cacheroach: Add OIDC user provisioning.

This change allows cacheroach use an OpenID Connect provider to automatically
provision users and removes password-based authentication from cacheroach.
OIDC-derived Principals will use the "offline" authentication flow, allowing
for ongoing revalidation of the upstream user account.

It is still possible to create principals that do not have a backing OIDC
account to use as role accounts for automation.

This change also allows email domains to be used as a means of granting access
to a group of users. This can be seen as an initial step towards #3.

Closes #2.

Dockerfile

@@ -9,14 +9,48 @@ RUN apt-get update && \
     unzip protoc-$PROTOVER-$PROTOARCH.zip -d /usr/
 WORKDIR /tmp/compile
 COPY . .
-RUN go mod download && \
-    go get google.golang.org/protobuf/cmd/protoc-gen-go \
-           google.golang.org/grpc/cmd/protoc-gen-go-grpc && \
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go \
+               google.golang.org/grpc/cmd/protoc-gen-go-grpc && \
     go generate -v tools.go && \
     CGO_ENABLED=0 go build -v -ldflags="-s -w" -o /usr/bin/cacheroach .
 
-FROM scratch
+# Create a single-binary docker image, including a set of core CA
+# certificates so that we can call out to any external APIs.
+FROM scratch AS cacheroach
 WORKDIR /data/
 ENTRYPOINT ["/usr/bin/cacheroach"]
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /usr/bin/cacheroach /usr/bin/
+
+# This is a default configuration for Google Cloud Run. It assumes that
+# you have the secret manager API installed. A named secret should
+# contain a tar.gz file that has files with the @filename values below.
+#
+# The OIDC integration is optional, but if you're already deploying
+# into GCR, you need only to create credentials for an OAuth2 webapp.
+FROM cacheroach AS cloudrun
+# Expect $PORT from Cloud Run environment.
+ENV CACHE_MEMORY="128" \
+    CONNECT="@connect" \
+    GCLOUD_SECRET_NAME="" \
+    HMAC="@hmac" \
+    OIDC_CLIENT_ID="@oidc_client_id" \
+    OIDC_CLIENT_SECRET="@oidc_client_secret" \
+    OIDC_DOMAINS="cockroachlabs.com" \
+    OIDC_ISSUER="https://accounts.google.com"
+ENTRYPOINT [ \
+  "/usr/bin/cacheroach", \
+  "start", \
+  "--assumeSecure", \
+  "--bindAddr", ":$PORT", \
+  "--cacheMemory", "$CACHE_MEMORY", \
+  "--connect", "$CONNECT", \
+  "--oidcClientID", "$OIDC_CLIENT_ID", \
+  "--oidcClientSecret", "$OIDC_CLIENT_SECRET", \
+  "--oidcDomains", "$OIDC_DOMAINS", \
+  "--oidcIssuer", "$OIDC_ISSUER", \
+  "--signingKey", "$HMAC" \
+]
+
+# Set a default target for e.g. DockerHub builds.
+FROM cacheroach

README.md

@@ -34,7 +34,7 @@ cacheroach -v -c root.cfg session delegate --for <PRINCIPAL> --on tenant --id <T
 cacheroach -v file ls -t <TENANT>
 # Set a default tenant id to minimize typing
 cacheroach tenant default <TENANT>
-# Upload the cacheroach binary
+# Upload a file
 echo "Hello World." > hello.txt
 cacheroach -v file put / hello.txt
 # Look at HTTP vhost mapping
@@ -82,8 +82,13 @@ Cacheroach uses a "capability, delegate, target" approach to authorization.
 A [Principal](./api/principal.proto) may have zero or more durable [Sessions](./api/session.proto)
 which grant the principal the permission to perform operations within the system.
 
-These sessions are exposed as signed [JWT tokens](https://jwt.io). Active sessions are maintained in
-a table to facilitate occasional invalidation checks.
+Automatic principal provisioning can be enabled through OIDC integration. Cacheroach will request
+OIDC credentials with an offline scope. Principals are periodically re-validated using the OIDC
+refresh token. A whitelist of email domains is provided as part of cacheroach's configuration to
+limit access to specified users.
+
+Sessions are exposed as signed [JWT tokens](https://jwt.io). Active sessions are maintained in a
+table to facilitate occasional invalidation checks.
 
 The API surface area uses a [declarative model](./api/capabilities.proto) to implement ACL checks in
 a [centralized](./pkg/enforcer) manner. All access checks will have been performed by the time an