pomerium: 0.17.1 -> 0.18.0

2022-08-23 20:08:34 -05:00 · 2022-08-23 20:08:34 -05:00 · 4dfa0d2324
commit 4dfa0d2324
parent 9677d8a7a5
3 changed files with 61 additions and 10 deletions
--- a/pkgs/servers/http/pomerium/common.nix
+++ b/pkgs/servers/http/pomerium/common.nix
@ -2,10 +2,10 @@
 , lib
 }:
 let
-  version = "0.17.1";
-  srcHash = "sha256:0b9mdzyfn7c6gwgslqk787yyrrcmdjf3282vx2zvhcr3psz0xqwx";
-  vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
-  yarnSha256 = "sha256-dLkn9xvQ3gixU63g1xvzbY+YI+9YnaGa3D0uGrrpGvI=";
+  version = "0.18.0";
+  srcSha256 = "sha256-sM4kM8CqbZjl+RIsezWYVCmjoDKfGl+EQcdEaPKvVHs=";
+  vendorSha256 = "sha256-1EWcjfrO3FEypUUKwNwDisogERCuKOvtC7z0mC2JZn4=";
+  yarnSha256 = "sha256-Uh0y2Zmy6bSoyL5WMTce01hoH7EvSIniHyIBMxfMvhg=";
 in
 {
  inherit version vendorSha256 yarnSha256;
@ -14,7 +14,7 @@ in
    owner = "pomerium";
    repo = "pomerium";
    rev = "v${version}";
-    hash = srcHash;
+    sha256 = srcSha256;
  };

  meta = with lib; {
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@ -20,6 +20,9 @@ buildGoModule rec {
    "cmd/pomerium"
  ];

+  # patch pomerium to allow use of external envoy
+  patches = [ ./external-envoy.diff ];
+
  ldflags = let
    # Set a variety of useful meta variables for stamping the build with.
    setVars = {
@ -29,7 +32,7 @@ buildGoModule rec {
        ProjectName = "pomerium";
        ProjectURL = "github.com/pomerium/pomerium";
      };
-      "github.com/pomerium/pomerium/internal/envoy" = {
+      "github.com/pomerium/pomerium/pkg/envoy" = {
        OverrideEnvoyPath = "${envoy}/bin/envoy";
      };
    };
@ -49,8 +52,8 @@ buildGoModule rec {
    # Replace embedded envoy with nothing.
    # We set OverrideEnvoyPath above, so rawBinary should never get looked at
    # but we still need to set a checksum/version.
-    rm internal/envoy/files/files_{darwin,linux}*.go
-    cat <<EOF >internal/envoy/files/files_generic.go
+    rm pkg/envoy/files/files_{darwin,linux}*.go
+    cat <<EOF >pkg/envoy/files/files_external.go
    package files

    import _ "embed" // embed
@ -63,8 +66,8 @@ buildGoModule rec {
    //go:embed envoy.version
    var rawVersion string
    EOF
-    sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
-    echo '${envoy.version}' > internal/envoy/files/envoy.version
+    sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
+    echo '${envoy.version}' > pkg/envoy/files/envoy.version

    # put the built UI files where they will be picked up as part of binary build
    cp -r ${pomerium-ui} ui
--- a/pkgs/servers/http/pomerium/external-envoy.diff
+++ b/pkgs/servers/http/pomerium/external-envoy.diff
@ -0,0 +1,48 @@
+diff --git a/pkg/envoy/envoy.go b/pkg/envoy/envoy.go
+index e32cfc29..9d32c057 100644
+--- a/pkg/envoy/envoy.go
+++ b/pkg/envoy/envoy.go
+@@ -8,9 +8,9 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"io"
+	"io/fs"
+ 	"os"
+ 	"os/exec"
+-	"path"
+ 	"path/filepath"
+ 	"regexp"
+ 	"strconv"
+@@ -36,8 +36,12 @@ import (
+ 
+ const (
+ 	configFileName = "envoy-config.yaml"
+	workingDirectoryName = ".pomerium-envoy"
+	embeddedEnvoyPermissions     fs.FileMode = 0o700
+ )
+ 
+var OverrideEnvoyPath = ""
+
+ type serverOptions struct {
+ 	services string
+ 	logLevel string
+@@ -60,13 +64,16 @@ type Server struct {
+ 
+ // NewServer creates a new server with traffic routed by envoy.
+ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Builder) (*Server, error) {
+-	envoyPath, err := Extract()
+	envoyPath := OverrideEnvoyPath
+	wd := filepath.Join(os.TempDir(), workingDirectoryName)
+
+	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
+ 	if err != nil {
+-		return nil, fmt.Errorf("extracting envoy: %w", err)
+		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
+ 	}
+ 
+ 	srv := &Server{
+-		wd:        path.Dir(envoyPath),
+		wd:        wd,
+ 		builder:   builder,
+ 		grpcPort:  src.GetConfig().GRPCPort,
+ 		httpPort:  src.GetConfig().HTTPPort,