feat: migrate to woodpeckerci
Build / build-9 (pull_request) Successful in 11s
Build / build-8 (pull_request) Successful in 13s
ci/woodpecker/pr/build-almalinux9 Pipeline failed
ci/woodpecker/pr/build-almalinux8 Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed

- update build tool for kubernetes auth
- add woodpecker pre-commit and build jobs
2026-03-07 11:19:13 +11:00
parent b585cca9f0
commit fd38529382
5 changed files with 90 additions and 16 deletions
+47 -16
@@ -156,7 +156,7 @@ class PackageMetadata:
def get_vault_client() -> hvac.Client:
"""
Initialize and authenticate Vault client using AppRole authentication.
Initialize and authenticate Vault client using AppRole or Kubernetes authentication.
Returns:
Authenticated HVAC client
@@ -166,10 +166,7 @@ def get_vault_client() -> hvac.Client:
# Get required environment variables
vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200')
vault_role_id = os.getenv('VAULT_ROLE_ID')
if not vault_role_id:
logger.error("VAULT_ROLE_ID environment variable is required")
sys.exit(1)
vault_role = os.getenv('VAULT_ROLE', 'rpmbuilder')
# Initialize Vault client with CA certificate
client = hvac.Client(
@@ -177,21 +174,55 @@ def get_vault_client() -> hvac.Client:
verify='/etc/pki/tls/cert.pem'
)
# Authenticate using AppRole
try:
logger.debug(f"Authenticating to Vault at {vault_addr}")
client.auth.approle.login(role_id=vault_role_id)
# Use AppRole authentication if VAULT_ROLE_ID is available
if vault_role_id:
try:
logger.debug(f"Authenticating to Vault at {vault_addr} using AppRole")
client.auth.approle.login(role_id=vault_role_id)
if not client.is_authenticated():
logger.error("Failed to authenticate with Vault")
if not client.is_authenticated():
logger.error("Failed to authenticate with Vault using AppRole")
sys.exit(1)
logger.debug("Successfully authenticated with Vault using AppRole")
return client
except Exception as e:
logger.error(f"AppRole authentication failed: {e}")
sys.exit(1)
logger.debug("Successfully authenticated with Vault")
return client
# Fallback to Kubernetes authentication if service account token is available
service_account_token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
except Exception as e:
logger.error(f"Vault authentication failed: {e}")
sys.exit(1)
if os.path.exists(service_account_token_path):
try:
logger.debug(f"Attempting Kubernetes authentication to Vault at {vault_addr}")
# Read the service account token
with open(service_account_token_path, 'r') as f:
jwt_token = f.read().strip()
# Authenticate using Kubernetes auth method
client.auth.kubernetes.login(
role=vault_role,
jwt=jwt_token,
mount_point='k8s/au/syd1'
)
if not client.is_authenticated():
logger.error("Failed to authenticate with Vault using Kubernetes auth")
sys.exit(1)
logger.debug("Successfully authenticated with Vault using Kubernetes auth")
return client
except Exception as e:
logger.error(f"Kubernetes authentication failed: {e}")
sys.exit(1)
# No authentication method available
logger.error("Neither VAULT_ROLE_ID environment variable nor Kubernetes service account token is available")
sys.exit(1)
def get_gitea_token() -> str:
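Review bot: The Kubernetes branch of `get_vault_client` hard-codes `mount_point='k8s/au/syd1'` in the `client.auth.kubernetes.login(...)` call, while the address and role beside it come from `VAULT_ADDR` and `VAULT_ROLE`, so a runner in any other cluster would present its service-account JWT to the wrong auth mount and fail at login. Reading the mount from the environment with the current value as the default keeps today's behaviour and removes the coupling, e.g. `mount_point=os.getenv('VAULT_K8S_MOUNT', 'k8s/au/syd1')` (the variable name is only a suggestion). The docstring should also state the precedence, since the environment now implicitly chooses which identity the build authenticates as: AppRole is used whenever `VAULT_ROLE_ID` is set, a failed AppRole login exits rather than falling through to Kubernetes, and `VAULT_ROLE` defaults to `rpmbuilder`. Parts of the function body between the three hunks are not shown on this page.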