depot/docker-images.nix
Luke Granger-Brown 04c3a8431b go/openshiftauth: init
This is a small "library" for wrapping binaries with magic OAuth authentication based on the automatically-injected k8s service account tokens and OpenShift's OAuth service.

There's an example of this deployed at https://example-lukegb-openshiftauth-test.apps.k8s.lukegb.tech/.

The main pieces of setup that need to happen is:

* Set "serviceAccount" in pod definition
* Add Route for pod
* Edit serviceaccount and add metadata.annotations, e.g.:
    serviceaccounts.openshift.io/oauth-redirectreference.first: >-
      {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"example"}}
2020-10-04 14:38:56 +01:00

30 lines
1 KiB
Nix

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
let
depot = (import ./default.nix {});
pkgs = depot.third_party.nixpkgs;
lib = pkgs.lib;
images = {
"registry.apps.k8s.lukegb.tech/twitterchiver/archiver:latest" = depot.go.twitterchiver.archiver.dockerImage;
"registry.apps.k8s.lukegb.tech/lukegb-openshiftauth-test/example:latest" = depot.go.openshiftauth.example.dockerImage;
};
crane = "${depot.nix.pkgs.crane}/bin/crane";
decompress = drv: pkgs.runCommandNoCC "docker-image" {} ''
${pkgs.gzip}/bin/gunzip -c ${drv} > $out
'';
pushCommands = lib.mapAttrsToList (name: value: ''
${crane} push ${decompress value} ${name}
'') images;
authCommands = lib.mapAttrsToList (name: value: ''
${crane} auth login ${name} -u "${value.user}" -p "${value.password}"
'') depot.ops.secrets.deployer.dockerRegistryAuth;
in
pkgs.writeShellScript "push-images" ''
${lib.concatStringsSep "\n" authCommands}
${lib.concatStringsSep "\n" pushCommands}
''