feat: migrate to woodpeckerci
Build / build-9 (pull_request) Successful in 11s
Build / build-8 (pull_request) Successful in 13s
ci/woodpecker/pr/build-almalinux9 Pipeline failed
ci/woodpecker/pr/build-almalinux8 Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed

- update build tool for kubernetes auth
- add woodpecker pre-commit and build jobs
2026-03-07 11:19:13 +11:00
parent b585cca9f0
commit fd38529382
5 changed files with 90 additions and 16 deletions
+15
@@ -0,0 +1,15 @@
when:
- event: pull_request
steps:
- name: build rpms
image: woodpeckerci/plugin-docker-buildx:latest-insecure
commands:
- ./tools/build build-all --distro almalinux/el8
backend_options:
kubernetes:
serviceAccountName: default
- name: show rpms
image: git.unkin.net/unkin/almalinux8-base:latest
commands:
- find /workspace -type f -name "*.rpm"
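Review bot: The `build rpms` step runs `./tools/build` from the pull request's checkout on every `pull_request` event while the pod uses `serviceAccountName: default`, so code proposed in a PR executes with whatever that service account's token can reach. The Python change in this commit reads the mounted service-account token to log in to Vault. If forks or untrusted contributors can trigger this pipeline, give the build a dedicated least-privilege service account and restrict or gate the trigger before the token is mounted. Both images use mutable tags (`latest-insecure`, `latest`); pin a version or digest, e.g. `image: woodpeckerci/plugin-docker-buildx:<pinned-version>`, and add a short comment saying why the `-insecure` variant is required. The second build pipeline below is identical and shares these points.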
+15
@@ -0,0 +1,15 @@
when:
- event: pull_request
steps:
- name: build rpms
image: woodpeckerci/plugin-docker-buildx:latest-insecure
commands:
- ./tools/build build-all --distro almalinux/el8
backend_options:
kubernetes:
serviceAccountName: default
- name: show rpms
image: git.unkin.net/unkin/almalinux8-base:latest
commands:
- find /workspace -type f -name "*.rpm"
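Review bot: This pipeline is line-for-line identical to the previous one, including `--distro almalinux/el8` and the `almalinux8-base` image in `show rpms`. The check names on this commit list both `build-almalinux8` and `build-almalinux9`, so one of the two files presumably should build el9. The file names are not visible here, so confirm which one; for that file use `- ./tools/build build-all --distro almalinux/el9` and `image: git.unkin.net/unkin/almalinux9-base:latest`.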
+9
@@ -0,0 +1,9 @@
when:
- event: pull_request
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-base:latest
commands:
- dnf install uv make -y
- uvx pre-commit run --all-files
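Review bot: The `pre-commit` step resolves its tooling at run time: `dnf install uv make -y` and `uvx pre-commit run --all-files` fetch whatever versions are current, on top of a `:latest` base image. The check's result can therefore change without any change to the repository, and a bad upstream release would run directly in CI. Pinning the tool, e.g. `- uvx pre-commit@<pinned-version> run --all-files`, and baking `uv` and `make` into the base image would make the job reproducible and faster. `make` is installed but not called in the visible commands; if a hook needs it, a one-line comment saying so would help.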
+4
@@ -3,6 +3,10 @@ ROOT_DIR := $(PWD)
BUILD_TOOL := $(ROOT_DIR)/tools/build BUILD_TOOL := $(ROOT_DIR)/tools/build
DISTRO ?= almalinux/el9 DISTRO ?= almalinux/el9
# Authentication variables (optional)
# VAULT_ROLE_ID - Use AppRole authentication if set
# VAULT_ROLE - Kubernetes role for service account authentication (default: rpmbuilder)
# Automatically find all packages with metadata.yaml # Automatically find all packages with metadata.yaml
PACKAGES := $(shell find $(ROOT_DIR)/rpms -mindepth 1 -maxdepth 1 -type d -exec test -f {}/metadata.yaml \; -print | xargs -n1 basename | sort) PACKAGES := $(shell find $(ROOT_DIR)/rpms -mindepth 1 -maxdepth 1 -type d -exec test -f {}/metadata.yaml \; -print | xargs -n1 basename | sort)
+41 -10
@@ -156,7 +156,7 @@ class PackageMetadata:
def get_vault_client() -> hvac.Client: def get_vault_client() -> hvac.Client:
""" """
Initialize and authenticate Vault client using AppRole authentication. Initialize and authenticate Vault client using AppRole or Kubernetes authentication.
Returns: Returns:
Authenticated HVAC client Authenticated HVAC client
@@ -166,10 +166,7 @@ def get_vault_client() -> hvac.Client:
# Get required environment variables # Get required environment variables
vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200') vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200')
vault_role_id = os.getenv('VAULT_ROLE_ID') vault_role_id = os.getenv('VAULT_ROLE_ID')
vault_role = os.getenv('VAULT_ROLE', 'rpmbuilder')
if not vault_role_id:
logger.error("VAULT_ROLE_ID environment variable is required")
sys.exit(1)
# Initialize Vault client with CA certificate # Initialize Vault client with CA certificate
client = hvac.Client( client = hvac.Client(
@@ -177,20 +174,54 @@ def get_vault_client() -> hvac.Client:
verify='/etc/pki/tls/cert.pem' verify='/etc/pki/tls/cert.pem'
) )
# Authenticate using AppRole # Use AppRole authentication if VAULT_ROLE_ID is available
if vault_role_id:
try: try:
logger.debug(f"Authenticating to Vault at {vault_addr}") logger.debug(f"Authenticating to Vault at {vault_addr} using AppRole")
client.auth.approle.login(role_id=vault_role_id) client.auth.approle.login(role_id=vault_role_id)
if not client.is_authenticated(): if not client.is_authenticated():
logger.error("Failed to authenticate with Vault") logger.error("Failed to authenticate with Vault using AppRole")
sys.exit(1) sys.exit(1)
logger.debug("Successfully authenticated with Vault") logger.debug("Successfully authenticated with Vault using AppRole")
return client return client
except Exception as e: except Exception as e:
logger.error(f"Vault authentication failed: {e}") logger.error(f"AppRole authentication failed: {e}")
sys.exit(1)
# Fallback to Kubernetes authentication if service account token is available
service_account_token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
if os.path.exists(service_account_token_path):
try:
logger.debug(f"Attempting Kubernetes authentication to Vault at {vault_addr}")
# Read the service account token
with open(service_account_token_path, 'r') as f:
jwt_token = f.read().strip()
# Authenticate using Kubernetes auth method
client.auth.kubernetes.login(
role=vault_role,
jwt=jwt_token,
mount_point='k8s/au/syd1'
)
if not client.is_authenticated():
logger.error("Failed to authenticate with Vault using Kubernetes auth")
sys.exit(1)
logger.debug("Successfully authenticated with Vault using Kubernetes auth")
return client
except Exception as e:
logger.error(f"Kubernetes authentication failed: {e}")
sys.exit(1)
# No authentication method available
logger.error("Neither VAULT_ROLE_ID environment variable nor Kubernetes service account token is available")
sys.exit(1) sys.exit(1)
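Review bot: The Kubernetes login hard-codes `mount_point='k8s/au/syd1'`, while the address and role beside it come from `VAULT_ADDR` and `VAULT_ROLE`, so a runner in another cluster would have to edit the script. Reading it from the environment with the current value as default, e.g. `mount_point=os.getenv('VAULT_K8S_MOUNT', 'k8s/au/syd1')` (the variable name is only a suggestion), keeps today's behaviour and matches the other settings. The fallback is chosen purely by the presence of the token file, so any pod with a mounted token will attempt a login as the `VAULT_ROLE` default `rpmbuilder`. The docstring should state the precedence: AppRole when `VAULT_ROLE_ID` is set, with no fall-through on failure, otherwise Kubernetes. An empty token after `.strip()` is also passed straight to the login call; a guard such as `if not jwt_token:` that logs and exits would give a clearer error.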