diff --git a/.drone.yml b/.drone.yml index 66af7871e2d7b..6f32d59c52446 100644 --- a/.drone.yml +++ b/.drone.yml @@ -573,9 +573,9 @@ steps: commands: - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-linux-arm64.yml -workflow-ref=${DRONE_BRANCH} + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_BRANCH} -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_COMMIT} - -input "upload-artifacts=false" ' + -input "build-connect=false" -input "release-target=release-arm64" ' environment: GHA_APP_KEY: from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY @@ -848,15 +848,12 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7 -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-linux-amd64 trigger: event: include: 
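Review bot: The rewritten `go run ./cmd/gh-trigger-workflow` invocation in the first hunk drops the explicit `upload-artifacts=false` input and, unlike the tag pipelines later in this diff, passes no `release-artifacts` input, so whether this `${DRONE_BRANCH}`/`${DRONE_COMMIT}`-driven build publishes anything now depends on the default declared inside `release-linux.yaml`, which is not visible here. If that default is not `false`, a non-tag build could release arm64 artifacts; stating the intent on the caller side keeps the pipeline self-documenting, e.g. `-input "build-connect=false" -input "release-artifacts=false" -input "release-target=release-arm64" '`. The step's `name` and `image` lie above this hunk, and since `.drone.yml` is generated by dronegen the change belongs in the generator rather than in this file.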
@@ -871,185 +868,50 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-amd64-centos7 - environment: - ARCH: amd64 - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - export VERSION=$(cat /go/.version.txt) - - mv /go/artifacts/teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset 
AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit (RHEL/CentOS 7.x compatible)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=true" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-amd64-centos7" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} 
-- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1057,15 +919,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7-fips -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-linux-amd64-fips trigger: event: include: 
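Review bot: The new `Check out code` commands drop the Makefile-vs-tag guard the removed lines enforced before anything was built (`VERSION=$(egrep ^VERSION Makefile | cut -d= -f2)` compared against `${DRONE_TAG##v}`, `exit 1` on mismatch), and the replacement `Delegate build to GitHub` step hands `oss-teleport-ref=${DRONE_TAG}` to `release-linux.yaml` with `release-artifacts=true`, so unless that workflow repeats the comparison a tag that disagrees with the Makefile version can now reach a release. The same applies to the amd64-fips, 386 and darwin-amd64 pipelines (hunks at `@@ -1080`, `@@ -1288` and `@@ -1503`). Two smaller points: the delegating step pins `golang:1.18-alpine`, older than the `go1.21.4` runtime the removed `environment` block declared, and the Slack template as rendered here ends with `Author: Repo: Branch: Commit:` with nothing after the labels — confirm against `dronegen/gha.go` that the placeholders were not lost. The retained `ssh-keyscan -H github.com > /root/.ssh/known_hosts` line still trusts whatever host key is served at build time; a pinned known_hosts would let the `git submodule update --init e` fetch detect a substituted host. Since the file is generated, the fixes belong in `dronegen/gha.go` (`main.ghaMultiBuildPipeline`).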
@@ -1080,184 +939,50 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - make -C build.assets release-amd64-centos7-fips - environment: - ARCH: amd64 - FIPS: "yes" - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - export VERSION=$(cat /go/.version.txt) - - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: 
AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit (RHEL/CentOS 7.x compatible, FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-amd64-centos7-fips" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: 
dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1265,15 +990,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64 -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-linux-386 trigger: event: include: 
@@ -1288,191 +1010,50 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - make -C build.assets release-amd64-centos7 - - make -C build.assets teleterm - environment: - ARCH: amd64 - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find /go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release - -maxdepth 1 \( -iname "teleport-connect*.tar.gz" -o -iname "teleport-connect*.rpm" - -o -iname "teleport-connect*.deb" \) -print -exec cp {} /go/artifacts/ \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l - - |- - cd /go/artifacts && for FILE in teleport-connect*.deb teleport-connect*.rpm; do - sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-386" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + 
GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1480,15 +1061,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-fips -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-darwin-amd64 trigger: event: include: 
@@ -1503,182 +1081,49 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - make -C build.assets release-amd64-centos7-fips - environment: - ARCH: amd64 - FIPS: "yes" - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: 
amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit (FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-mac.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-packages=true" -input "release-artifacts=true" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY 
+- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1686,12 +1131,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7-rpm +name: build-linux-arm trigger: event: include: 
@@ -1706,261 +1151,121 @@ workspace:
 path: /go
 clone:
 disable: true
-depends_on:
-- build-linux-amd64-centos7
-- clean-up-previous-build
 steps:
 - name: Check out code
 image: docker:git
+ pull: if-not-exists
 commands:
- - mkdir -p /go/src/github.com/gravitational/teleport
- - cd /go/src/github.com/gravitational/teleport
- - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git .
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT}
- - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa
- && chmod 600 /root/.ssh/id_rsa
- - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
- - git submodule update --init e
- - rm -f /root/.ssh/id_rsa
- - mkdir -p /go/cache /go/artifacts
- - |-
- VERSION=$(egrep ^VERSION Makefile | cut -d= -f2)
- if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then
- echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG"
- exit 1
- fi
- echo "$$VERSION" > /go/.version.txt
- environment:
- GITHUB_PRIVATE_KEY:
- from_secret: GITHUB_PRIVATE_KEY
-- name: Wait for docker
- image: docker
- pull: if-not-exists
- commands:
- - timeout 30s /bin/sh -c 'while [ !
-S /var/run/docker.sock ]; do sleep 1; done'
- - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin
- environment:
- DOCKERHUB_PASSWORD:
- from_secret: DOCKERHUB_READONLY_TOKEN
- DOCKERHUB_USERNAME:
- from_secret: DOCKERHUB_USERNAME
- volumes:
- - name: dockersock
- path: /var/run
- - name: dockerconfig
- path: /root/.docker
-- name: Assume Download AWS Role
- image: amazon/aws-cli
- pull: if-not-exists
- commands:
- - aws sts get-caller-identity
- - |-
- printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
- $(aws sts assume-role \
- --role-arn "$AWS_ROLE" \
- --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
- --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
- --output text) \
- > /root/.aws/credentials
- - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
- - aws sts get-caller-identity --profile default
- environment:
- AWS_ACCESS_KEY_ID:
- from_secret: AWS_ACCESS_KEY_ID
- AWS_ROLE:
- from_secret: AWS_ROLE
- AWS_SECRET_ACCESS_KEY:
- from_secret: AWS_SECRET_ACCESS_KEY
- volumes:
- - name: awsconfig
- path: /root/.aws
-- name: Download artifacts from S3
- image: amazon/aws-cli
- commands:
- - export VERSION=$(cat /go/.version.txt)
- - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else
- export S3_PATH="tag/"; fi
- - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-centos7-bin.tar.gz
- /go/artifacts/
- - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz
- /go/artifacts/
+ - mkdir -pv "/go/src/github.com/gravitational/teleport"
+ - cd "/go/src/github.com/gravitational/teleport"
+ - git init
+ - git remote add origin ${DRONE_REMOTE_URL}
+ - git fetch origin --tags
+ - git checkout -qf "${DRONE_COMMIT_SHA}"
+ - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+ chmod 600
/root/.ssh/id_rsa
+ - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+ - git submodule update --init e
+ - mkdir -pv /go/cache
+ - rm -f /root/.ssh/id_rsa
 environment:
- AWS_REGION: us-west-2
- AWS_S3_BUCKET:
- from_secret: AWS_S3_BUCKET
- volumes:
- - name: awsconfig
- path: /root/.aws
-- name: Assume Build AWS Role
- image: amazon/aws-cli
+ GITHUB_PRIVATE_KEY:
+ from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+ image: golang:1.18-alpine
 pull: if-not-exists
 commands:
- - aws sts get-caller-identity
- - |-
- printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
- $(aws sts assume-role \
- --role-arn "$AWS_ROLE" \
- --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
- --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
- --output text) \
- > /root/.aws/credentials
- - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
- - aws sts get-caller-identity --profile default
+ - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+ - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+ -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG}
+ -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input
+ "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true"
+ -input "release-target=release-arm" '
 environment:
- AWS_ACCESS_KEY_ID:
- from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY
- AWS_ROLE:
- from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE
- AWS_SECRET_ACCESS_KEY:
- from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET
- volumes:
- - name: awsconfig
- path: /root/.aws
-- name: Build artifacts
- image: docker
- commands:
- - apk add --no-cache bash curl gzip make tar go
- - apk add --no-cache aws-cli
- - cd /go/src/github.com/gravitational/teleport
- - export VERSION=$(cat /go/.version.txt)
- -
aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin
- public.ecr.aws
- - mkdir -m0700 $GNUPG_DIR
- - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR
- - chown -R root:root $GNUPG_DIR
- - make rpm
- - rm -rf $GNUPG_DIR
- environment:
- ARCH: amd64
- ENT_TARBALL_PATH: /go/artifacts
- GNUPG_DIR: /tmpfs/gnupg
- GPG_RPM_SIGNING_ARCHIVE:
- from_secret: GPG_RPM_SIGNING_ARCHIVE
- OSS_TARBALL_PATH: /go/artifacts
- TMPDIR: /go
- volumes:
- - name: dockersock
- path: /var/run
- - name: dockerconfig
- path: /root/.docker
- - name: awsconfig
- path: /root/.aws
- - name: tmpfs
- path: /tmpfs
-- name: Copy artifacts
- image: docker
- commands:
- - cd /go/src/github.com/gravitational/teleport
- - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts
- \;
- - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts
- \;
-- name: Assume Upload AWS Role
- image: amazon/aws-cli
+ GHA_APP_KEY:
+ from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+- name: Send Slack notification
+ image: plugins/slack:1.4.1
+ settings:
+ template: |-
+ *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}>
+ Author: Repo: Branch: Commit:
+ webhook:
+ from_secret: SLACK_WEBHOOK_DEV_TELEPORT
+ when:
+ status:
+ - failure
+image_pull_secrets:
+- DOCKERHUB_CREDENTIALS
+
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
+################################################
+
+kind: pipeline
+type: kubernetes
+name: build-linux-arm64
+trigger:
+ event:
+ include:
+ - tag
+ ref:
+ include:
+ - refs/tags/v*
+ repo:
+ include:
+ - gravitational/*
+workspace:
+ path: /go
+clone:
+ disable: true
+steps:
+- name: Check out code
+ image: docker:git
 pull: if-not-exists
 commands:
- - aws sts get-caller-identity
- - |-
- printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
- $(aws sts assume-role \
- --role-arn "$AWS_ROLE" \
- --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
- --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
- --output text) \
- > /root/.aws/credentials
- - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
- - aws sts get-caller-identity --profile default
+ - mkdir -pv "/go/src/github.com/gravitational/teleport"
+ - cd "/go/src/github.com/gravitational/teleport"
+ - git init
+ - git remote add origin ${DRONE_REMOTE_URL}
+ - git fetch origin --tags
+ - git checkout -qf "${DRONE_COMMIT_SHA}"
+ - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+ chmod 600 /root/.ssh/id_rsa
+ - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+ - git submodule update --init e
+ - mkdir -pv /go/cache
+ - rm -f /root/.ssh/id_rsa
 environment:
- AWS_ACCESS_KEY_ID:
- from_secret: AWS_ACCESS_KEY_ID
- AWS_ROLE:
- from_secret: AWS_ROLE
- AWS_SECRET_ACCESS_KEY:
- from_secret: AWS_SECRET_ACCESS_KEY
- volumes:
- - name: awsconfig
- path: /root/.aws
-- name: Upload to S3
- image: amazon/aws-cli
+ GITHUB_PRIVATE_KEY:
+ from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+ image: golang:1.18-alpine
 pull: if-not-exists
 commands:
- - cd /go/artifacts/
- - aws s3 sync .
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}
- environment:
- AWS_REGION: us-west-2
- AWS_S3_BUCKET:
- from_secret: AWS_S3_BUCKET
- volumes:
- - name: awsconfig
- path: /root/.aws
-- name: Register artifacts
- image: docker
- commands:
- - WORKSPACE_DIR=$${WORKSPACE_DIR:-/}
- - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt")
- - RELEASES_HOST='https://releases-prod.platform.teleport.sh'
- - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt"
- - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key"
- - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT
- - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key"
- - which curl || apk add --no-cache curl
- - |-
- cd "$WORKSPACE_DIR/go/artifacts"
- find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do
- # Skip files that are not results of this build
- # (e.g. tarballs from which OS packages are made)
- [ -f "$file.sha256" ] || continue
-
- name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z
- description="Linux 64-bit RPM (RHEL/CentOS 7.x compatible)"
- products="$name"
- if [ "$name" = "tsh" ]; then
- products="teleport teleport-ent"
- elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then
- description="Teleport Connect"
- products="teleport teleport-ent"
- fi
- shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)"
-
- release_params="" # List of "-F releaseId=XXX" parameters to curl
-
- for product in $products; do
- status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases")
- if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then
- echo "curl HTTP status: $status_code"
- cat $WORKSPACE_DIR/curl_out.txt
- exit 1
- fi
-
- release_params="$release_params -F releaseId=$product@$VERSION"
- done
-
- curl
$CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets";
- done
+ - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+ - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+ -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG}
+ -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input
+ "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true"
+ -input "release-target=release-arm64" '
 environment:
- RELEASES_CERT:
- from_secret: RELEASES_CERT
- RELEASES_KEY:
- from_secret: RELEASES_KEY
-services:
-- name: Start Docker
- image: docker:dind
- privileged: true
- volumes:
- - name: tmpfs
- path: /tmpfs
- - name: dockersock
- path: /var/run
-volumes:
-- name: awsconfig
- temp: {}
-- name: dockersock
- temp: {}
-- name: dockerconfig
- temp: {}
-- name: tmpfs
- temp:
- medium: memory
+ GHA_APP_KEY:
+ from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+- name: Send Slack notification
+ image: plugins/slack:1.4.1
+ settings:
+ template: |-
+ *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}>
+ Author: Repo: Branch: Commit:
+ webhook:
+ from_secret: SLACK_WEBHOOK_DEV_TELEPORT
+ when:
+ status:
+ - failure
 image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
@@ -1968,12 +1273,12 @@ image_pull_secrets:
 ################################################
 # Generated using dronegen, do not edit by hand!
 # Use 'make dronegen' to update.
-# Generated at dronegen/tag.go (main.tagPackagePipeline)
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
 ################################################
 kind: pipeline
 type: kubernetes
-name: build-linux-amd64-centos7-fips-rpm
+name: tag-build-windows-amd64
 trigger:
 event:
 include:
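Review bot: The rebuilt "Check out code" step in this hunk trusts whatever host key `ssh-keyscan -H github.com > /root/.ssh/known_hosts` returns at build time, immediately before `git submodule update --init e` uses GITHUB_PRIVATE_KEY over SSH, so the known_hosts file is only as trustworthy as the network path at that moment; the same trust-on-first-use line is repeated in the build-linux-arm64 pipeline later in this hunk and in the tag-build-windows-amd64, build-legacy-amis and build-oci pipelines of the next hunk. Writing GitHub's published host-key entries into known_hosts (or shipping them in the docker:git image) instead of scanning would remove that window; since this file is generated, the change belongs in the step template in dronegen/gha.go rather than here. The keyscan line itself was carried over from the previous step body, so this is pre-existing rather than introduced by the commit, and the new `git checkout -qf "${DRONE_COMMIT_SHA}"` pinning is an improvement over the old tag-or-commit checkout. The pipeline header for build-linux-arm sits in the preceding hunk.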
@@ -1988,35 +1293,213 @@ workspace:
 path: /go
 clone:
 disable: true
-depends_on:
-- build-linux-amd64-centos7-fips
-- clean-up-previous-build
 steps:
 - name: Check out code
 image: docker:git
+ pull: if-not-exists
 commands:
- - mkdir -p /go/src/github.com/gravitational/teleport
- - cd /go/src/github.com/gravitational/teleport
- - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git .
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT}
- - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa
- && chmod 600 /root/.ssh/id_rsa
+ - mkdir -pv "/go/src/github.com/gravitational/teleport"
+ - cd "/go/src/github.com/gravitational/teleport"
+ - git init
+ - git remote add origin ${DRONE_REMOTE_URL}
+ - git fetch origin --tags
+ - git checkout -qf "${DRONE_COMMIT_SHA}"
+ - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+ chmod 600 /root/.ssh/id_rsa
 - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
 - git submodule update --init e
+ - mkdir -pv /go/cache
 - rm -f /root/.ssh/id_rsa
- - mkdir -p /go/cache /go/artifacts
- - |-
- VERSION=$(egrep ^VERSION Makefile | cut -d= -f2)
- if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then
- echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG"
- exit 1
- fi
- echo "$$VERSION" > /go/.version.txt
 environment:
 GITHUB_PRIVATE_KEY:
 from_secret: GITHUB_PRIVATE_KEY
-- name: Wait for docker
- image: docker
+- name: Delegate build to GitHub
+ image: golang:1.18-alpine
+ pull: if-not-exists
+ commands:
+ - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+ - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+ -tag-workflow -timeout 30m0s -workflow release-windows.yaml -workflow-ref=${DRONE_TAG}
+ -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} '
+ environment:
+ GHA_APP_KEY:
+ from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+- name: Send Slack notification
+ image: plugins/slack:1.4.1
+ settings:
+ template: |-
+ *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}>
+ Author: Repo: Branch: Commit:
+ webhook:
+ from_secret: SLACK_WEBHOOK_DEV_TELEPORT
+ when:
+ status:
+ - failure
+image_pull_secrets:
+- DOCKERHUB_CREDENTIALS
+
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
+################################################
+
+kind: pipeline
+type: kubernetes
+name: build-legacy-amis
+trigger:
+ event:
+ include:
+ - tag
+ ref:
+ include:
+ - refs/tags/v*
+ repo:
+ include:
+ - gravitational/*
+workspace:
+ path: /go
+clone:
+ disable: true
+depends_on:
+- build-linux-amd64
+- build-linux-amd64-fips
+steps:
+- name: Check out code
+ image: docker:git
+ pull: if-not-exists
+ commands:
+ - mkdir -pv "/go/src/github.com/gravitational/teleport"
+ - cd "/go/src/github.com/gravitational/teleport"
+ - git init
+ - git remote add origin ${DRONE_REMOTE_URL}
+ - git fetch origin --tags
+ - git checkout -qf "${DRONE_COMMIT_SHA}"
+ - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+ chmod 600 /root/.ssh/id_rsa
+ - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+ - git submodule update --init e
+ - mkdir -pv /go/cache
+ - rm -f /root/.ssh/id_rsa
+ environment:
+ GITHUB_PRIVATE_KEY:
+ from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+ image: golang:1.18-alpine
+ pull: if-not-exists
+ commands:
+ - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+ - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+ -tag-workflow -timeout 2h30m0s -workflow release-teleport-legacy-amis.yaml -workflow-ref=${DRONE_TAG}
+ -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} '
+
environment:
+ GHA_APP_KEY:
+ from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+image_pull_secrets:
+- DOCKERHUB_CREDENTIALS
+
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
+################################################
+
+kind: pipeline
+type: kubernetes
+name: build-oci
+trigger:
+ event:
+ include:
+ - tag
+ ref:
+ include:
+ - refs/tags/v*
+ repo:
+ include:
+ - gravitational/*
+workspace:
+ path: /go
+clone:
+ disable: true
+depends_on:
+- build-linux-amd64
+- build-linux-amd64-fips
+- build-linux-arm64
+- build-linux-arm
+steps:
+- name: Check out code
+ image: docker:git
+ pull: if-not-exists
+ commands:
+ - mkdir -pv "/go/src/github.com/gravitational/teleport"
+ - cd "/go/src/github.com/gravitational/teleport"
+ - git init
+ - git remote add origin ${DRONE_REMOTE_URL}
+ - git fetch origin --tags
+ - git checkout -qf "${DRONE_COMMIT_SHA}"
+ - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+ chmod 600 /root/.ssh/id_rsa
+ - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+ - git submodule update --init e
+ - mkdir -pv /go/cache
+ - rm -f /root/.ssh/id_rsa
+ environment:
+ GITHUB_PRIVATE_KEY:
+ from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+ image: golang:1.18-alpine
+ pull: if-not-exists
+ commands:
+ - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+ - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+ -tag-workflow -timeout 2h30m0s -workflow release-teleport-oci.yaml -workflow-ref=${DRONE_TAG}
+ -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} '
+ environment:
+ GHA_APP_KEY:
+ from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+image_pull_secrets:
+- DOCKERHUB_CREDENTIALS
+
+---
+################################################
+#
Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/buildbox.go (main.buildboxPipeline)
+################################################
+
+kind: pipeline
+type: kubernetes
+name: build-buildboxes
+environment:
+ BUILDBOX_VERSION: teleport15
+ GID: "1000"
+ UID: "1000"
+trigger:
+ event:
+ include:
+ - push
+ repo:
+ include:
+ - gravitational/teleport
+ branch:
+ include:
+ - master
+ - branch/*
+workspace:
+ path: /go/src/github.com/gravitational/teleport
+clone:
+ disable: true
+steps:
+- name: Check out code
+ image: docker:git
+ commands:
+ - git clone --depth 1 --single-branch --branch ${DRONE_SOURCE_BRANCH:-master} https://github.com/gravitational/${DRONE_REPO_NAME}.git
+ .
+ - git checkout ${DRONE_COMMIT}
+- name: Wait for docker
+ image: docker
 pull: if-not-exists
 commands:
 - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'
@@ -2031,13 +1514,13 @@ steps:
 path: /var/run
 - name: dockerconfig
 path: /root/.docker
-- name: Assume Download AWS Role
+- name: Configure Staging AWS Profile
 image: amazon/aws-cli
 pull: if-not-exists
 commands:
 - aws sts get-caller-identity
 - |-
- printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
+ printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
 $(aws sts assume-role \
 --role-arn "$AWS_ROLE" \
 --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
@@ -2045,189 +1528,138 @@ steps:
 --output text) \
 > /root/.aws/credentials
 - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
- - aws sts get-caller-identity --profile default
+ - aws sts get-caller-identity --profile staging
 environment:
 AWS_ACCESS_KEY_ID:
- from_secret: AWS_ACCESS_KEY_ID
+ from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY
 AWS_ROLE:
- from_secret: AWS_ROLE
+ from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE
 AWS_SECRET_ACCESS_KEY:
- from_secret: AWS_SECRET_ACCESS_KEY
- volumes:
- - name: awsconfig
- path: /root/.aws
-- name: Download artifacts from S3
- image: amazon/aws-cli
- commands:
- - export VERSION=$(cat /go/.version.txt)
- - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else
- export S3_PATH="tag/"; fi
- - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz
- /go/artifacts/
- environment:
- AWS_REGION: us-west-2
- AWS_S3_BUCKET:
- from_secret: AWS_S3_BUCKET
+ from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET
 volumes:
 - name: awsconfig
 path: /root/.aws
-- name: Assume Build AWS Role
+- name: Configure Production AWS Profile
 image: amazon/aws-cli
 pull: if-not-exists
 commands:
 - aws sts get-caller-identity
 - |-
- printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
+ printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
 $(aws sts assume-role \
 --role-arn "$AWS_ROLE" \
 --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
 --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
 --output text) \
- > /root/.aws/credentials
+ >> /root/.aws/credentials
 - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
- - aws sts get-caller-identity --profile default
+ - aws sts get-caller-identity --profile production
 environment:
 AWS_ACCESS_KEY_ID:
- from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY
+ from_secret:
PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY
 AWS_ROLE:
- from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE
+ from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE
 AWS_SECRET_ACCESS_KEY:
- from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET
+ from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET
 volumes:
 - name: awsconfig
 path: /root/.aws
-- name: Build artifacts
+- name: Build and push buildbox
 image: docker
+ pull: if-not-exists
 commands:
- - apk add --no-cache bash curl gzip make tar go
- - apk add --no-cache aws-cli
- - cd /go/src/github.com/gravitational/teleport
- - export VERSION=$(cat /go/.version.txt)
- - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin
- public.ecr.aws
- - mkdir -m0700 $GNUPG_DIR
- - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR
- - chown -R root:root $GNUPG_DIR
- - make -C e rpm
- - rm -rf $GNUPG_DIR
- environment:
- ARCH: amd64
- ENT_TARBALL_PATH: /go/artifacts
- FIPS: "yes"
- GNUPG_DIR: /tmpfs/gnupg
- GPG_RPM_SIGNING_ARCHIVE:
- from_secret: GPG_RPM_SIGNING_ARCHIVE
- RUNTIME: fips
- TMPDIR: /go
+ - apk add --no-cache make aws-cli
+ - chown -R $UID:$GID /go
+ - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
+ -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - make -C build.assets buildbox
+ - docker tag public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
+ login -u="AWS" --password-stdin public.ecr.aws
+ - docker push public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION
 volumes:
+ - name: awsconfig
+ path: /root/.aws
 - name: dockersock
 path: /var/run
 - name: dockerconfig
 path: /root/.docker
- - name: awsconfig
- path: /root/.aws
- - name: tmpfs
- path: /tmpfs
-- name: Copy artifacts
+- name: Build and push buildbox-arm
 image: docker
- commands:
- - cd /go/src/github.com/gravitational/teleport
- - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts
- \;
-- name: Assume Upload AWS Role
- image: amazon/aws-cli
 pull: if-not-exists
 commands:
- - aws sts get-caller-identity
- - |-
- printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \
- $(aws sts assume-role \
- --role-arn "$AWS_ROLE" \
- --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
- --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
- --output text) \
- > /root/.aws/credentials
- - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
- - aws sts get-caller-identity --profile default
- environment:
- AWS_ACCESS_KEY_ID:
- from_secret: AWS_ACCESS_KEY_ID
- AWS_ROLE:
- from_secret: AWS_ROLE
- AWS_SECRET_ACCESS_KEY:
- from_secret: AWS_SECRET_ACCESS_KEY
+ - apk add --no-cache make aws-cli
+ - chown -R $UID:$GID /go
+ - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
+ -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - make -C build.assets buildbox-arm
+ - docker tag public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION
+ 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
+ login -u="AWS" --password-stdin public.ecr.aws
+ - docker push
public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION
 volumes:
 - name: awsconfig
 path: /root/.aws
-- name: Upload to S3
- image: amazon/aws-cli
+ - name: dockersock
+ path: /var/run
+ - name: dockerconfig
+ path: /root/.docker
+- name: Build and push buildbox-centos7
+ image: docker
 pull: if-not-exists
 commands:
- - cd /go/artifacts/
- - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}
- environment:
- AWS_REGION: us-west-2
- AWS_S3_BUCKET:
- from_secret: AWS_S3_BUCKET
+ - apk add --no-cache make aws-cli
+ - chown -R $UID:$GID /go
+ - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
+ -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - make -C build.assets buildbox-centos7
+ - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION
+ 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
+ login -u="AWS" --password-stdin public.ecr.aws
+ - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION
 volumes:
 - name: awsconfig
 path: /root/.aws
-- name: Register artifacts
+ - name: dockersock
+ path: /var/run
+ - name: dockerconfig
+ path: /root/.docker
+- name: Build and push buildbox-centos7-fips
 image: docker
+ pull: if-not-exists
 commands:
- - WORKSPACE_DIR=$${WORKSPACE_DIR:-/}
- - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt")
- - RELEASES_HOST='https://releases-prod.platform.teleport.sh'
- - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt"
- - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key"
- - trap "rm -f '$WORKSPACE_DIR/releases.crt'
'$WORKSPACE_DIR/releases.key'" EXIT
- - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key"
- - which curl || apk add --no-cache curl
- - |-
- cd "$WORKSPACE_DIR/go/artifacts"
- find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do
- # Skip files that are not results of this build
- # (e.g. tarballs from which OS packages are made)
- [ -f "$file.sha256" ] || continue
-
- name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z
- description="Linux 64-bit RPM (RHEL/CentOS 7.x compatible, FedRAMP/FIPS)"
- products="$name"
- if [ "$name" = "tsh" ]; then
- products="teleport teleport-ent"
- elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then
- description="Teleport Connect"
- products="teleport teleport-ent"
- fi
- shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)"
-
- release_params="" # List of "-F releaseId=XXX" parameters to curl
-
- for product in $products; do
- status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases")
- if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then
- echo "curl HTTP status: $status_code"
- cat $WORKSPACE_DIR/curl_out.txt
- exit 1
- fi
-
- release_params="$release_params -F releaseId=$product@$VERSION"
- done
-
- curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets";
- done
- environment:
- RELEASES_CERT:
- from_secret: RELEASES_CERT
- RELEASES_KEY:
- from_secret: RELEASES_KEY
+ - apk add --no-cache make aws-cli
+ - chown -R $UID:$GID /go
+ - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
+ -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - make -C build.assets buildbox-centos7-fips
+ - docker tag
public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION
+ 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
+ - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
+ - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
+ login -u="AWS" --password-stdin public.ecr.aws
+ - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION
+ volumes:
+ - name: awsconfig
+ path: /root/.aws
+ - name: dockersock
+ path: /var/run
+ - name: dockerconfig
+ path: /root/.docker
 services:
 - name: Start Docker
 image: docker:dind
 privileged: true
 volumes:
- - name: tmpfs
- path: /tmpfs
 - name: dockersock
 path: /var/run
 volumes:
@@ -2237,9 +1669,6 @@ volumes:
 temp: {}
 - name: dockerconfig
 temp: {}
-- name: tmpfs
- temp:
- medium: memory
 image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
@@ -2247,19 +1676,19 @@ image_pull_secrets:
 ################################################
 # Generated using dronegen, do not edit by hand!
 # Use 'make dronegen' to update.
-# Generated at dronegen/tag.go (main.tagPackagePipeline)
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
 ################################################
 kind: pipeline
 type: kubernetes
-name: build-linux-amd64-deb
+name: publish-os-package-repos
 trigger:
 event:
 include:
- - tag
- ref:
+ - promote
+ target:
 include:
- - refs/tags/v*
+ - production
 repo:
 include:
 - gravitational/*
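Review bot: Each "Build and push …" step in this hunk runs `docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com` after the staging push but never logs out of public.ecr.aws after the production push, so the production registry token written by `docker login` stays in /root/.docker/config.json on the shared dockerconfig volume for the rest of the pipeline; adding `- docker logout public.ecr.aws` as the last command of each of the four steps closes that gap. Relatedly, "Configure Production AWS Profile" appends with `>> /root/.aws/credentials` and nothing later truncates or removes the file, so both assumed-role credential sets persist on the awsconfig volume until the pipeline ends, where the old flow at least confined its signing material to a memory-backed tmpfs volume that this commit removes (both fixes belong in dronegen/buildbox.go, since this file is generated). On the supply-chain side, the staging push carries an immutable `$BUILDBOX_VERSION-$DRONE_COMMIT_SHA` tag but the public push only the mutable `$BUILDBOX_VERSION` tag, and the build-buildboxes pipeline fires on every push to master and branch/*; if release builds pull the buildbox by that tag rather than by digest, whichever branch pushed last defines the release build environment, which pushing the SHA-suffixed tag to public ECR as well (or digest pinning in the consumers) would make auditable. The step and volume definitions end within this hunk; the pipeline header is in an earlier hunk.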
@@ -2267,738 +1696,481 @@ workspace: path: /go clone: disable: true -depends_on: -- build-linux-amd64 -- clean-up-previous-build steps: - name: Check out code image: docker:git + pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker +- name: Determine if release should go to development or production + image: golang:1.18-alpine + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - mkdir -pv "/go/vars" + - (CGO_ENABLED=0 go run ./cmd/check -tag ${DRONE_TAG} -check prerelease && echo + "promote" || echo "build") > "/go/vars/release-environment.txt" + depends_on: + - Check out code +- name: Publish Teleport to stable/${DRONE_TAG} apt repo + image: golang:1.18-alpine pull: if-not-exists commands: - - timeout 30s /bin/sh -c 'while [ ! 
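Review bot: The new `publish-os-package-repos` trigger in this hunk replaces the `tag` event and its `ref: refs/tags/v*` filter with `event: promote` / `target: production`, so any build that is promoted to `production` — including a branch build with no tag — now matches a pipeline that publishes to the production apt/yum repos. Every step of this pipeline (in the next hunk) keys off `${DRONE_TAG}`, and unlike the hand-written `promote-build` pipeline later in the diff there is no visible step that verifies the commit is tagged, so an untagged promote would invoke the deploy workflows with an empty `artifact-tag`. As far as I know Drone applies `ref` filters to promote events as well, so keeping the filter under the new event, `ref:` / `include:` / `- refs/tags/v*`, would close the gap; alternatively add the same "Check if commit is tagged" step that `promote-build` gets. Since this block is marked as generated by dronegen, the change belongs in `dronegen/gha.go` rather than in this file.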
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=apt" -input "version-channel=${DRONE_TAG}" ' environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Determine if release should go to development or production +- name: Wait - Publish Teleport to stable/${DRONE_TAG} yum repo + image: alpine:latest + commands: + - sleep 10 + depends_on: + - Determine if release should go to development or production +- name: Publish Teleport to stable/${DRONE_TAG} yum repo + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow 
-owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=${DRONE_TAG}" ' environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish Teleport to stable/${DRONE_TAG} yum repo +- name: Wait - Publish teleport-ent-updater to stable/cloud apt repo + image: alpine:latest commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli + - sleep 20 + depends_on: + - Determine if release should go to development or production +- name: Publish teleport-ent-updater to stable/cloud apt repo + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed 
"s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" + -input "release-channel=stable" -input "repo-type=apt" -input "version-channel=cloud" ' environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish teleport-ent-updater to stable/cloud apt repo +- name: Wait - Publish teleport-ent-updater to stable/cloud yum repo + image: alpine:latest commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb + - sleep 30 + depends_on: + - Determine if release should go to development or production +- name: Publish teleport-ent-updater to stable/cloud yum repo + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow 
-series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" + -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=cloud" ' environment: - ARCH: amd64 - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws -- name: Copy artifacts - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish teleport-ent-updater to stable/cloud yum repo +- name: Wait - Publish Teleport to stable/rolling apt repo + image: alpine:latest commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli + - sleep 40 + depends_on: + - Determine if release should go to development or production +- name: Publish Teleport to stable/rolling apt repo + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner 
${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=apt" -input "version-channel=rolling" ' environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish Teleport to stable/rolling apt repo +- name: Wait - Publish Teleport to stable/rolling yum repo + image: alpine:latest commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker + - sleep 50 + depends_on: + - Determine if release should go to development or production +- name: Publish Teleport to stable/rolling yum repo + image: golang:1.18-alpine + pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! 
-iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=rolling" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind 
- privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish Teleport to stable/rolling yum repo image_pull_secrets: - DOCKERHUB_CREDENTIALS --- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - kind: pipeline type: kubernetes -name: build-linux-amd64-fips-deb +name: promote-build + trigger: event: - include: - - tag - ref: - include: - - refs/tags/v* + - promote + target: + - production repo: include: - - gravitational/* + - gravitational/* + workspace: path: /go + clone: disable: true -depends_on: -- build-linux-amd64-fips -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make -C e deb - environment: - ARCH: amd64 - ENT_TARBALL_PATH: /go/artifacts - FIPS: "yes" - RUNTIME: fips - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - 
AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit DEB (FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done +steps: + - name: Check if commit is tagged + image: alpine + commands: + - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' 
&& exit 1)" - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS + - name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPipeline) -################################################ + - name: Download artifacts from S3 + image: amazon/aws-cli + commands: + - mkdir -p /go/artifacts + - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws -kind: pipeline -type: kubernetes -name: build-linux-386 -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-386 - environment: - ARCH: "386" - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 
- image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - pull: if-not-exists - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue + - name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 32-bit" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" + # Uploads to Houston + - name: Upload artifacts to production S3 + image: amazon/aws-cli + environment: + AWS_REGION: us-east-1 + AWS_S3_BUCKET: + from_secret: PRODUCTION_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/artifacts/ + - aws s3 sync --acl public-read . 
s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - release_params="" # List of "-F releaseId=XXX" parameters to curl + - name: Check out code + image: docker:git + commands: + - | + mkdir -p /go/src/github.com/gravitational/teleport + cd /go/src/github.com/gravitational/teleport + git init && git remote add origin ${DRONE_REMOTE_URL} + git fetch origin +refs/tags/${DRONE_TAG}: + git checkout -qf FETCH_HEAD - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi + - name: Assume AMI Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws - release_params="$release_params -F releaseId=$product@$VERSION" - done + - name: Download AMI timestamps + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build + - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ 
/go/src/github.com/gravitational/teleport/assets/aws/files/build - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="386" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS + - name: Assume AMI Publish AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Make AMIs public + image: docker + volumes: + - name: awsconfig + path: /root/.aws + commands: + - apk add --no-cache aws-cli bash jq make + - cd /go/src/github.com/gravitational/teleport/assets/aws + - | + make change-amis-to-public-oss + make change-amis-to-public-ent + make change-amis-to-public-ent-fips + + - name: "Helm: Assume Download AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws 
sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + # Download all previously packaged charts. This is needed to rebuild the + # index and re-publish the repository. + - name: "Helm: Download chart repository" + image: amazon/aws-cli + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - mkdir -p /go/chart + - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart + + - name: "Helm: Package chart repository" + image: alpine/helm:latest + commands: + - cd /go/chart + - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-cluster + - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-kube-agent + # copy index.html to root of the S3 bucket. 
+ - cp /go/src/github.com/gravitational/teleport/examples/chart/index.html /go/chart + # this will index all previous versions of the charts downloaded from the S3 bucket, + # plus the just-packaged charts listed above + - helm repo index /go/chart + - ls /go/chart + + - name: "Helm: Assume Upload AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: "Helm: Publish chart repository to S3" + image: amazon/aws-cli + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/chart/ + - aws s3 sync . 
s3://$AWS_S3_BUCKET/ +services: + - name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run + - name: tmpfs + path: /tmpfs + +volumes: + - name: awsconfig + temp: {} + - name: dockersock + temp: {} + - name: tmpfs + temp: + medium: memory + # these persistent volumes cache RPMs/DEBs near Drone so that we don't need to download the + # entire repo contents from S3 every time to build the repo, we just sync any differences + - name: rpmrepo + claim: + name: drone-s3-rpmrepo-pvc + - name: debrepo + claim: + name: drone-s3-debrepo-pvc --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-386-rpm +name: promote-teleport-oci-distroless-images trigger: event: include: - - tag - ref: + - promote + target: include: - - refs/tags/v* + - production + - promote-distroless repo: include: - gravitational/* 
@@ -3006,4513 +2178,156 @@ workspace: path: /go clone: disable: true -depends_on: -- build-linux-386 -- clean-up-previous-build steps: - name: Check out code image: docker:git + pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: "386" - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = 
%s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 32-bit RPM" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="386" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -- name: tmpfs - temp: - medium: memory -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-386-deb -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-386 -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb - environment: - ARCH: "386" - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - 
- unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 32-bit DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="386" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-darwin-amd64 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-mac.yaml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input - "build-packages=true" -input "release-artifacts=true" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -- name: Send Slack notification - image: plugins/slack:1.4.1 - settings: - template: |- - *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> - Author: Repo: Branch: Commit: - webhook: - from_secret: SLACK_WEBHOOK_DEV_TELEPORT - when: - status: - - failure -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ 
-# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-arm - environment: - ARCH: arm - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - 
image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - pull: if-not-exists - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm64 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-linux-arm64.yml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input - "upload-artifacts=true" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm64-deb -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: - - build-linux-arm64 - - clean-up-previous-build -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - - name: Wait for docker - image: docker - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - volumes: - - name: dockersock - path: /var/run - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Assume Build AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY 
- - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws - - name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb - environment: - ARCH: arm64 - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - - name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - name: Assume Upload AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Upload to S3 - image: amazon/aws-cli - 
commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARM64/ARMv8 (64-bit) DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F 
releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm-deb -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-arm -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: 
amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb - environment: - ARCH: arm - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: 
/root/.aws -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit) DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o 
/dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm64-rpm -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: - - build-linux-arm64 - - clean-up-previous-build -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - - name: Wait for docker - image: docker - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - volumes: - - name: dockersock - path: /var/run - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - - aws s3 
cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Assume Build AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws - - name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: arm64 - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs - - name: Copy artifacts - image: docker - commands: - - cd 
/go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - name: Assume Upload AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Upload to S3 - image: amazon/aws-cli - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! 
-iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARM64/ARMv8 (64-bit) RPM" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - - name: tmpfs - temp: - medium: memory - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm-rpm -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-arm -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: arm - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = 
%s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit) RPM" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -- name: tmpfs - temp: - medium: memory -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: tag-build-windows-amd64 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 30m0s -workflow release-windows.yaml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -- name: Send Slack notification - image: plugins/slack:1.4.1 - settings: - template: |- - *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> - Author: Repo: Branch: Commit: - webhook: - from_secret: SLACK_WEBHOOK_DEV_TELEPORT - when: - status: - - failure -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -kind: pipeline -type: kubernetes -name: build-oss-amis - -trigger: - event: - - tag - ref: - include: - 
- refs/tags/v* - repo: - include: - - gravitational/* - -depends_on: - - build-linux-amd64 - -workspace: - path: /go - -clone: - disable: true - -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - # set version - - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download built tarball artifacts from S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - - name: Assume Packer AWS Role - image: 
amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_PACKER_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_PACKER_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_PACKER_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Build OSS AMIs - image: hashicorp/packer:1.9.4 - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - commands: - - apk add --no-cache aws-cli jq make - - packer plugins install github.com/hashicorp/amazon - - cd /go/src/github.com/gravitational/teleport/assets/aws - - export TELEPORT_VERSION=$(cat /go/.version.txt) - - export PUBLIC_AMI_NAME=gravitational-teleport-ami-oss-$TELEPORT_VERSION - - | - if [ "${DRONE_BUILD_EVENT}" = "tag" ]; then - echo "---> Building production OSS AMIs" - echo "---> Note: these AMIs will not be made public until the 'promote' step is run" - make oss-ci-build - else - echo "---> Building debug OSS AMIs" - make oss - fi - - - name: Assume S3 Timestamp Sync AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID 
AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Sync OSS build timestamp to S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/oss_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ - -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - ---- -kind: pipeline -type: kubernetes -name: build-ent-amis - -trigger: - event: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* - -depends_on: - - build-linux-amd64 - - build-linux-amd64-fips - -workspace: - path: /go - -clone: - disable: true - -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - # set version - - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download built tarball artifacts from S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - - name: Assume Packer AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - 
--role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_PACKER_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_PACKER_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_PACKER_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Build Enterprise AMIs - image: hashicorp/packer:1.9.4 - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - commands: - - apk add --no-cache aws-cli jq make - - packer plugins install github.com/hashicorp/amazon - - cd /go/src/github.com/gravitational/teleport/assets/aws - - export TELEPORT_VERSION=$(cat /go/.version.txt) - - export PUBLIC_AMI_NAME=gravitational-teleport-ami-ent-$TELEPORT_VERSION - - export FIPS_AMI_NAME=gravitational-teleport-ami-ent-$TELEPORT_VERSION-fips - - | - if [ "${DRONE_BUILD_EVENT}" = "tag" ]; then - echo "---> Building production Enterprise AMIs" - echo "---> Note: these AMIs will not be made public until the 'promote' step is run" - make ent-ci-build - else - echo "---> Building debug Enterprise AMIs" - make ent - fi - - - name: Assume S3 Timestamp Sync AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - 
AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Sync Enterprise build timestamp to S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/ent_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ - -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/buildbox.go (main.buildboxPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-buildboxes -environment: - BUILDBOX_VERSION: teleport15 - GID: "1000" - UID: "1000" -trigger: - event: - include: - - push - repo: - include: - - gravitational/teleport - branch: - include: - - master - - branch/* -workspace: - path: /go/src/github.com/gravitational/teleport -clone: - disable: true -steps: -- name: Check out code - image: docker:git - commands: - - git clone --depth 1 --single-branch --branch ${DRONE_SOURCE_BRANCH:-master} https://github.com/gravitational/${DRONE_REPO_NAME}.git - . - - git checkout ${DRONE_COMMIT} -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Configure Staging AWS Profile - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile staging - environment: - AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Configure Production AWS Profile - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile production - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE 
- AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build and push buildbox - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox - - docker tag public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build and push buildbox-arm - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-arm - - docker tag public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile 
production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build and push buildbox-centos7 - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-centos7 - - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build and push buildbox-centos7-fips - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-centos7-fips - - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION - 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: publish-os-package-repos -trigger: - event: - include: - - promote - target: - include: - - production - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Determine if release should go to development or production - image: golang:1.18-alpine - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - mkdir -pv "/go/vars" - - (CGO_ENABLED=0 go run ./cmd/check -tag ${DRONE_TAG} -check prerelease && echo - "promote" || echo "build") > "/go/vars/release-environment.txt" - depends_on: - - Check out code -- name: Publish Teleport to stable/${DRONE_TAG} apt repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input 
"release-channel=stable" -input "repo-type=apt" -input "version-channel=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Determine if release should go to development or production -- name: Wait - Publish Teleport to stable/${DRONE_TAG} yum repo - image: alpine:latest - commands: - - sleep 10 - depends_on: - - Determine if release should go to development or production -- name: Publish Teleport to stable/${DRONE_TAG} yum repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish Teleport to stable/${DRONE_TAG} yum repo -- name: Wait - Publish teleport-ent-updater to stable/cloud apt repo - image: alpine:latest - commands: - - sleep 20 - depends_on: - - Determine if release should go to development or production -- name: Publish teleport-ent-updater to stable/cloud apt repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" - 
-input "release-channel=stable" -input "repo-type=apt" -input "version-channel=cloud" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish teleport-ent-updater to stable/cloud apt repo -- name: Wait - Publish teleport-ent-updater to stable/cloud yum repo - image: alpine:latest - commands: - - sleep 30 - depends_on: - - Determine if release should go to development or production -- name: Publish teleport-ent-updater to stable/cloud yum repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" - -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=cloud" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish teleport-ent-updater to stable/cloud yum repo -- name: Wait - Publish Teleport to stable/rolling apt repo - image: alpine:latest - commands: - - sleep 40 - depends_on: - - Determine if release should go to development or production -- name: Publish Teleport to stable/rolling apt repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input 
"release-channel=stable" -input "repo-type=apt" -input "version-channel=rolling" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish Teleport to stable/rolling apt repo -- name: Wait - Publish Teleport to stable/rolling yum repo - image: alpine:latest - commands: - - sleep 50 - depends_on: - - Determine if release should go to development or production -- name: Publish Teleport to stable/rolling yum repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=rolling" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish Teleport to stable/rolling yum repo -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -kind: pipeline -type: kubernetes -name: promote-build - -trigger: - event: - - promote - target: - - production - repo: - include: - - gravitational/* - -workspace: - path: /go - -clone: - disable: true - -steps: - - name: Check if commit is tagged - image: alpine - commands: - - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' 
&& exit 1)" - - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - mkdir -p /go/artifacts - - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - - - name: Assume Upload AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - # Uploads to Houston - - name: Upload artifacts to 
production S3 - image: amazon/aws-cli - environment: - AWS_REGION: us-east-1 - AWS_S3_BUCKET: - from_secret: PRODUCTION_AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - cd /go/artifacts/ - - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - - - name: Check out code - image: docker:git - commands: - - | - mkdir -p /go/src/github.com/gravitational/teleport - cd /go/src/github.com/gravitational/teleport - git init && git remote add origin ${DRONE_REMOTE_URL} - git fetch origin +refs/tags/${DRONE_TAG}: - git checkout -qf FETCH_HEAD - - - name: Assume AMI Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download AMI timestamps - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build - - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ /go/src/github.com/gravitational/teleport/assets/aws/files/build - - - name: Assume AMI Publish AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Make AMIs public - image: docker - volumes: - - name: awsconfig - path: /root/.aws - commands: - - apk add --no-cache aws-cli bash jq make - - cd /go/src/github.com/gravitational/teleport/assets/aws - - | - make change-amis-to-public-oss - make change-amis-to-public-ent - make change-amis-to-public-ent-fips - - - name: "Helm: Assume Download AWS Role" - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_CHARTS_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - # Download all previously packaged charts. This is needed to rebuild the - # index and re-publish the repository. 
- - name: "Helm: Download chart repository" - image: amazon/aws-cli - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - mkdir -p /go/chart - - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart - - - name: "Helm: Package chart repository" - image: alpine/helm:latest - commands: - - cd /go/chart - - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-cluster - - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-kube-agent - # copy index.html to root of the S3 bucket. - - cp /go/src/github.com/gravitational/teleport/examples/chart/index.html /go/chart - # this will index all previous versions of the charts downloaded from the S3 bucket, - # plus the just-packaged charts listed above - - helm repo index /go/chart - - ls /go/chart - - - name: "Helm: Assume Upload AWS Role" - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_CHARTS_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: "Helm: Publish chart repository to S3" - image: amazon/aws-cli - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - cd 
/go/chart/ - - aws s3 sync . s3://$AWS_S3_BUCKET/ - -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - - name: tmpfs - path: /tmpfs - -volumes: - - name: awsconfig - temp: {} - - name: dockersock - temp: {} - - name: tmpfs - temp: - medium: memory - # these persistent volumes cache RPMs/DEBs near Drone so that we don't need to download the - # entire repo contents from S3 every time to build the repo, we just sync any differences - - name: rpmrepo - claim: - name: drone-s3-rpmrepo-pvc - - name: debrepo - claim: - name: drone-s3-debrepo-pvc ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: promote-teleport-oci-distroless-images -trigger: - event: - include: - - promote - target: - include: - - production - - promote-distroless - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd 
"/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow promote-teleport-oci-distroless.yml -workflow-ref=${DRONE_TAG} - -input "release-source-tag=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: promote-teleport-hardened-amis -trigger: - event: - include: - - promote - target: - include: - - production - - promote-hardened-amis - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow promote-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG} - -input 
oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input - "release-source-tag=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: promote-teleport-kube-agent-updater-oci-images -trigger: - event: - include: - - promote - target: - include: - - production - - promote-updater - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow promote-teleport-kube-agent-updater-oci.yml - -workflow-ref=${DRONE_TAG} -input "release-source-tag=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- 
-################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/container_images_release_version.go (main.(*ReleaseVersion).buildVersionPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: teleport-container-images-branch-tag -environment: - DEBIAN_FRONTEND: noninteractive -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Wait for docker registry - image: alpine - pull: if-not-exists - commands: - - apk add curl - - timeout 30s /bin/sh -c 'while [ "$(curl -s -o /dev/null -w %{http_code} http://drone-docker-registry:5000/)" - != "200" ]; do sleep 1; done' -- name: Check out code - image: alpine/git:latest - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" -- name: Build full semver - image: alpine - commands: - - mkdir -pv $(dirname "/go/var/full-version") - - echo $DRONE_TAG | sed 's/v//' > "/go/var/full-version" - - echo $(cat "/go/var/full-version") -- name: Assume ECR - staging AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- 
- printf "[ecr-staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile ecr-staging - environment: - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume ECR - authenticated-pull AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[ecr-authenticated-pull]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile ecr-authenticated-pull - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume ECR - staging AWS Role -- name: Assume S3 Download AWS Role for teleport - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[s3-download-teleport]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts 
assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile s3-download-teleport - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport - image: alpine/git:latest - commands: - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" - - mkdir -pv $(dirname "/go/build/Dockerfile-teleport") - - cp "/tmp/repo/build.assets/charts/Dockerfile" "/go/build/Dockerfile-teleport" - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download "teleport_v15-tag_amd64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport_$(cat "/go/var/full-version")_amd64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport_$(cat - "/go/var/full-version")_amd64.deb /go/build/teleport_$(cat "/go/var/full-version")_amd64.deb - environment: - AWS_PROFILE: s3-download-teleport - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport -- name: Build teleport image "teleport:v15-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-v15-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-v15-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-v15-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-v15-amd64-builder" --config "/tmp/teleport-v15-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-v15-amd64-builder" --target "teleport" - --platform "linux/amd64" --tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-amd64 - --file "/go/build/Dockerfile-teleport" --build-arg DEB_PATH=teleport_$(cat "/go/var/full-version")_amd64.deb - /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-v15-amd64-builder" - - rm -rf "/tmp/teleport-v15-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - 
DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport_v15-tag_amd64.deb" artifacts from S3 -- name: Download "teleport_v15-tag_arm.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport_$(cat "/go/var/full-version")_arm.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' - - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport_$(cat - "/go/var/full-version")_arm.deb /go/build/teleport_$(cat "/go/var/full-version")_arm.deb - environment: - AWS_PROFILE: s3-download-teleport - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport -- name: Build teleport image "teleport:v15-arm" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-v15-arm-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-v15-arm-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-v15-arm-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" 
--driver-opt "network=host" --name - "teleport-v15-arm-builder" --config "/tmp/teleport-v15-arm-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-v15-arm-builder" --target "teleport" - --platform "linux/arm" --tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm - --file "/go/build/Dockerfile-teleport" --build-arg DEB_PATH=teleport_$(cat "/go/var/full-version")_arm.deb - /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-v15-arm-builder" - - rm -rf "/tmp/teleport-v15-arm-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport_v15-tag_arm.deb" artifacts from S3 -- name: Download "teleport_v15-tag_arm64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport_$(cat "/go/var/full-version")_arm64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport_$(cat - "/go/var/full-version")_arm64.deb /go/build/teleport_$(cat "/go/var/full-version")_arm64.deb - environment: - AWS_PROFILE: s3-download-teleport - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport -- name: Build teleport image "teleport:v15-arm64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-v15-arm64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-v15-arm64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-v15-arm64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-v15-arm64-builder" --config "/tmp/teleport-v15-arm64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-v15-arm64-builder" --target "teleport" - --platform "linux/arm64" --tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm64 - --file "/go/build/Dockerfile-teleport" --build-arg DEB_PATH=teleport_$(cat "/go/var/full-version")_arm64.deb - /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-v15-arm64-builder" - - rm -rf "/tmp/teleport-v15-arm64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - 
DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport_v15-tag_arm64.deb" artifacts from S3 -- name: Tag and push image "teleport:v15-amd64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport:$(cat - "/go/var/full-version")-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-amd64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat "/go/var/full-version")-amd64 - && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport image "teleport:v15-amd64" -- name: Tag and push image "teleport:v15-arm" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm" drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login 
-u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat "/go/var/full-version")-arm - && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport image "teleport:v15-arm" -- name: Tag and push image "teleport:v15-arm64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm64" drone-docker-registry:5000/teleport:$(cat - "/go/var/full-version")-arm64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat "/go/var/full-version")-arm64 - && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - 
"/go/var/full-version")-arm64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport image "teleport:v15-arm64" -- name: Create manifest and push "teleport:full" to ECR - staging - image: docker - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version") > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version") --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-amd64 --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport:v15-amd64" to ECR - staging - - Tag and push image "teleport:v15-arm" to ECR - staging - - Tag and 
push image "teleport:v15-arm64" to ECR - staging -- name: Assume S3 Download AWS Role for teleport-ent - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[s3-download-teleport-ent]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile s3-download-teleport-ent - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent - image: alpine/git:latest - commands: - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" - - mkdir -pv $(dirname "/go/build/Dockerfile-teleport-ent") - - cp "/tmp/repo/build.assets/charts/Dockerfile" "/go/build/Dockerfile-teleport-ent" - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download "teleport-ent_v15-tag_amd64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls 
s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")_amd64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' - - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")_amd64.deb /go/build/teleport-ent_$(cat "/go/var/full-version")_amd64.deb - environment: - AWS_PROFILE: s3-download-teleport-ent - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent -- name: Build teleport-ent image "teleport-ent:v15-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-ent-v15-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-amd64-builder" --config "/tmp/teleport-ent-v15-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-amd64-builder" --target - "teleport" --platform "linux/amd64" --tag 
drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-amd64 --file "/go/build/Dockerfile-teleport-ent" --build-arg - DEB_PATH=teleport-ent_$(cat "/go/var/full-version")_amd64.deb /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-ent-v15-amd64-builder" - - rm -rf "/tmp/teleport-ent-v15-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag_amd64.deb" artifacts from S3 -- name: Download "teleport-ent_v15-tag_arm.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")_arm.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")_arm.deb /go/build/teleport-ent_$(cat "/go/var/full-version")_arm.deb - environment: - AWS_PROFILE: s3-download-teleport-ent - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent -- name: Build teleport-ent image "teleport-ent:v15-arm" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-arm-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-arm-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-ent-v15-arm-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-arm-builder" --config "/tmp/teleport-ent-v15-arm-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-arm-builder" --target "teleport" - --platform "linux/arm" --tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm - --file "/go/build/Dockerfile-teleport-ent" --build-arg DEB_PATH=teleport-ent_$(cat - "/go/var/full-version")_arm.deb /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-ent-v15-arm-builder" - - rm -rf "/tmp/teleport-ent-v15-arm-builder" - 
environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag_arm.deb" artifacts from S3 -- name: Download "teleport-ent_v15-tag_arm64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")_arm64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' - - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")_arm64.deb /go/build/teleport-ent_$(cat "/go/var/full-version")_arm64.deb - environment: - AWS_PROFILE: s3-download-teleport-ent - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent -- name: Build teleport-ent image "teleport-ent:v15-arm64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-arm64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-arm64-builder/buildkitd.toml" - - echo ' 
http = true' >> "/tmp/teleport-ent-v15-arm64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-arm64-builder" --config "/tmp/teleport-ent-v15-arm64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-arm64-builder" --target - "teleport" --platform "linux/arm64" --tag drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-arm64 --file "/go/build/Dockerfile-teleport-ent" --build-arg - DEB_PATH=teleport-ent_$(cat "/go/var/full-version")_arm64.deb /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-ent-v15-arm64-builder" - - rm -rf "/tmp/teleport-ent-v15-arm64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag_arm64.deb" artifacts from S3 -- name: Tag and push image "teleport-ent:v15-amd64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64 > /dev/null 2>&1 && 
echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent image "teleport-ent:v15-amd64" -- name: Tag and push image "teleport-ent:v15-arm" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-arm - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - 
path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent image "teleport-ent:v15-arm" -- name: Tag and push image "teleport-ent:v15-arm64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm64" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-arm64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent image "teleport-ent:v15-arm64" -- name: Create manifest and push "teleport-ent:full" to ECR - staging - image: docker - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version") > 
/dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version") --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64 --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport-ent:v15-amd64" to ECR - staging - - Tag and push image "teleport-ent:v15-arm" to ECR - staging - - Tag and push image "teleport-ent:v15-arm64" to ECR - staging -- name: Assume S3 Download AWS Role for teleport-ent-fips - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[s3-download-teleport-ent-fips]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile s3-download-teleport-ent-fips - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: 
AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent-fips" for - teleport-ent-fips - image: alpine/git:latest - commands: - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" - - mkdir -pv $(dirname "/go/build/Dockerfile-teleport-ent-fips") - - cp "/tmp/repo/build.assets/charts/Dockerfile" "/go/build/Dockerfile-teleport-ent-fips" - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download "teleport-ent_v15-tag-fips_amd64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")-fips_amd64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")-fips_amd64.deb /go/build/teleport-ent_$(cat "/go/var/full-version")-fips_amd64.deb - environment: - AWS_PROFILE: s3-download-teleport-ent-fips - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent-fips - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent-fips" for teleport-ent-fips -- name: Build teleport-ent-fips image "teleport-ent:v15-fips-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-fips-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-fips-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-ent-v15-fips-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-fips-amd64-builder" --config "/tmp/teleport-ent-v15-fips-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-fips-amd64-builder" --target - "teleport-fips" --platform "linux/amd64" --tag drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 --file "/go/build/Dockerfile-teleport-ent-fips" - --build-arg DEB_PATH=teleport-ent_$(cat "/go/var/full-version")-fips_amd64.deb - /go/build - - docker logout 
"public.ecr.aws" - - docker buildx rm "teleport-ent-v15-fips-amd64-builder" - - rm -rf "/tmp/teleport-ent-v15-fips-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag-fips_amd64.deb" artifacts from S3 -- name: Tag and push image "teleport-ent:v15-fips-amd64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-fips-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent-fips image "teleport-ent:v15-fips-amd64" -- name: Create manifest and push 
"teleport-ent:full-fips" to ECR - staging - image: docker - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport-ent:v15-fips-amd64" to ECR - staging -- name: Build teleport-operator image "teleport-operator:v15-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/src/github.com/gravitational/teleport" && cd "/go/src/github.com/gravitational/teleport" - - mkdir -pv "/tmp/teleport-operator-v15-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-operator-v15-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-operator-v15-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-operator-v15-amd64-builder" --config 
"/tmp/teleport-operator-v15-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-operator-v15-amd64-builder" --platform - "linux/amd64" --tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-amd64 - --file "/go/src/github.com/gravitational/teleport/integrations/operator/Dockerfile" - --build-arg BUILDBOX=public.ecr.aws/gravitational/teleport-buildbox:teleport15 - --build-arg COMPILER_NAME=x86_64-linux-gnu-gcc --build-arg GOLANG_VERSION=go1.21.4 - --build-arg PROTOC_VERSION=3.20.3 --build-arg TARGETARCH=amd64 --build-arg BUILD_ARCH=amd64 - /go/src/github.com/gravitational/teleport - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-operator-v15-amd64-builder" - - rm -rf "/tmp/teleport-operator-v15-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Build teleport-operator image "teleport-operator:v15-arm" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/src/github.com/gravitational/teleport" && cd "/go/src/github.com/gravitational/teleport" - - mkdir -pv "/tmp/teleport-operator-v15-arm-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-operator-v15-arm-builder/buildkitd.toml" - - echo ' http = true' >> 
"/tmp/teleport-operator-v15-arm-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-operator-v15-arm-builder" --config "/tmp/teleport-operator-v15-arm-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-operator-v15-arm-builder" --platform - "linux/arm" --tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm - --file "/go/src/github.com/gravitational/teleport/integrations/operator/Dockerfile" - --build-arg BUILDBOX=public.ecr.aws/gravitational/teleport-buildbox-arm:teleport15 - --build-arg COMPILER_NAME=arm-linux-gnueabihf-gcc --build-arg GOLANG_VERSION=go1.21.4 - --build-arg PROTOC_VERSION=3.20.3 --build-arg TARGETARCH=arm --build-arg BUILD_ARCH=amd64 - /go/src/github.com/gravitational/teleport - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-operator-v15-arm-builder" - - rm -rf "/tmp/teleport-operator-v15-arm-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Build teleport-operator image "teleport-operator:v15-arm64" - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv 
"/go/src/github.com/gravitational/teleport" && cd "/go/src/github.com/gravitational/teleport" - - mkdir -pv "/tmp/teleport-operator-v15-arm64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-operator-v15-arm64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-operator-v15-arm64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-operator-v15-arm64-builder" --config "/tmp/teleport-operator-v15-arm64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-operator-v15-arm64-builder" --platform - "linux/arm64" --tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm64 - --file "/go/src/github.com/gravitational/teleport/integrations/operator/Dockerfile" - --build-arg BUILDBOX=public.ecr.aws/gravitational/teleport-buildbox-arm:teleport15 - --build-arg COMPILER_NAME=aarch64-linux-gnu-gcc --build-arg GOLANG_VERSION=go1.21.4 - --build-arg PROTOC_VERSION=3.20.3 --build-arg TARGETARCH=arm64 --build-arg BUILD_ARCH=amd64 - /go/src/github.com/gravitational/teleport - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-operator-v15-arm64-builder" - - rm -rf "/tmp/teleport-operator-v15-arm64-builder" + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-oci-distroless.yml -workflow-ref=${DRONE_TAG} + -input "release-source-tag=${DRONE_TAG}" ' environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: 
DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Tag and push image "teleport-operator:v15-amd64" to ECR - staging - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: promote-teleport-hardened-amis +trigger: + event: + include: + - promote + target: + include: + - production + - promote-hardened-amis + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Check out code + image: docker:git + pull: if-not-exists commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport-operator:$(cat - "/go/var/full-version")-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64 && docker push 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-operator image "teleport-operator:v15-amd64" -- name: Tag and push image "teleport-operator:v15-arm" to ECR - staging - image: docker + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - docker pull --platform "linux/arm" drone-docker-registry:5000/teleport-operator:$(cat - "/go/var/full-version")-arm - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm - 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "release-source-tag=${DRONE_TAG}" ' environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-operator image "teleport-operator:v15-arm" -- name: Tag and push image "teleport-operator:v15-arm64" to ECR - staging - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. 
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: promote-teleport-kube-agent-updater-oci-images +trigger: + event: + include: + - promote + target: + include: + - production + - promote-updater + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Check out code + image: docker:git + pull: if-not-exists commands: - - docker pull --platform "linux/arm64" drone-docker-registry:5000/teleport-operator:$(cat - "/go/var/full-version")-arm64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f 
/root/.ssh/id_rsa environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-operator image "teleport-operator:v15-arm64" -- name: Create manifest and push "teleport-operator:full" to ECR - staging - image: docker + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version") > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version") --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64 --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-kube-agent-updater-oci.yml + 
-workflow-ref=${DRONE_TAG} -input "release-source-tag=${DRONE_TAG}" ' environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport-operator:v15-amd64" to ECR - staging - - Tag and push image "teleport-operator:v15-arm" to ECR - staging - - Tag and push image "teleport-operator:v15-arm64" to ECR - staging -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -- name: drone-docker-registry - image: registry:2 - privileged: false - volumes: [] -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -7542,10 +2357,10 @@ clone: disable: true depends_on: - clean-up-previous-build -- build-linux-amd64-deb -- build-linux-amd64-fips-deb -- build-linux-arm64-deb -- build-linux-arm-deb +- build-linux-amd64 +- build-linux-amd64-fips +- build-linux-arm64 +- build-linux-arm steps: - name: Check out code image: docker:git @@ -7606,8 +2421,8 @@ clone: disable: true depends_on: - clean-up-previous-build -- build-linux-amd64-deb -- build-linux-amd64-fips-deb +- build-linux-amd64 +- build-linux-amd64-fips steps: - name: Check out code image: docker:git @@ -16391,6 +11206,6 @@ image_pull_secrets: - DOCKERHUB_CREDENTIALS --- kind: signature -hmac: 1b4e51f6e9336c6ed109964655c1b5f6f79bb4b9d5095cf6390563eaaafc3d55 +hmac: c8f97aa5eed9b5b5bece97e6f9f79beea090b5ddd2b890dd8a7c4c9790f31f80 ...
