From fd385293829dfc8aba5a29443e9d1069f78f41bf Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 7 Mar 2026 11:19:13 +1100
Subject: [PATCH] feat: migrate to woodpeckerci

- update build tool for kubernetes auth
- add woodpecker pre-commit and build jobs
---
 .woodpecker/build-almalinux8.yaml | 15 ++++++++
 .woodpecker/build-almalinux9.yaml | 15 ++++++++
 .woodpecker/pre-commit.yaml | 9 +++++
 Makefile | 4 ++
 tools/build | 63 +++++++++++++++++++++++--------
 5 files changed, 90 insertions(+), 16 deletions(-)
 create mode 100644 .woodpecker/build-almalinux8.yaml
 create mode 100644 .woodpecker/build-almalinux9.yaml
 create mode 100644 .woodpecker/pre-commit.yaml

diff --git a/.woodpecker/build-almalinux8.yaml b/.woodpecker/build-almalinux8.yaml
new file mode 100644
index 0000000..ada34d2
--- /dev/null
+++ b/.woodpecker/build-almalinux8.yaml
@@ -0,0 +1,15 @@
+when:
+ - event: pull_request
+
+steps:
+ - name: build rpms
+ image: woodpeckerci/plugin-docker-buildx:latest-insecure
+ commands:
+ - ./tools/build build-all --distro almalinux/el8
+ backend_options:
+ kubernetes:
+ serviceAccountName: default
+ - name: show rpms
+ image: git.unkin.net/unkin/almalinux8-base:latest
+ commands:
+ - find /workspace -type f -name "*.rpm"
diff --git a/.woodpecker/build-almalinux9.yaml b/.woodpecker/build-almalinux9.yaml
new file mode 100644
index 0000000..ada34d2
--- /dev/null
+++ b/.woodpecker/build-almalinux9.yaml
@@ -0,0 +1,15 @@
+when:
+ - event: pull_request
+
+steps:
+ - name: build rpms
+ image: woodpeckerci/plugin-docker-buildx:latest-insecure
+ commands:
+ - ./tools/build build-all --distro almalinux/el8
+ backend_options:
+ kubernetes:
+ serviceAccountName: default
+ - name: show rpms
+ image: git.unkin.net/unkin/almalinux8-base:latest
+ commands:
+ - find /workspace -type f -name "*.rpm"
diff --git a/.woodpecker/pre-commit.yaml b/.woodpecker/pre-commit.yaml
new file mode 100644
index 0000000..bf6529f
--- /dev/null
+++ b/.woodpecker/pre-commit.yaml
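Review bot: `serviceAccountName: default` in the build step ties the Kubernetes Vault login added in tools/build (role `rpmbuilder` unless `VAULT_ROLE` overrides it) to the namespace's `default` service account, which every pod that does not set its own serviceAccountName also runs under, so the Vault role binding cannot be scoped to this job alone. A dedicated service account for the build job, with the Vault role bound only to it, keeps the credential reachable only from this pipeline; since the trigger is `event: pull_request`, it is also worth confirming that pull requests from untrusted contributors cannot start a job that can obtain Vault credentials. `image: woodpeckerci/plugin-docker-buildx:latest-insecure` is an unpinned tag; pinning to a version or digest makes the build reproducible and lets image updates be reviewed. The same points apply to build-almalinux9.yaml.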
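Review bot: this file is identical to build-almalinux8.yaml (both index lines show the same blob `ada34d2`), so the el9 pipeline runs `./tools/build build-all --distro almalinux/el8` and then inspects the result inside `almalinux8-base:latest`. The build step presumably should read `- ./tools/build build-all --distro almalinux/el9` and the show step `image: git.unkin.net/unkin/almalinux9-base:latest`, which matches the Makefile's `DISTRO ?= almalinux/el9` default in this same commit.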
@@ -0,0 +1,9 @@
+when:
+ - event: pull_request
+
+steps:
+ - name: pre-commit
+ image: git.unkin.net/unkin/almalinux9-base:latest
+ commands:
+ - dnf install uv make -y
+ - uvx pre-commit run --all-files
diff --git a/Makefile b/Makefile
index 8c56409..ad08c27 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,10 @@ ROOT_DIR := $(PWD)
 BUILD_TOOL := $(ROOT_DIR)/tools/build
 DISTRO ?= almalinux/el9
 
+# Authentication variables (optional)
+# VAULT_ROLE_ID - Use AppRole authentication if set
+# VAULT_ROLE - Kubernetes role for service account authentication (default: rpmbuilder)
+
 # Automatically find all packages with metadata.yaml
 PACKAGES := $(shell find $(ROOT_DIR)/rpms -mindepth 1 -maxdepth 1 -type d -exec test -f {}/metadata.yaml \; -print | xargs -n1 basename | sort)
 
diff --git a/tools/build b/tools/build
index ebc2c0a..a458003 100755
--- a/tools/build
+++ b/tools/build
@@ -156,7 +156,7 @@ class PackageMetadata:
 
 def get_vault_client() -> hvac.Client:
 """
- Initialize and authenticate Vault client using AppRole authentication.
+ Initialize and authenticate Vault client using AppRole or Kubernetes authentication.
 
 Returns:
 Authenticated HVAC client
@@ -166,10 +166,7 @@ def get_vault_client() -> hvac.Client:
 # Get required environment variables
 vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200')
 vault_role_id = os.getenv('VAULT_ROLE_ID')
-
- if not vault_role_id:
- logger.error("VAULT_ROLE_ID environment variable is required")
- sys.exit(1)
+ vault_role = os.getenv('VAULT_ROLE', 'rpmbuilder')
 
 # Initialize Vault client with CA certificate
 client = hvac.Client(
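Review bot: `dnf install uv make -y` followed by `uvx pre-commit run --all-files` installs and runs the linter at whatever version the repository and package index serve on the day of the pull request, so a tool update changes what the job checks without any commit to this repository; pin it, e.g. `- uvx pre-commit@<version> run --all-files`, so results are reproducible. `make` is installed but no command in this step uses it; drop it unless a hook outside this diff needs it. The base image `almalinux9-base:latest` is likewise unpinned, as in the two build pipelines.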
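Review bot: the docstring of `get_vault_client` now names both methods but not how one is chosen or which environment variables drive the choice, which is what an operator needs when a job exits with status 1. Add under the summary a line such as `Uses AppRole when VAULT_ROLE_ID is set; otherwise logs in with the pod's Kubernetes service account token against role VAULT_ROLE (default 'rpmbuilder'). Reads VAULT_ADDR for the server address and exits with status 1 when neither credential source is available.` The function's body continues in the following two hunks.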
@@ -177,21 +174,55 @@ def get_vault_client() -> hvac.Client:
 verify='/etc/pki/tls/cert.pem'
 )
 
- # Authenticate using AppRole
- try:
- logger.debug(f"Authenticating to Vault at {vault_addr}")
- client.auth.approle.login(role_id=vault_role_id)
+ # Use AppRole authentication if VAULT_ROLE_ID is available
+ if vault_role_id:
+ try:
+ logger.debug(f"Authenticating to Vault at {vault_addr} using AppRole")
+ client.auth.approle.login(role_id=vault_role_id)
 
- if not client.is_authenticated():
- logger.error("Failed to authenticate with Vault")
+ if not client.is_authenticated():
+ logger.error("Failed to authenticate with Vault using AppRole")
+ sys.exit(1)
+
+ logger.debug("Successfully authenticated with Vault using AppRole")
+ return client
+
+ except Exception as e:
+ logger.error(f"AppRole authentication failed: {e}")
 sys.exit(1)
 
- logger.debug("Successfully authenticated with Vault")
- return client
+ # Fallback to Kubernetes authentication if service account token is available
+ service_account_token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
 
- except Exception as e:
- logger.error(f"Vault authentication failed: {e}")
- sys.exit(1)
+ if os.path.exists(service_account_token_path):
+ try:
+ logger.debug(f"Attempting Kubernetes authentication to Vault at {vault_addr}")
+
+ # Read the service account token
+ with open(service_account_token_path, 'r') as f:
+ jwt_token = f.read().strip()
+
+ # Authenticate using Kubernetes auth method
+ client.auth.kubernetes.login(
+ role=vault_role,
+ jwt=jwt_token,
+ mount_point='k8s/au/syd1'
+ )
+
+ if not client.is_authenticated():
+ logger.error("Failed to authenticate with Vault using Kubernetes auth")
+ sys.exit(1)
+
+ logger.debug("Successfully authenticated with Vault using Kubernetes auth")
+ return client
+
+ except Exception as e:
+ logger.error(f"Kubernetes authentication failed: {e}")
+ sys.exit(1)
+
+ # No authentication method available
+ logger.error("Neither VAULT_ROLE_ID environment variable nor 
Kubernetes service account token is available")
+ sys.exit(1)
 
 
 def get_gitea_token() -> str:
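Review bot: `mount_point='k8s/au/syd1'` in the Kubernetes login is a site-specific auth mount hard-coded next to a configurable role, so the script cannot log in from another cluster or mount without a code change; read it from the environment with the current literal as the default, e.g. `mount_point=os.getenv('VAULT_K8S_MOUNT', 'k8s/au/syd1')` (variable name proposed here, not yet in the code), and document it beside `VAULT_ROLE` in the Makefile. The `os.path.exists` check followed by `open` can become an `open` that handles `FileNotFoundError`, and the authenticate/verify/return sequence that the AppRole and Kubernetes branches now repeat almost line for line can be a small nested helper, which also keeps `is_authenticated()` inside the `try` as the original does. `client.auth.approle.login(role_id=vault_role_id)` is still called without a secret_id, which only works when the Vault role has secret-id binding disabled; that predates this commit but is worth confirming as intended. `get_vault_client` starts in an earlier hunk; the sketch below keeps the existing messages and exit codes.
```python
    # … unchanged: environment lookups and hvac.Client construction …

    def _verify_login(method: str) -> hvac.Client:
        """Confirm the login that just ran took effect; exit 1 otherwise."""
        if not client.is_authenticated():
            logger.error(f"Failed to authenticate with Vault using {method}")
            sys.exit(1)
        logger.debug(f"Successfully authenticated with Vault using {method}")
        return client

    # Use AppRole authentication if VAULT_ROLE_ID is available
    if vault_role_id:
        try:
            logger.debug(f"Authenticating to Vault at {vault_addr} using AppRole")
            client.auth.approle.login(role_id=vault_role_id)
            return _verify_login("AppRole")
        except Exception as e:
            logger.error(f"AppRole authentication failed: {e}")
            sys.exit(1)

    # Fallback to Kubernetes authentication if service account token is available
    service_account_token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
    try:
        with open(service_account_token_path, 'r') as f:
            jwt_token = f.read().strip()
    except FileNotFoundError:
        logger.error("Neither VAULT_ROLE_ID environment variable nor Kubernetes service account token is available")
        sys.exit(1)

    try:
        logger.debug(f"Attempting Kubernetes authentication to Vault at {vault_addr}")
        client.auth.kubernetes.login(
            role=vault_role,
            jwt=jwt_token,
            # Site-specific auth mount; the env override keeps the current value as default
            mount_point=os.getenv('VAULT_K8S_MOUNT', 'k8s/au/syd1'),
        )
        return _verify_login("Kubernetes auth")
    except Exception as e:
        logger.error(f"Kubernetes authentication failed: {e}")
        sys.exit(1)
```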