code> we need to tell it so. My current (simplified) <code class="language-plaintext highlighter-rouge">eglot</code> config looks like this.</p> <p>Note that we are configuring <code class="language-plaintext highlighter-rouge">eglot-stay-out-of</code> in the <code class="language-plaintext highlighter-rouge">:config</code> section, so that <code class="language-plaintext highlighter-rouge">eglot</code> doesn’t interfere with <code class="language-plaintext highlighter-rouge">imenu</code> index generation.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">;; eglot settings</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">eglot-format-buffer-before-save</span> <span class="p">()</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'before-save-hook</span> <span class="nf">#'</span><span class="nv">eglot-format-buffer</span> <span class="mi">-10</span> <span class="no">t</span><span class="p">))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">eglot-organize-imports-before-save</span> <span class="p">()</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'before-save-hook</span> <span class="p">(</span><span class="k">lambda</span> <span class="p">()</span> <span class="p">(</span><span class="nv">call-interactively</span> <span class="nf">#'</span><span class="nv">eglot-code-action-organize-imports</span><span class="p">))</span> <span class="no">nil</span> <span class="no">t</span><span class="p">))</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">eglot</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:init</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'company</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'yasnippet</span><span class="p">)</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'go-mode</span><span class="p">)</span> <span class="ss">:config</span> <span class="c1">;; We want to use treesit-simple-imenu for imenu index creation</span> <span class="p">(</span><span class="nv">add-to-list</span> <span class="ss">'eglot-stay-out-of</span> <span class="ss">'imenu</span><span class="p">)</span> <span class="c1">;; Shutdown LSP server when last project buffer is closed as well</span> <span class="p">(</span><span class="k">setq</span> <span class="nv">eglot-autoshutdown</span> <span class="no">t</span><span class="p">)</span> <span class="c1">;; Enable eglot for the following modes</span> <span class="p">(</span><span class="nb">dolist</span> <span class="p">(</span><span class="nv">mode</span> <span class="o">'</span><span class="p">(</span><span class="nv">go-mode-hook</span> <span class="nv">go-ts-mode-hook</span><span class="p">))</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="nv">mode</span> <span class="ss">'eglot-ensure</span><span class="p">))</span> <span class="c1">;; Buffer-local hooks which install before-save hooks</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'go-ts-mode-hook</span> <span class="nf">#'</span><span class="nv">eglot-format-buffer-before-save</span><span class="p">)</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'go-ts-mode-hook</span> <span class="nf">#'</span><span class="nv">eglot-organize-imports-before-save</span><span class="p">))</span> <span class="c1">;; eglot-booster requires that `emacs-lsp-booster' is installed [1]</span> <span class="c1">;; [1]: https://github.com/blahgeek/emacs-lsp-booster</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">eglot-booster</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:after</span> <span class="p">(</span><span class="nv">eglot</span><span class="p">)</span> <span class="ss">:config</span> <span class="p">(</span><span class="nv">eglot-booster-mode</span> <span class="mi">1</span><span class="p">))</span> </code></pre></div></div> <p>And my (simplified) settings for <code class="language-plaintext highlighter-rouge">go-ts-mode</code> look like this.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">;; Go specific settings</span> <span class="c1">;; Help out the builtin project find the Go module path</span> <span class="p">(</span><span class="nb">require</span> <span class="ss">'project</span><span class="p">)</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">project-find-go-module</span> <span class="p">(</span><span class="nv">dir</span><span class="p">)</span> <span class="p">(</span><span class="nv">when-let</span> <span class="p">((</span><span class="nv">root</span> <span class="p">(</span><span class="nv">locate-dominating-file</span> <span class="nv">dir</span> <span class="s">"go.mod"</span><span class="p">)))</span> <span class="p">(</span><span class="nb">cons</span> <span class="ss">'go-module</span> <span class="nv">root</span><span class="p">)))</span> <span class="p">(</span><span class="nv">cl-defmethod</span> <span class="nv">project-root</span> <span class="p">((</span><span class="nv">project</span> <span class="p">(</span><span class="nv">head</span> <span class="nv">go-module</span><span class="p">)))</span> <span class="p">(</span><span class="nb">cdr</span> <span class="nv">project</span><span class="p">))</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'project-find-functions</span> <span class="nf">#'</span><span class="nv">project-find-go-module</span><span class="p">)</span> <span class="p">(</span><span class="nb">use-package</span> <span class="nv">go-ts-mode</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:config</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'go-ts-mode-hook</span> <span class="nf">#'</span><span class="nv">company-mode</span><span class="p">))</span> </code></pre></div></div> <p>Instead of using <code class="language-plaintext highlighter-rouge">eglot-imenu</code> we will configure a hook for our <code class="language-plaintext highlighter-rouge">go-ts-mode</code> which sets <code class="language-plaintext highlighter-rouge">imenu-index-create-function</code> to <code class="language-plaintext highlighter-rouge">treesit-simple-imenu</code>.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'go-ts-mode</span> <span class="p">(</span><span class="k">lambda</span> <span class="p">()</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">imenu-index-create-function</span> <span class="nf">#'</span><span class="nv">treesit-simple-imenu</span><span class="p">)))</span> </code></pre></div></div> <p>Later we will move this hook to the <code class="language-plaintext highlighter-rouge">use-package</code> definition for <code class="language-plaintext highlighter-rouge">go-ts-mode</code>.</p> <p>Next, we need to tell <code class="language-plaintext highlighter-rouge">treesit-simple-imenu</code> how to generate the imenu index. <code class="language-plaintext highlighter-rouge">treesit-simple-imenu</code> relies on <code class="language-plaintext highlighter-rouge">treesit-simple-imenu-settings</code> variable when generating the imenu index.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">treesit-simple-imenu-settings</span> <span class="nv">is</span> <span class="nv">a</span> <span class="nv">variable</span> <span class="nv">defined</span> <span class="nv">in</span> <span class="err">‘</span><span class="nv">treesit.el</span><span class="err">’</span><span class="o">.</span> <span class="nv">Its</span> <span class="nv">value</span> <span class="nv">is</span> <span class="no">nil</span> <span class="nv">Settings</span> <span class="nv">that</span> <span class="nv">configure</span> <span class="err">‘</span><span class="nv">treesit-simple-imenu</span><span class="err">’</span><span class="o">.</span> <span class="nv">It</span> <span class="nv">should</span> <span class="nv">be</span> <span class="nv">a</span> <span class="nb">list</span> <span class="nv">of</span> <span class="p">(</span><span class="nv">CATEGORY</span> <span class="nv">REGEXP</span> <span class="nv">PRED</span> <span class="nv">NAME-FN</span><span class="p">)</span><span class="o">.</span> <span class="nv">CATEGORY</span> <span class="nv">is</span> <span class="k">the</span> <span class="nv">name</span> <span class="nv">of</span> <span class="nv">a</span> <span class="nv">category,</span> <span class="nv">like</span> <span class="s">"Function"</span><span class="o">,</span> <span class="s">"Class"</span><span class="o">,</span> <span class="nv">etc.</span> <span class="nv">REGEXP</span> <span class="nv">should</span> <span class="nv">be</span> <span class="nv">a</span> <span class="nv">regexp</span> <span class="nv">matching</span> <span class="k">the</span> <span class="k">type</span> <span class="nv">of</span> <span class="nv">nodes</span> <span class="nv">that</span> <span class="nv">belong</span> <span class="nv">to</span> <span class="nv">CATEGORY.</span> <span class="nv">PRED</span> <span class="nv">should</span> <span class="nv">be</span> <span class="nv">either</span> <span class="no">nil</span> <span class="nb">or</span> <span class="nv">a</span> <span class="k">function</span> <span class="nv">that</span> <span class="nv">takes</span> <span class="nv">a</span> <span class="nv">node</span> <span class="nv">an</span> <span class="k">the</span> <span class="nv">argument.</span> <span class="nv">It</span> <span class="nv">should</span> <span class="nb">return</span> <span class="nv">non-nil</span> <span class="k">if</span> <span class="k">the</span> <span class="nv">node</span> <span class="nv">is</span> <span class="nv">a</span> <span class="nv">valid</span> <span class="nv">node</span> <span class="nv">for</span> <span class="nv">CATEGORY,</span> <span class="nb">or</span> <span class="no">nil</span> <span class="k">if</span> <span class="nv">not.</span> <span class="nv">CATEGORY</span> <span class="nv">could</span> <span class="nv">also</span> <span class="nv">be</span> <span class="nv">nil.</span> <span class="nv">In</span> <span class="nv">that</span> <span class="nb">case</span> <span class="k">the</span> <span class="nv">entries</span> <span class="nv">matched</span> <span class="nv">by</span> <span class="nv">REGEXP</span> <span class="nb">and</span> <span class="nv">PRED</span> <span class="nv">are</span> <span class="nb">not</span> <span class="nv">grouped</span> <span class="nv">under</span> <span class="nv">CATEGORY.</span> <span class="nv">NAME-FN</span> <span class="nv">should</span> <span class="nv">be</span> <span class="nv">either</span> <span class="no">nil</span> <span class="nb">or</span> <span class="nv">a</span> <span class="k">function</span> <span class="nv">that</span> <span class="nv">takes</span> <span class="nv">a</span> <span class="nb">defun</span> <span class="nv">node</span> <span class="nb">and</span> <span class="nv">returns</span> <span class="k">the</span> <span class="nv">name</span> <span class="nv">of</span> <span class="nv">that</span> <span class="nb">defun</span> <span class="nv">node.</span> <span class="nv">If</span> <span class="nv">NAME-FN</span> <span class="nv">is</span> <span class="no">nil</span><span class="o">,</span> <span class="err">‘</span><span class="nv">treesit-defun-name</span><span class="err">’</span> <span class="nv">is</span> <span class="nv">used.</span> <span class="err">‘</span><span class="nv">treesit-major-mode-setup</span><span class="err">’</span> <span class="nv">automatically</span> <span class="nv">sets</span> <span class="nv">up</span> <span class="nv">Imenu</span> <span class="k">if</span> <span class="nv">this</span> <span class="nv">variable</span> <span class="nv">is</span> <span class="nv">non-nil.</span> <span class="nv">Probably</span> <span class="nv">introduced</span> <span class="nv">at</span> <span class="nb">or</span> <span class="nv">before</span> <span class="nv">Emacs</span> <span class="nv">version</span> <span class="nv">30.1.</span> </code></pre></div></div> <p>By default the <code class="language-plaintext highlighter-rouge">go-ts-mode.el</code> defines <code class="language-plaintext highlighter-rouge">treesit-simple-imenu-settings</code> like this.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">;; Imenu.</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">treesit-simple-imenu-settings</span> <span class="o">`</span><span class="p">((</span><span class="s">"Function"</span> <span class="s">"\\`function_declaration\\'"</span> <span class="no">nil</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Method"</span> <span class="s">"\\`method_declaration\\'"</span> <span class="no">nil</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Struct"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--struct-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Interface"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--interface-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Type"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--other-type-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Alias"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--alias-node-p</span> <span class="no">nil</span><span class="p">)))</span> </code></pre></div></div> <p>The docstring of <code class="language-plaintext highlighter-rouge">treesit-simple-imenu-settings</code> shown above shows the structure of the list. The second item in the each list as mentioned there is a regexp which matches the type of the tree-sitter node.</p> <p>When making any changes to <code class="language-plaintext highlighter-rouge">treesit-simple-imenu-settings</code> it is best that you review the AST tree as you go by using <code class="language-plaintext highlighter-rouge">M-x treesit-explore-mode</code>.</p> <p>This is what the AST looks like for our sample Go program.</p> <p><a href="/images/treesit-explore-mode.png" class="glightbox"><img src="/images/treesit-explore-mode.png" alt="" /></a></p> <p>So, after spending some time configuring <code class="language-plaintext highlighter-rouge">treesit-simple-imenu-settings</code> with the help of <code class="language-plaintext highlighter-rouge">M-x treesit-explore-mode</code> here’s what my current config looks like.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">;; Treesitter helpers to extract node names for various symbols such as consts,</span> <span class="c1">;; vars, imports, etc.</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">my/go-ts-var-is-global-p</span> <span class="p">(</span><span class="nv">node</span><span class="p">)</span> <span class="s">"Predicate which tests whether a `var_spec' node belongs to the global scope"</span> <span class="c1">;; The parent node for `var_spec' which is `var_declaration' belongs to the</span> <span class="c1">;; global scope, if the `var_declaration' node belongs to a parent node of</span> <span class="c1">;; type `source_file'.</span> <span class="p">(</span><span class="k">let*</span> <span class="p">((</span><span class="nv">var-declaration</span> <span class="p">(</span><span class="nv">treesit-parent-until</span> <span class="nv">node</span> <span class="p">(</span><span class="k">lambda</span> <span class="p">(</span><span class="nv">item</span><span class="p">)</span> <span class="p">(</span><span class="nb">string-equal</span> <span class="p">(</span><span class="nv">treesit-node-type</span> <span class="nv">item</span><span class="p">)</span> <span class="s">"var_declaration"</span><span class="p">))</span> <span class="no">t</span><span class="p">))</span> <span class="p">(</span><span class="nv">var-declaration-parent</span> <span class="p">(</span><span class="nv">treesit-node-parent</span> <span class="nv">var-declaration</span><span class="p">)))</span> <span class="p">(</span><span class="nb">string-equal</span> <span class="p">(</span><span class="nv">treesit-node-type</span> <span class="nv">var-declaration-parent</span><span class="p">)</span> <span class="s">"source_file"</span><span class="p">)))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">my/go-ts-const-is-global-p</span> <span class="p">(</span><span class="nv">node</span><span class="p">)</span> <span class="s">"Predicate which tests whether a `const_spec' node belongs to the global scope"</span> <span class="c1">;; The parent node for `const_spec' which is `const_declaration' belongs to the</span> <span class="c1">;; global scope, if the `const_declaration' node belongs to a parent node of</span> <span class="c1">;; type `source_file'.</span> <span class="p">(</span><span class="k">let*</span> <span class="p">((</span><span class="nv">const-declaration</span> <span class="p">(</span><span class="nv">treesit-parent-until</span> <span class="nv">node</span> <span class="p">(</span><span class="k">lambda</span> <span class="p">(</span><span class="nv">item</span><span class="p">)</span> <span class="p">(</span><span class="nb">string-equal</span> <span class="p">(</span><span class="nv">treesit-node-type</span> <span class="nv">item</span><span class="p">)</span> <span class="s">"const_declaration"</span><span class="p">))</span> <span class="no">t</span><span class="p">))</span> <span class="p">(</span><span class="nv">const-declaration-parent</span> <span class="p">(</span><span class="nv">treesit-node-parent</span> <span class="nv">const-declaration</span><span class="p">)))</span> <span class="p">(</span><span class="nb">string-equal</span> <span class="p">(</span><span class="nv">treesit-node-type</span> <span class="nv">const-declaration-parent</span><span class="p">)</span> <span class="s">"source_file"</span><span class="p">)))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">my/go-ts-const-spec-node-name</span> <span class="p">(</span><span class="nv">node</span><span class="p">)</span> <span class="s">"Returns the name of a `const_spec' node"</span> <span class="p">(</span><span class="k">let</span> <span class="p">((</span><span class="nv">const-name</span> <span class="p">(</span><span class="nv">treesit-node-child-by-field-name</span> <span class="nv">node</span> <span class="s">"name"</span><span class="p">)))</span> <span class="p">(</span><span class="nv">treesit-node-text</span> <span class="nv">const-name</span><span class="p">)))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">my/go-ts-var-spec-node-name</span> <span class="p">(</span><span class="nv">node</span><span class="p">)</span> <span class="s">"Returns the name of a `var_spec' node"</span> <span class="p">(</span><span class="k">let</span> <span class="p">((</span><span class="nv">var-name</span> <span class="p">(</span><span class="nv">treesit-node-child-by-field-name</span> <span class="nv">node</span> <span class="s">"name"</span><span class="p">)))</span> <span class="p">(</span><span class="nv">treesit-node-text</span> <span class="nv">var-name</span><span class="p">)))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">my/go-ts-import-node-name</span> <span class="p">(</span><span class="nv">node</span><span class="p">)</span> <span class="s">"Returns the name of a `import_spec' node"</span> <span class="p">(</span><span class="k">let*</span> <span class="p">((</span><span class="nv">import-path</span> <span class="p">(</span><span class="nv">treesit-node-child-by-field-name</span> <span class="nv">node</span> <span class="s">"path"</span><span class="p">))</span> <span class="p">(</span><span class="nv">import-alias</span> <span class="p">(</span><span class="nv">treesit-node-child-by-field-name</span> <span class="nv">node</span> <span class="s">"name"</span><span class="p">))</span> <span class="p">(</span><span class="nb">package-name</span> <span class="p">(</span><span class="nv">treesit-search-subtree</span> <span class="nv">import-path</span> <span class="s">"interpreted_string_literal_content"</span><span class="p">)))</span> <span class="p">(</span><span class="nb">cond</span> <span class="p">(</span><span class="nv">import-alias</span> <span class="p">(</span><span class="nb">format</span> <span class="s">"%s (%s)"</span> <span class="p">(</span><span class="nv">treesit-node-text</span> <span class="nb">package-name</span><span class="p">)</span> <span class="p">(</span><span class="nv">treesit-node-text</span> <span class="nv">import-alias</span><span class="p">)))</span> <span class="p">(</span><span class="no">t</span> <span class="p">(</span><span class="nv">treesit-node-text</span> <span class="nb">package-name</span><span class="p">)))))</span> <span class="p">(</span><span class="nb">defun</span> <span class="nv">my/treesit-simple-imenu-settings</span> <span class="p">()</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">imenu-max-item-length</span> <span class="mi">200</span><span class="p">)</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">imenu-index-create-function</span> <span class="nf">#'</span><span class="nv">treesit-simple-imenu</span><span class="p">)</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">treesit-simple-imenu-settings</span> <span class="o">'</span><span class="p">((</span><span class="s">"Imports"</span> <span class="s">"\\`import_spec\\'"</span> <span class="no">nil</span> <span class="nv">my/go-ts-import-node-name</span><span class="p">)</span> <span class="p">(</span><span class="s">"Functions"</span> <span class="s">"\\`function_declaration\\'"</span> <span class="no">nil</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Constants"</span> <span class="s">"\\`const_spec\\'"</span> <span class="nv">my/go-ts-const-is-global-p</span> <span class="nv">my/go-ts-const-spec-node-name</span><span class="p">)</span> <span class="p">(</span><span class="s">"Variables"</span> <span class="s">"\\`var_spec\\'"</span> <span class="nv">my/go-ts-var-is-global-p</span> <span class="nv">my/go-ts-var-spec-node-name</span><span class="p">)</span> <span class="p">(</span><span class="s">"Interfaces"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--interface-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Types"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--other-type-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Aliases"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--alias-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Structs"</span> <span class="s">"\\`type_declaration\\'"</span> <span class="nv">go-ts-mode--struct-node-p</span> <span class="no">nil</span><span class="p">)</span> <span class="p">(</span><span class="s">"Methods"</span> <span class="s">"\\`method_declaration\\'"</span> <span class="no">nil</span> <span class="no">nil</span><span class="p">)))</span> <span class="p">(</span><span class="nv">setq-local</span> <span class="nv">consult-imenu-config</span> <span class="o">'</span><span class="p">((</span><span class="nv">go-ts-mode</span> <span class="ss">:toplevel</span> <span class="s">"Imports"</span> <span class="ss">:types</span> <span class="p">((</span><span class="nv">?I</span> <span class="s">"Imports"</span> <span class="nv">font-lock-constant-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?f</span> <span class="s">"Functions"</span> <span class="nv">font-lock-function-name-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?c</span> <span class="s">"Constants"</span> <span class="nv">font-lock-constant-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?v</span> <span class="s">"Variables"</span> <span class="nv">font-lock-variable-name-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?i</span> <span class="s">"Interfaces"</span> <span class="nv">font-lock-type-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?t</span> <span class="s">"Types"</span> <span class="nv">font-lock-type-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?a</span> <span class="s">"Aliases"</span> <span class="nv">font-lock-type-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?s</span> <span class="s">"Structs"</span> <span class="nv">font-lock-type-face</span><span class="p">)</span> <span class="p">(</span><span class="nv">?m</span> <span class="s">"Methods"</span> <span class="nv">font-lock-function-name-face</span><span class="p">))))))</span> </code></pre></div></div> <p>What is left now is to add a hook for <code class="language-plaintext highlighter-rouge">go-ts-mode</code>, which configures everything for us.</p> <p>My updated <code class="language-plaintext highlighter-rouge">go-ts-mode</code> config looks like this.</p> <div class="language-emacs-lisp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="nb">use-package</span> <span class="nv">go-ts-mode</span> <span class="ss">:ensure</span> <span class="no">t</span> <span class="ss">:config</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'go-ts-mode-hook</span> <span class="nf">#'</span><span class="nv">my/treesit-simple-imenu-settings</span><span class="p">)</span> <span class="p">(</span><span class="nv">add-hook</span> <span class="ss">'go-ts-mode-hook</span> <span class="nf">#'</span><span class="nv">company-mode</span><span class="p">))</span> </code></pre></div></div> <p>Here’s how it looks like with the sample Go program shown before.</p> <p><a href="/images/consult-imenu-treesit.png" class="glightbox"><img src="/images/consult-imenu-treesit.png" alt="" /></a></p> <p>Things look much better now. We have various categories such as <code class="language-plaintext highlighter-rouge">Imports</code>, <code class="language-plaintext highlighter-rouge">Functions</code>, <code class="language-plaintext highlighter-rouge">Variables</code>, etc. And the index generation happens much faster now, because it relies on <code class="language-plaintext highlighter-rouge">tree-sitter</code> only.</p> Tue, 17 Jun 2025 00:00:00 +0000 https://dnaeon.github.io/eglot-treesitter-imenu/ https://dnaeon.github.io/eglot-treesitter-imenu/ makefile-graph with Apache Echarts support <p>In a <a href="https://dnaeon.github.io/makefile-graph/">previous post</a> I’ve talked about <a href="https://github.com/dnaeon/makefile">makefile-graph</a> - a tool which lets you visualize your Makefile targets so you can better understand how targets relate to others.</p> <p>The <code class="language-plaintext highlighter-rouge">makefile-graph</code> tool initially supported two output formats - <code class="language-plaintext highlighter-rouge">dot</code> and <code class="language-plaintext highlighter-rouge">tsort</code>. The <code class="language-plaintext highlighter-rouge">tsort</code> format prints the topological order after performing a <a href="https://en.wikipedia.org/wiki/Topological_sorting">topological sort</a> of the graph, and the <code class="language-plaintext highlighter-rouge">dot</code> format outputs a representation of the graph in the <a href="https://graphviz.org/doc/info/lang.html">Dot language</a>.</p> <p>Starting with version <code class="language-plaintext highlighter-rouge">v0.1.4</code> of <code class="language-plaintext highlighter-rouge">makefile-graph</code> we can now render a graph of the Makefile targets using <a href="https://echarts.apache.org/en/index.html">Apache Echarts</a>, which provides a better interactive experience when inspecting your Makefile targets.</p> <p>In order to install the latest version of <code class="language-plaintext highlighter-rouge">makefile-graph</code> execute the following command.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>go <span class="nb">install </span>github.com/dnaeon/makefile-graph/cmd/makefile-graph@latest </code></pre></div></div> <p>In order to render a graph using Apache Echarts we need to specify the <code class="language-plaintext highlighter-rouge">--format echarts</code> option, e.g.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>makefile-graph <span class="se">\</span> <span class="nt">--makefile</span> examples/Makefile <span class="se">\</span> <span class="nt">--direction</span> LR <span class="se">\</span> <span class="nt">--format</span> echarts </code></pre></div></div> <p>The command above will generate an HTML document, which you can save and open.</p> <p><a href="/images/makefile-graph-echarts-white.gif" class="glightbox"><img src="/images/makefile-graph-echarts-white.gif" alt="" /></a></p> <p>If you want to use a different theme (e.g. <code class="language-plaintext highlighter-rouge">dark</code>, <code class="language-plaintext highlighter-rouge">vintage</code>, etc.) you can specify the Echarts theme using the <code class="language-plaintext highlighter-rouge">--theme</code> option. The font size and style can be controlled via the <code class="language-plaintext highlighter-rouge">--font-size</code> and <code class="language-plaintext highlighter-rouge">--font-style</code> options respectively. For example this command will render the graph using the <code class="language-plaintext highlighter-rouge">dark</code> theme of Echarts.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>makefile-graph <span class="se">\</span> <span class="nt">--makefile</span> examples/Makefile <span class="se">\</span> <span class="nt">--direction</span> LR <span class="se">\</span> <span class="nt">--theme</span> dark <span class="se">\</span> <span class="nt">--format</span> echarts </code></pre></div></div> <p><a href="/images/makefile-graph-echarts-dark.gif" class="glightbox"><img src="/images/makefile-graph-echarts-dark.gif" alt="" /></a></p> <p>For additional information and examples, please refer to the <a href="https://github.com/dnaeon/makefile-graph">dnaeon/makefile-graph</a> repo.</p> Sat, 24 May 2025 00:00:00 +0000 https://dnaeon.github.io/makefile-graph-echarts/ https://dnaeon.github.io/makefile-graph-echarts/ Tracking Kubernetes resource origin with kustomize <p><a href="https://kustomize.io/">kustomize</a> is a configuration management tool, which allows you to manage Kubernetes resources in a template-free way.</p> <p>With <code class="language-plaintext highlighter-rouge">kustomize</code> you can define a base set of resources describing the desired state of an application, and then customize the configuration for a specific environment by leveraging <a href="https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/#2-create-variants-using-overlays">overlays</a>.</p> <p>You can also use <code class="language-plaintext highlighter-rouge">kustomize</code> to <a href="https://kubectl.docs.kubernetes.io/guides/config_management/secrets_configmaps/">generate secrets and configmaps</a>.</p> <p>The template-free approach of <code class="language-plaintext highlighter-rouge">kustomize</code> is something which I like, because it keeps the whole configuration more explicit, and does not introduce complexity via some magic template expansion. Another nice thing about <code class="language-plaintext highlighter-rouge">kustomize</code> is that it is already integrated into <code class="language-plaintext highlighter-rouge">kubectl</code>.</p> <p>In order to get familiar with <code class="language-plaintext highlighter-rouge">kustomize</code> and the concepts it uses, please make sure to check the <a href="https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/">Introduction to Kustomize</a>.</p> <p>In this post we are going to see how we can track the origin of Kubernetes resources produced by <code class="language-plaintext highlighter-rouge">kustomize</code>, and then visualize them.</p> <p>Let’s create a sample kustomization based on the <a href="https://github.com/kubernetes-sigs/kustomize/tree/master/examples/helloWorld">kustomize helloWorld</a> example.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-world</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://github.com/kubernetes-sigs/kustomize//examples/helloWorld/?timeout=120</span> </code></pre></div></div> <p>Now, let’s build it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kustomize build </code></pre></div></div> <p>The output from the command above is this.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">altGreeting</span><span class="pi">:</span> <span class="s">Good Morning!</span> <span class="na">enableRisky</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-map</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8666</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-deployment</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/hello</span> <span class="pi">-</span> <span class="s">--port=8080</span> <span class="pi">-</span> <span class="s">--enableRiskyFeature=$(ENABLE_RISKY)</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ALT_GREETING</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">altGreeting</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-map</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ENABLE_RISKY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">enableRisky</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-map</span> <span class="na">image</span><span class="pi">:</span> <span class="s">monopole/hello:1</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-container</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre></div></div> <p>This fairly simple example shows how to create a new <code class="language-plaintext highlighter-rouge">kustomization.yaml</code>, which is based on a remote repo. The result of our kustomization is just three resources - a <code class="language-plaintext highlighter-rouge">Deployment</code>, a <code class="language-plaintext highlighter-rouge">Service</code> and a <code class="language-plaintext highlighter-rouge">ConfigMap</code>.</p> <p>Where things may become complicated is when your <code class="language-plaintext highlighter-rouge">kustomization.yaml</code> builds on top of multiple bases, each of which provides a lot of resources.</p> <p>In these situations understanding where a given resource comes from becomes a challenge. Fortunately, in kustomize we can enable <a href="https://github.com/kubernetes-sigs/kustomize/blob/master/api/types/kustomization.go#L17-L30">originAnnotations</a>, which helps in this regard.</p> <p>When we enable <code class="language-plaintext highlighter-rouge">originAnnotations</code> in our <code class="language-plaintext highlighter-rouge">kustomization.yaml</code> kustomize will add annotations to each resource it produces, which describes where the resources originate from.</p> <p>Let’s try it out.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-world</span> <span class="na">buildMetadata</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">originAnnotations</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://github.com/kubernetes-sigs/kustomize//examples/helloWorld/?timeout=120</span> </code></pre></div></div> <p>This time when we <code class="language-plaintext highlighter-rouge">kustomize build</code> we get this output instead. Notice the newly added <code class="language-plaintext highlighter-rouge">config.kubernetes.io/origin</code> annotation by <code class="language-plaintext highlighter-rouge">kustomize</code>.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">altGreeting</span><span class="pi">:</span> <span class="s">Good Morning!</span> <span class="na">enableRisky</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">config.kubernetes.io/origin</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">path: examples/helloWorld/configMap.yaml</span> <span class="s">repo: https://github.com/kubernetes-sigs/kustomize</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-map</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">config.kubernetes.io/origin</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">path: examples/helloWorld/service.yaml</span> <span class="s">repo: https://github.com/kubernetes-sigs/kustomize</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8666</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">config.kubernetes.io/origin</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">path: examples/helloWorld/deployment.yaml</span> <span class="s">repo: https://github.com/kubernetes-sigs/kustomize</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-deployment</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/hello</span> <span class="pi">-</span> <span class="s">--port=8080</span> <span class="pi">-</span> <span class="s">--enableRiskyFeature=$(ENABLE_RISKY)</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ALT_GREETING</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">altGreeting</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-map</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ENABLE_RISKY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">enableRisky</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-map</span> <span class="na">image</span><span class="pi">:</span> <span class="s">monopole/hello:1</span> <span class="na">name</span><span class="pi">:</span> <span class="s">the-container</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre></div></div> <p>Now, this is much better as we can clearly see where a given resource came from. However, when having lots of resources it’s still a challenge to visually parse these annotations, but we can do better than that.</p> <p>Some time ago I’ve worked on creating a tool which parses the origin annotations produced by <code class="language-plaintext highlighter-rouge">kustomize</code> and renders a graph of the resources and their origins.</p> <p>You can find the code at the <a href="https://github.com/dnaeon/kustomize-dot">dnaeon/kustomize-dot</a> repo.</p> <p><a href="/images/kustomize-dot-1.svg" class="glightbox"><img src="/images/kustomize-dot-1.svg" alt="" /></a></p> <p><a href="https://github.com/dnaeon/kustomize-dot">dnaeon/kustomize-dot</a> can operate in two modes - as a standalone CLI application, or as a <a href="https://kubectl.docs.kubernetes.io/guides/extending_kustomize/containerized_krm_functions/">KRM Function plugin</a>.</p> <p>In order to generate a graph of the Kubernetes resources and their origin when building a kustomization target we need to enable the <code class="language-plaintext highlighter-rouge">originAnnotations</code> build option in our <code class="language-plaintext highlighter-rouge">kustomization.yaml</code> file, just like we did for the <code class="language-plaintext highlighter-rouge">helloWorld</code> example.</p> <p>The tool is flexible and supports filtering of resources, highlighting of resources or whole namespaces, setting graph layout direction, etc. This is useful when we want to get a more focused view of the resulting graph.</p> <p>This here is the representation of all the resources for <a href="https://github.com/prometheus-operator/kube-prometheus">kube-prometheus operator</a>.</p> <p><a href="/images/kustomize-dot-kube-prometheus-full.svg" class="glightbox"><img src="/images/kustomize-dot-kube-prometheus-full.svg" alt="" /></a></p> <p>The resulting graph is big, and could be confusing as well. In order to focus on specific resources (or namespaces) we can ask <code class="language-plaintext highlighter-rouge">kustomize-dot</code> to filter out the things we do (or don’t) need.</p> <p>This command here for example will keep only resources from the <code class="language-plaintext highlighter-rouge">default</code> and <code class="language-plaintext highlighter-rouge">kube-system</code> namespaces.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kustomize-dot generate <span class="nt">-f</span> kube-prometheus.yaml <span class="se">\</span> <span class="nt">--keep-namespace</span> default <span class="se">\</span> <span class="nt">--keep-namespace</span> kube-system </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">kube-prometheus.yaml</code> file can be found in <a href="https://github.com/dnaeon/kustomize-dot/blob/v1/pkg/fixtures/kube-prometheus.yaml">pkg/fixtures/kube-prometheus.yaml</a>.</p> <p>This is what the result looks like.</p> <p><a href="/images/kustomize-dot-kube-prometheus-1.svg" class="glightbox"><img src="/images/kustomize-dot-kube-prometheus-1.svg" alt="" /></a></p> <p>We can also apply some highlighting, if needed.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kustomize-dot generate <span class="nt">-f</span> kube-prometheus.yaml <span class="se">\</span> <span class="nt">--keep-namespace</span> default <span class="se">\</span> <span class="nt">--keep-namespace</span> kube-system <span class="se">\</span> <span class="nt">--highlight-namespace</span> <span class="nv">default</span><span class="o">=</span>pink <span class="se">\</span> <span class="nt">--highlight-namespace</span> kube-system<span class="o">=</span>yellow </code></pre></div></div> <p><a href="/images/kustomize-dot-kube-prometheus-2.svg" class="glightbox"><img src="/images/kustomize-dot-kube-prometheus-2.svg" alt="" /></a></p> <p>And here’s another example, which drops all <code class="language-plaintext highlighter-rouge">ConfigMap</code> resources, and keeps everything else.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kustomize-dot generate <span class="nt">-f</span> kube-prometheus.yaml <span class="se">\</span> <span class="nt">--keep-namespace</span> monitoring <span class="se">\</span> <span class="nt">--drop-kind</span> ConfigMap <span class="se">\</span> <span class="nt">--highlight-kind</span> <span class="nv">service</span><span class="o">=</span>yellow <span class="se">\</span> <span class="nt">--highlight-kind</span> <span class="nv">servicemonitor</span><span class="o">=</span>orange <span class="se">\</span> <span class="nt">--highlight-kind</span> <span class="nv">serviceaccount</span><span class="o">=</span>lightgray <span class="se">\</span> <span class="nt">--highlight-kind</span> <span class="nv">deployment</span><span class="o">=</span>magenta <span class="se">\</span> <span class="nt">--highlight-kind</span> <span class="nv">prometheusrule</span><span class="o">=</span>lightgreen <span class="se">\</span> <span class="nt">--highlight-kind</span> <span class="nv">networkpolicy</span><span class="o">=</span>cyan </code></pre></div></div> <p>The result looks like this.</p> <p><a href="/images/kustomize-dot-kube-prometheus-3.svg" class="glightbox"><img src="/images/kustomize-dot-kube-prometheus-3.svg" alt="" /></a></p> <p>For additional information and examples, please refer to the <a href="https://github.com/dnaeon/kustomize-dot">dnaeon/kustomize-dot</a> repo.</p> Fri, 15 Nov 2024 00:00:00 +0000 https://dnaeon.github.io/kustomize-dot/ https://dnaeon.github.io/kustomize-dot/ Generating graphs from your Makefiles <p>Anyone who has done any kind of programming at some point comes across <a href="https://www.gnu.org/software/make/">GNU Make</a> and <code class="language-plaintext highlighter-rouge">Makefile</code>.</p> <p>So what is <code class="language-plaintext highlighter-rouge">make(1)</code> and what are these <code class="language-plaintext highlighter-rouge">Makefile</code>s?</p> <p>Instead of trying to explain this I’ll simply quote here the official <a href="https://www.gnu.org/software/make/">GNU Make documentation</a>.</p> <blockquote> <p>GNU Make is a tool which controls the generation of executables and other non-source files of a program from the program’s source files.</p> <p>Make gets its knowledge of how to build your program from a file called the makefile, which lists each of the non-source files and how to compute it from other files. When you write a program, you should write a makefile for it, so that it is possible to use Make to build and install the program.</p> </blockquote> <p>If you haven’t heard or used <code class="language-plaintext highlighter-rouge">make(1)</code> before, I’d recommend that you go and check the <a href="https://www.gnu.org/software/make/">GNU Make documentation</a> for introduction and a tutorial on creating your first Makefile.</p> <p>In the rest of this post I assume that you have already used <code class="language-plaintext highlighter-rouge">make(1)</code> and know what it does.</p> <p>Okay, with that out of the way it’s time to focus on the topic of this post. Working with Makefiles can sometimes be challenging, especially if your project is large enough to contain lots of <a href="https://www.gnu.org/software/make/manual/make.html#Makefile-Contents">targets</a> and lots of dependencies between each of them.</p> <p>Navigating through these targets and their dependencies may not be an easy task. For example <a href="https://www.gnu.org/software/make/manual/html_node/Include.html">including other Makefiles</a> while it helps keeping things logically separated introduces additional complexity when a person needs to understand the additional targets and additional dependencies from the included Makefile.</p> <p>Okay, so what can we do about that? How to navigate through large Makefiles and get a better understanding of all the targets and their dependencies?</p> <p>Internally, GNU Make (and other make implementations) are building a <a href="https://en.wikipedia.org/wiki/Dependency_graph">dependency graph</a>, where the targets represent the <em>vertices</em> and the <em>edges</em> which connect them are represented by the target <a href="https://www.gnu.org/software/make/manual/make.html#Prerequisite-Types">prerequisite</a>.</p> <p>Knowing this we can actually build a graph from our Makefiles and visualize them, which will help us navigate through the jungle of targets and their dependencies.</p> <p>Okay, first things first. How do we get the graph representation which <code class="language-plaintext highlighter-rouge">make(1)</code> is using? This one is easy with GNU Make.</p> <p>All you have to do in order to dump make’s internal database is call <code class="language-plaintext highlighter-rouge">make(1)</code> with these flags.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make <span class="nt">--print-data-base</span> <span class="se">\</span> <span class="nt">--no-builtin-rules</span> <span class="se">\</span> <span class="nt">--no-builtin-variables</span> <span class="se">\</span> <span class="nt">--dry-run</span> <span class="se">\</span> <span class="nt">--always-make</span> <span class="se">\</span> <span class="nt">--question</span> </code></pre></div></div> <p>Calling this <code class="language-plaintext highlighter-rouge">make(1)</code> command inside a directory with a Makefile will dump the internal database of GNU Make.</p> <p>Here’s a sample output from one of my Makefiles.</p> <div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code># GNU Make 4.4.1 # Built for x86_64-pc-linux-gnu # Copyright (C) 1988-2023 Free Software Foundation, Inc. # License GPLv3+: GNU GPL version 3 or later &lt;https://gnu.org/licenses/gpl.html&gt; # This is free software: you are free to change and redistribute it. # There is NO WARRANTY, to the extent permitted by law. # Make data base, printed on Sun Apr 28 16:38:33 2024 # Variables # environment TMUX_PANE = %0 # environment GO111MODULE = on # environment QT_WAYLAND_RECONNECT = 1 # variable set hash-table stats: # Load=109/1024=11%, Rehash=0, Collisions=6/141=4% # Pattern-specific Variable Values # No pattern-specific variable values. # Directories # . (device 65041, inode 3154786): 17 files, no impossibilities. # 17 files, no impossibilities in 1 directories. # Implicit Rules # No implicit rules. # Files test_cover: # Phony target (prerequisite of .PHONY). # Implicit rule search has not been done. # File does not exist. # File has not been updated. # recipe to execute (from 'Makefile', line 8): go test -v -race -coverprofile=coverage.txt -covermode=atomic ./... # Not a target: Makefile: # Implicit rule search has been done. # File is secondary (prerequisite of .SECONDARY). # Last modified 2022-08-19 12:15:43.700764449 # File has been updated. # Successfully updated. # Not a target: .DEFAULT: # Implicit rule search has not been done. # Modification time never checked. # File has not been updated. test: # Phony target (prerequisite of .PHONY). # Implicit rule search has not been done. # File does not exist. # File has not been updated. # recipe to execute (from 'Makefile', line 5): go test -v -race ./... get: # Phony target (prerequisite of .PHONY). # Implicit rule search has not been done. # Implicit/static pattern stem: '' # File does not exist. # File has been updated. # Needs to be updated (-q is set). # automatic # @ := get # automatic # * := # automatic # &lt; := # automatic # + := # automatic # % := # automatic # ^ := # automatic # ? := # automatic # | := # variable set hash-table stats: # Load=8/32=25%, Rehash=0, Collisions=1/11=9% # recipe to execute (from 'Makefile', line 2): go get -v -t -d ./... # Not a target: .SUFFIXES: # Implicit rule search has not been done. # Modification time never checked. # File has not been updated. .PHONY: get test test_cover # Implicit rule search has not been done. # Modification time never checked. # File has not been updated. # files hash-table stats: # Load=7/1024=1%, Rehash=0, Collisions=0/23=0% # VPATH Search Paths # No 'vpath' search paths. # No general ('VPATH' variable) search path. # strcache buffers: 1 (0) / strings = 26 / storage = 226 B / avg = 8 B # current buf: size = 8162 B / used = 226 B / count = 26 / avg = 8 B # strcache performance: lookups = 36 / hit rate = 27% # hash-table stats: # Load=26/8192=0%, Rehash=0, Collisions=0/36=0% # Finished Make data base on Sun Apr 28 16:38:33 2024 </code></pre></div></div> <p>If you look closely you will see that this output contains multiple sections:</p> <ul> <li>A header describing the version of the make tool</li> <li>A section containing the environment variables</li> <li>Pattern-specific Variable Values</li> <li>No pattern-specific variable values</li> <li>etc.</li> </ul> <p>Within the <code class="language-plaintext highlighter-rouge">Files</code> section we can also see our targets and this is exactly what we need and what we are going to be parsing.</p> <p>The good news is that I’ve already implemented the parser and you can install it as a CLI tool, or use it as a Go package in case you want to implement different graph representations.</p> <p>You can find the code in the <a href="https://github.com/dnaeon/makefile-graph">dnaeon/makefile-graph</a> and here’s how you can install it.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>go <span class="nb">install </span>github.com/dnaeon/makefile-graph/cmd/makefile-graph@latest </code></pre></div></div> <p>If you want to use the parser and do whatever you want to do with the parsed graph you can install the <code class="language-plaintext highlighter-rouge">parser</code> package.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>go get <span class="nt">-v</span> github.com/dnaeon/makefile-graph/pkg/parser </code></pre></div></div> <p>Here are some screenshots of <code class="language-plaintext highlighter-rouge">makefile-graph</code> in action. The commands below are using the following Makefile, from which we will be generating the graph representation in <a href="https://graphviz.org/doc/info/lang.html">dot format</a>.</p> <div class="language-makefile highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">edit </span><span class="o">:</span> <span class="nf">main.o kbd.o command.o display.o </span>\ <span class="nf"> insert.o search.o files.o utils.o</span> cc <span class="nt">-o</span> edit main.o kbd.o command.o display.o <span class="se">\</span> insert.o search.o files.o utils.o <span class="nl">main.o </span><span class="o">:</span> <span class="nf">main.c defs.h</span> cc <span class="nt">-c</span> main.c <span class="nl">kbd.o </span><span class="o">:</span> <span class="nf">kbd.c defs.h command.h</span> cc <span class="nt">-c</span> kbd.c <span class="nl">command.o </span><span class="o">:</span> <span class="nf">command.c defs.h command.h</span> cc <span class="nt">-c</span> command.c <span class="nl">display.o </span><span class="o">:</span> <span class="nf">display.c defs.h buffer.h</span> cc <span class="nt">-c</span> display.c <span class="nl">insert.o </span><span class="o">:</span> <span class="nf">insert.c defs.h buffer.h</span> cc <span class="nt">-c</span> insert.c <span class="nl">search.o </span><span class="o">:</span> <span class="nf">search.c defs.h buffer.h</span> cc <span class="nt">-c</span> search.c <span class="nl">files.o </span><span class="o">:</span> <span class="nf">files.c defs.h buffer.h command.h</span> cc <span class="nt">-c</span> files.c <span class="nl">utils.o </span><span class="o">:</span> <span class="nf">utils.c defs.h</span> cc <span class="nt">-c</span> utils.c <span class="nl">clean </span><span class="o">:</span> <span class="nb">rm </span>edit main.o kbd.o command.o display.o <span class="se">\</span> insert.o search.o files.o utils.o </code></pre></div></div> <p>Here’s how to render the graph for all targets from our sample Makefile.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>makefile-graph <span class="nt">--makefile</span> examples/Makefile <span class="nt">--direction</span> TB | dot <span class="nt">-Tsvg</span> <span class="nt">-o</span> graph.svg </code></pre></div></div> <p>And this is what it looks like.</p> <p><a href="/images/makefile-graph-1.svg" class="glightbox"><img src="/images/makefile-graph-1.svg" alt="" /></a></p> <p>In large enough Makefiles the generated graph may not be easy to understand as well, and for that reason <code class="language-plaintext highlighter-rouge">makefile-graph</code> supports highlighting specific targets and their dependencies.</p> <p>For example this command will highlight the <code class="language-plaintext highlighter-rouge">files.o</code> target and it’s dependencies.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>makefile-graph <span class="se">\</span> <span class="nt">--makefile</span> examples/Makefile <span class="se">\</span> <span class="nt">--direction</span> TB <span class="se">\</span> <span class="nt">--target</span> files.o <span class="se">\</span> <span class="nt">--highlight</span> <span class="se">\</span> <span class="nt">--highlight-color</span> lightgreen </code></pre></div></div> <p>The results look like this.</p> <p><a href="/images/makefile-graph-2.svg" class="glightbox"><img src="/images/makefile-graph-2.svg" alt="" /></a></p> <p>And if that is not good enough, we can always focus on a specific target and it’s dependencies only.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>makefile-graph <span class="se">\</span> <span class="nt">--makefile</span> examples/Makefile <span class="se">\</span> <span class="nt">--direction</span> TB <span class="se">\</span> <span class="nt">--target</span> files.o <span class="se">\</span> <span class="nt">--related-only</span> </code></pre></div></div> <p>The results look like this.</p> <p><a href="/images/makefile-graph-3.svg" class="glightbox"><img src="/images/makefile-graph-3.svg" alt="" /></a></p> <p>For additional information and examples, please refer to the <a href="https://github.com/dnaeon/makefile-graph">dnaeon/makefile-graph</a> repo.</p> Sun, 28 Apr 2024 00:00:00 +0000 https://dnaeon.github.io/makefile-graph/ https://dnaeon.github.io/makefile-graph/