authorLuke Granger-Brown <git@lukegb.com>2021-12-21 13:47:13 -0800
committerGitHub <noreply@github.com>2021-12-21 13:47:13 -0800
commitb4d776b26b4f4deb6151b3cd6bb5a804cb8c757b (patch)
tree609cacbe2b8700c5f99d40fe5f015919cbe5abcc /pkgs/servers/http
parentddbdf98a33edb4ff27925e2119171bee06d27b6e (diff)
parent74560e35e5c8ada70bb170be352d8996160f7be3 (diff)
Merge pull request #138359 from lukegb/pomerium
pomerium: 0.14.7 -> 0.15.7
Diffstat (limited to 'pkgs/servers/http')
-rw-r--r--pkgs/servers/http/envoy/default.nix14
-rw-r--r--pkgs/servers/http/pomerium/default.nix67
2 files changed, 43 insertions, 38 deletions
diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix
index d26782560a4..c81d79dbb24 100644
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -17,8 +17,8 @@ let
     # However, the version string is more useful for end-users.
     # These are contained in a attrset of their own to make it obvious that
     # people should update both.
-    version = "1.17.3";
-    commit = "46bf743b97d0d3f01ff437b2f10cc0bd9cdfe6e4";
+    version = "1.19.1";
+    commit = "a2a1e3eed4214a38608ec223859fcfa8fb679b14";
   };
 in
 buildBazelPackage rec {
@@ -28,7 +28,7 @@ buildBazelPackage rec {
     owner = "envoyproxy";
     repo = "envoy";
     rev = srcVer.commit;
-    hash = "sha256:09zzr4h3zjsb2rkxrvlazpx0jy33yn9j65ilxiqbvv0ckaralqfc";
+    hash = "sha256:1v1hv4blrppnhllsxd9d3k2wl6nhd59r4ydljy389na3bb41jwf9";
 
     extraPostFetch = ''
       chmod -R +w $out
@@ -58,7 +58,7 @@ buildBazelPackage rec {
   ];
 
   fetchAttrs = {
-    sha256 = "sha256:1cy2b73x8jzczq9z9c1kl7zrg5iasvsakb50zxn4mswpmajkbj5h";
+    sha256 = "sha256:0vnl0gq6nhvyzz39jg1bvvna0xyhxalg71bp1jbxib7ql026004r";
     dontUseCmakeConfigure = true;
     dontUseGnConfigure = true;
     preInstall = ''
@@ -75,12 +75,6 @@ buildBazelPackage rec {
         $bazelOut/external/local_config_sh/BUILD
       rm -r $bazelOut/external/go_sdk
 
-      # Replace some wheels which are only used for tests with empty files;
-      # they're nondeterministically built and packed.
-      >$bazelOut/external/config_validation_pip3/PyYAML-5.3.1-cp38-cp38-linux_x86_64.whl
-      >$bazelOut/external/protodoc_pip3/PyYAML-5.3.1-cp38-cp38-linux_x86_64.whl
-      >$bazelOut/external/thrift_pip3/thrift-0.13.0-cp38-cp38-linux_x86_64.whl
-
       # Remove Unix timestamps from go cache.
       rm -rf $bazelOut/external/bazel_gazelle_go_repository_cache/{gocache,pkg/mod/cache,pkg/sumdb}
     '';
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 7b28200b284..cbf2fe19435 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -7,19 +7,19 @@
 }:
 
 let
-  inherit (lib) concatStringsSep mapAttrsToList;
+  inherit (lib) concatStringsSep concatMap id mapAttrsToList;
 in
 buildGoModule rec {
   pname = "pomerium";
-  version = "0.14.7";
+  version = "0.15.7";
   src = fetchFromGitHub {
     owner = "pomerium";
     repo = "pomerium";
     rev = "v${version}";
-    hash = "sha256:1jb96jk5qmary4fi1z9zwmppdyskj0qb6qii8s8mwazjjxqj1z2s";
+    hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
   };
 
-  vendorSha256 = "sha256:1daabi9qc9nx8bafn26iw6rv4vx2xpd0nnk06265aqaksx26db0s";
+  vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
   subPackages = [
     "cmd/pomerium"
     "cmd/pomerium-cli"
@@ -28,38 +28,49 @@ buildGoModule rec {
   ldflags = let
     # Set a variety of useful meta variables for stamping the build with.
     setVars = {
-      Version = "v${version}";
-      BuildMeta = "nixpkgs";
-      ProjectName = "pomerium";
-      ProjectURL = "github.com/pomerium/pomerium";
+      "github.com/pomerium/pomerium/internal/version" = {
+        Version = "v${version}";
+        BuildMeta = "nixpkgs";
+        ProjectName = "pomerium";
+        ProjectURL = "github.com/pomerium/pomerium";
+      };
+      "github.com/pomerium/pomerium/internal/envoy" = {
+        OverrideEnvoyPath = "${envoy}/bin/envoy";
+      };
     };
-    varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
+    concatStringsSpace = list: concatStringsSep " " list;
+    mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+    varFlags = concatStringsSpace (
+      mapAttrsToFlatList (package: packageVars:
+        mapAttrsToList (variable: value:
+          "-X ${package}.${variable}=${value}"
+        ) packageVars
+      ) setVars);
   in [
     "${varFlags}"
   ];
 
-  nativeBuildInputs = [
-    zip
-  ];
+  preBuild = ''
+    # Replace embedded envoy with nothing.
+    # We set OverrideEnvoyPath above, so rawBinary should never get looked at
+    # but we still need to set a checksum/version.
+    rm internal/envoy/files/files_{darwin,linux}*.go
+    cat <<EOF >internal/envoy/files/files_generic.go
+    package files
 
-  # Pomerium expects to have envoy append to it in a zip.
-  # We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
-  postBuild = ''
-    # Append Envoy
-    pushd $NIX_BUILD_TOP
-    mkdir -p envoy
-    cd envoy
-    cp ${envoy}/bin/envoy envoy
-    zip -0 envoy.zip envoy
-    popd
+    import _ "embed" // embed
 
-    mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
-    cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
-    zip --adjust-sfx $GOPATH/bin/pomerium
-  '';
+    var rawBinary []byte
 
-  # We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
-  dontStrip = true;
+    //go:embed envoy.sha256
+    var rawChecksum string
+
+    //go:embed envoy.version
+    var rawVersion string
+    EOF
+    sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
+    echo '${envoy.version}' > internal/envoy/files/envoy.version
+  '';
 
   installPhase = ''
     install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
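Review bot: Nothing in this hunk checks at build time that the `-X github.com/pomerium/pomerium/internal/envoy.OverrideEnvoyPath=...` flag took effect, even though the new `preBuild` leaves `rawBinary` empty and so makes that override the only way the binary can locate Envoy. The Go linker does not fail on `-X` for a symbol that does not exist, so if upstream renames or moves the variable in a later bump the package would still build and only misbehave at start-up. I would add a comment beside the `internal/envoy` entry in `setVars`, e.g. `# -X is silently ignored if this variable is renamed upstream; re-check on every bump`, and consider an `installCheckPhase` that fails when the override is not in effect. Separately, `sha256sum` writes the hash followed by the store path into `envoy.sha256`; whether Pomerium reads only the first field is not visible here and is worth confirming, since that file is now the recorded integrity value for the external binary. The `buildGoModule` block starts before this hunk and continues past it.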