diff --git a/pkgs/servers/http/pomerium/common.nix b/pkgs/servers/http/pomerium/common.nix
index 87b9b98a72e8..d7a0814f1315 100644
--- a/pkgs/servers/http/pomerium/common.nix
+++ b/pkgs/servers/http/pomerium/common.nix
@@ -2,10 +2,10 @@
 , lib
 }:
 let
- version = "0.17.1";
- srcHash = "sha256:0b9mdzyfn7c6gwgslqk787yyrrcmdjf3282vx2zvhcr3psz0xqwx";
- vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
- yarnSha256 = "sha256-dLkn9xvQ3gixU63g1xvzbY+YI+9YnaGa3D0uGrrpGvI=";
+ version = "0.18.0";
+ srcSha256 = "sha256-sM4kM8CqbZjl+RIsezWYVCmjoDKfGl+EQcdEaPKvVHs=";
+ vendorSha256 = "sha256-1EWcjfrO3FEypUUKwNwDisogERCuKOvtC7z0mC2JZn4=";
+ yarnSha256 = "sha256-Uh0y2Zmy6bSoyL5WMTce01hoH7EvSIniHyIBMxfMvhg=";
 in
 {
 inherit version vendorSha256 yarnSha256;
@@ -14,7 +14,7 @@ in
 owner = "pomerium";
 repo = "pomerium";
 rev = "v${version}";
- hash = srcHash;
+ sha256 = srcSha256;
 };
 
 meta = with lib; {
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 7b115d6d694a..31f9a7e59e0c 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -20,6 +20,9 @@ buildGoModule rec {
 "cmd/pomerium"
 ];
 
+ # patch pomerium to allow use of external envoy
+ patches = [ ./external-envoy.diff ];
+
 ldflags = let
 # Set a variety of useful meta variables for stamping the build with.
 setVars = {
@@ -29,7 +32,7 @@ buildGoModule rec {
 ProjectName = "pomerium";
 ProjectURL = "github.com/pomerium/pomerium";
 };
- "github.com/pomerium/pomerium/internal/envoy" = {
+ "github.com/pomerium/pomerium/pkg/envoy" = {
 OverrideEnvoyPath = "${envoy}/bin/envoy";
 };
 };
@@ -49,8 +52,8 @@ buildGoModule rec {
 # Replace embedded envoy with nothing.
 # We set OverrideEnvoyPath above, so rawBinary should never get looked at
 # but we still need to set a checksum/version.
- rm internal/envoy/files/files_{darwin,linux}*.go
- cat <internal/envoy/files/files_generic.go
+ rm pkg/envoy/files/files_{darwin,linux}*.go
+ cat <pkg/envoy/files/files_external.go
 package files
 
 import _ "embed" // embed
@@ -63,8 +66,8 @@ buildGoModule rec {
 //go:embed envoy.version
 var rawVersion string
 EOF
- sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
- echo '${envoy.version}' > internal/envoy/files/envoy.version
+ sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
+ echo '${envoy.version}' > pkg/envoy/files/envoy.version
 
 # put the built UI files where they will be picked up as part of binary build
 cp -r ${pomerium-ui} ui
diff --git a/pkgs/servers/http/pomerium/external-envoy.diff b/pkgs/servers/http/pomerium/external-envoy.diff
new file mode 100644
index 000000000000..49f4985ad77c
--- /dev/null
+++ b/pkgs/servers/http/pomerium/external-envoy.diff
@@ -0,0 +1,48 @@
+diff --git a/pkg/envoy/envoy.go b/pkg/envoy/envoy.go
+index e32cfc29..9d32c057 100644
+--- a/pkg/envoy/envoy.go
++++ b/pkg/envoy/envoy.go
+@@ -8,9 +8,9 @@ import (
+ "errors"
+ "fmt"
+ "io"
++ "io/fs"
+ "os"
+ "os/exec"
+- "path"
+ "path/filepath"
+ "regexp"
+ "strconv"
+@@ -36,8 +36,12 @@ import (
+ 
+ const (
+ configFileName = "envoy-config.yaml"
++ workingDirectoryName = ".pomerium-envoy"
++ embeddedEnvoyPermissions fs.FileMode = 0o700
+ )
+ 
++var OverrideEnvoyPath = ""
++
+ type serverOptions struct {
+ services string
+ logLevel string
+@@ -60,13 +64,16 @@ type Server struct {
+ 
+ // NewServer creates a new server with traffic routed by envoy.
+ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Builder) (*Server, error) {
+- envoyPath, err := Extract()
++ envoyPath := OverrideEnvoyPath
++ wd := filepath.Join(os.TempDir(), workingDirectoryName)
++
++ err := os.MkdirAll(wd, embeddedEnvoyPermissions)
+ if err != nil {
+- return nil, fmt.Errorf("extracting envoy: %w", err)
++ return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
+ }
+ 
+ srv := &Server{
+- wd: path.Dir(envoyPath),
++ wd: wd,
+ builder: builder,
+ grpcPort: src.GetConfig().GRPCPort,
+ httpPort: src.GetConfig().HTTPPort,
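Review bot: `os.MkdirAll(wd, embeddedEnvoyPermissions)` in NewServer returns nil for an already-existing `/tmp/.pomerium-envoy` (wd is a fixed name under `os.TempDir()`) whatever that entry's owner or mode — the `0o700` only applies when this call creates it — so a directory or symlink of that name left behind by another local user would silently become the place envoy's config is written, and NewServer should re-check the directory after creating it, as in the excerpt below (an owner check needs the platform-specific `syscall.Stat_t` and is left out). `envoyPath := OverrideEnvoyPath` is also never validated, so a build that does not set it via ldflags presumably carries an empty binary path into the later exec and fails with a less useful error; `if envoyPath == "" { return nil, errors.New("envoy path not configured") }` right after the assignment would report that at startup (`errors` is already imported). The name `embeddedEnvoyPermissions` is misleading now that nothing is embedded; `workingDirectoryPermissions` would match its only use. NewServer's body continues past the end of this hunk.
```go
	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
	if err != nil {
		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
	}
	// MkdirAll succeeds on a pre-existing entry whatever its owner or mode, so
	// confirm wd is a real directory that only this user can write into.
	info, err := os.Lstat(wd)
	if err != nil {
		return nil, fmt.Errorf("error inspecting envoy working directory: %w", err)
	}
	if !info.IsDir() || info.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("envoy working directory %q is not a private directory", wd)
	}
	// … unchanged: Server literal …
```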