This is a small "library" for wrapping binaries with magic OAuth authentication based on the automatically-injected k8s service account tokens and OpenShift's OAuth service. There's an example of this deployed at https://example-lukegb-openshiftauth-test.apps.k8s.lukegb.tech/. The main pieces of setup that need to happen are: * Set "serviceAccount" in the pod definition * Add a Route for the pod * Edit the serviceaccount and add metadata.annotations, e.g.: serviceaccounts.openshift.io/oauth-redirectreference.first: >- {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"example"}}
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
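let
  depot = (import ./default.nix {});
  pkgs = depot.third_party.nixpkgs;
  lib = pkgs.lib;

  # Registry reference -> gzipped docker image derivation to push there.
  images = {
    "registry.apps.k8s.lukegb.tech/twitterchiver/archiver:latest" = depot.go.twitterchiver.archiver.dockerImage;
    "registry.apps.k8s.lukegb.tech/lukegb-openshiftauth-test/example:latest" = depot.go.openshiftauth.example.dockerImage;
  };

  crane = "${depot.nix.pkgs.crane}/bin/crane";

  # crane wants an uncompressed tarball; the dockerImage derivations are gzipped.
  decompress = drv: pkgs.runCommandNoCC "docker-image" {} ''
    ${pkgs.gzip}/bin/gunzip -c ${drv} > $out
  '';

  # One `crane push` per image. The registry reference is shell-escaped so an
  # unusual tag/name can't break the generated command.
  pushCommands = lib.mapAttrsToList (name: value: ''
    ${crane} push ${decompress value} ${lib.escapeShellArg name}
  '') images;

  # One `crane auth login` per registry in the deployer secrets.
  #
  # The password is fed over stdin (--password-stdin) rather than as a `-p`
  # argument so it does not show up in `ps`/proc cmdline of other users on the
  # box while the login runs. Both user and password are shell-escaped so
  # quotes/dollars in a credential can't inject into the script.
  #
  # SECURITY NOTE: the credentials are still interpolated into the script at
  # Nix eval time, and pkgs.writeShellScript places that script in the
  # world-readable Nix store. Only evaluate/build this on a machine where that
  # is acceptable (it is a deployer-only script); do not copy the resulting
  # store path to a shared cache.
  authCommands = lib.mapAttrsToList (name: value: ''
    printf '%s' ${lib.escapeShellArg value.password} | ${crane} auth login ${lib.escapeShellArg name} -u ${lib.escapeShellArg value.user} --password-stdin
  '') depot.ops.secrets.deployer.dockerRegistryAuth;
in

# Shell script that logs into every configured registry and then pushes every
# image. `set -euo pipefail` makes a failed login or push abort the run instead
# of silently continuing with the remaining images.
pkgs.writeShellScript "push-images" ''
  set -euo pipefail

  ${lib.concatStringsSep "\n" authCommands}

  ${lib.concatStringsSep "\n" pushCommands}
''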