feat: migrate to woodpeckerci
- update build tool for Kubernetes auth
- add Woodpecker pre-commit and build jobs
@@ -0,0 +1,15 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: build-rpms
|
||||
image: git.unkin.net/unkin/almalinux8-actionsdind:latest
|
||||
commands:
|
||||
- ./tools/build build-all --distro almalinux/el8
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: default
|
||||
- name: build-rpms
|
||||
image: git.unkin.net/unkin/almalinux8-base:latest
|
||||
commands:
|
||||
- find /workspace -type f -name "*.rpm"
|
||||
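Review bot: Both steps in this pipeline carry the same name, `- name: build-rpms` — the second one, which only runs `find /workspace -type f -name "*.rpm"`, needs a distinct name such as `- name: list-rpms`; as far as I recall Woodpecker rejects duplicate step names when it lints the pipeline, and even if it did not, the two steps would be indistinguishable in the log view. The second pipeline file in this commit repeats the same duplication. Separately, the build step runs under the namespace's `serviceAccountName: default` and on `pull_request` events, and the Kubernetes auth path added to `tools/build` in this commit turns that service-account token into a Vault login for the `rpmbuilder` role; every other pod in the namespace that uses the default account, and every pull request that can change `tools/build`, therefore inherits that Vault access. A dedicated service account bound only to this role, plus a check that pull requests from untrusted sources cannot reach Vault, would narrow that.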
@@ -0,0 +1,15 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: build-rpms
|
||||
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
|
||||
commands:
|
||||
- ./tools/build build-all --distro almalinux/el8
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: default
|
||||
- name: build-rpms
|
||||
image: git.unkin.net/unkin/almalinux8-base:latest
|
||||
commands:
|
||||
- find /workspace -type f -name "*.rpm"
|
||||
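Review bot: The build command `- ./tools/build build-all --distro almalinux/el8` runs inside the `almalinux9-actionsdind` image, so this pipeline builds el8 packages a second time and never el9; the line looks copied from the el8 pipeline and should presumably read `- ./tools/build build-all --distro almalinux/el9` (the Makefile in this commit defaults `DISTRO` to `almalinux/el9`, so that value is a known distro). The second step also uses `image: git.unkin.net/unkin/almalinux8-base:latest` where the pre-commit pipeline uses `almalinux9-base`; harmless for a `find`, but aligning it makes the file read as the el9 variant throughout.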
@@ -0,0 +1,9 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: pre-commit
|
||||
image: git.unkin.net/unkin/almalinux9-base:latest
|
||||
commands:
|
||||
- dnf install uv make -y
|
||||
- uvx pre-commit run --all-files
|
||||
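Review bot: The tool versions in `- dnf install uv make -y` and `- uvx pre-commit run --all-files` are unpinned, so each run resolves whichever `uv` the image's repositories offer and whichever `pre-commit` release PyPI serves that day; the hooks are pinned by the repository's pre-commit config, but the runner that executes them is not, so an upstream release can change CI behaviour with no commit here. Pinning the runner, e.g. `- uvx pre-commit@<pinned-version> run --all-files`, or baking both tools into the base image, keeps the check reproducible. `make` is installed but nothing in the visible commands calls it; if a hook depends on it, a short comment saying so would stop the next reader from dropping it.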
@@ -3,6 +3,10 @@ ROOT_DIR := $(PWD)
|
||||
BUILD_TOOL := $(ROOT_DIR)/tools/build
|
||||
DISTRO ?= almalinux/el9
|
||||
|
||||
# Authentication variables (optional)
|
||||
# VAULT_ROLE_ID - Use AppRole authentication if set
|
||||
# VAULT_ROLE - Kubernetes role for service account authentication (default: rpmbuilder)
|
||||
|
||||
# Automatically find all packages with metadata.yaml
|
||||
PACKAGES := $(shell find $(ROOT_DIR)/rpms -mindepth 1 -maxdepth 1 -type d -exec test -f {}/metadata.yaml \; -print | xargs -n1 basename | sort)
|
||||
|
||||
|
||||
+47
-16
@@ -156,7 +156,7 @@ class PackageMetadata:
|
||||
|
||||
def get_vault_client() -> hvac.Client:
|
||||
"""
|
||||
Initialize and authenticate Vault client using AppRole authentication.
|
||||
Initialize and authenticate Vault client using AppRole or Kubernetes authentication.
|
||||
|
||||
Returns:
|
||||
Authenticated HVAC client
|
||||
@@ -166,10 +166,7 @@ def get_vault_client() -> hvac.Client:
|
||||
# Get required environment variables
|
||||
vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200')
|
||||
vault_role_id = os.getenv('VAULT_ROLE_ID')
|
||||
|
||||
if not vault_role_id:
|
||||
logger.error("VAULT_ROLE_ID environment variable is required")
|
||||
sys.exit(1)
|
||||
vault_role = os.getenv('VAULT_ROLE', 'rpmbuilder')
|
||||
|
||||
# Initialize Vault client with CA certificate
|
||||
client = hvac.Client(
|
||||
@@ -177,21 +174,55 @@ def get_vault_client() -> hvac.Client:
|
||||
verify='/etc/pki/tls/cert.pem'
|
||||
)
|
||||
|
||||
# Authenticate using AppRole
|
||||
try:
|
||||
logger.debug(f"Authenticating to Vault at {vault_addr}")
|
||||
client.auth.approle.login(role_id=vault_role_id)
|
||||
# Use AppRole authentication if VAULT_ROLE_ID is available
|
||||
if vault_role_id:
|
||||
try:
|
||||
logger.debug(f"Authenticating to Vault at {vault_addr} using AppRole")
|
||||
client.auth.approle.login(role_id=vault_role_id)
|
||||
|
||||
if not client.is_authenticated():
|
||||
logger.error("Failed to authenticate with Vault")
|
||||
if not client.is_authenticated():
|
||||
logger.error("Failed to authenticate with Vault using AppRole")
|
||||
sys.exit(1)
|
||||
|
||||
logger.debug("Successfully authenticated with Vault using AppRole")
|
||||
return client
|
||||
|
||||
except Exception as e:
|
||||
logger.error(f"AppRole authentication failed: {e}")
|
||||
sys.exit(1)
|
||||
|
||||
logger.debug("Successfully authenticated with Vault")
|
||||
return client
|
||||
# Fallback to Kubernetes authentication if service account token is available
|
||||
service_account_token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
|
||||
|
||||
except Exception as e:
|
||||
logger.error(f"Vault authentication failed: {e}")
|
||||
sys.exit(1)
|
||||
if os.path.exists(service_account_token_path):
|
||||
try:
|
||||
logger.debug(f"Attempting Kubernetes authentication to Vault at {vault_addr}")
|
||||
|
||||
# Read the service account token
|
||||
with open(service_account_token_path, 'r') as f:
|
||||
jwt_token = f.read().strip()
|
||||
|
||||
# Authenticate using Kubernetes auth method
|
||||
client.auth.kubernetes.login(
|
||||
role=vault_role,
|
||||
jwt=jwt_token,
|
||||
mount_point='k8s/au/syd1'
|
||||
)
|
||||
|
||||
if not client.is_authenticated():
|
||||
logger.error("Failed to authenticate with Vault using Kubernetes auth")
|
||||
sys.exit(1)
|
||||
|
||||
logger.debug("Successfully authenticated with Vault using Kubernetes auth")
|
||||
return client
|
||||
|
||||
except Exception as e:
|
||||
logger.error(f"Kubernetes authentication failed: {e}")
|
||||
sys.exit(1)
|
||||
|
||||
# No authentication method available
|
||||
logger.error("Neither VAULT_ROLE_ID environment variable nor Kubernetes service account token is available")
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def get_gitea_token() -> str:
|
||||
|
||||
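Review bot: The Kubernetes auth mount is hard-coded as `mount_point='k8s/au/syd1'` in the `client.auth.kubernetes.login(...)` call of the third hunk, while the role beside it is read from `VAULT_ROLE`, so a runner in another cluster or region has to edit the script instead of setting a variable. Read it the same way as the role — `vault_k8s_mount = os.getenv('VAULT_K8S_MOUNT', 'k8s/au/syd1')` next to the `vault_role = ...` line and `mount_point=vault_k8s_mount` in the call — and list the new variable in the Makefile's authentication comment block added by this commit. The `if os.path.exists(service_account_token_path):` guard followed by `open(service_account_token_path, 'r')` can collapse into a `try`/`except FileNotFoundError` around the read, which removes the window between check and use and still routes a missing token to the "Neither ... is available" exit; the read should also pass `encoding='utf-8'`. The updated docstring says "AppRole or Kubernetes authentication" but not the precedence; one sentence stating that `VAULT_ROLE_ID` wins when set, that the in-cluster service-account token is tried otherwise, and that the process exits with status 1 on any failure would make the contract explicit.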