feat: migrate to woodpeckerci
- update build tool for kubernetes auth - add woodpecker pre-commit and build jobs
@@ -0,0 +1,15 @@
|
|||||||
|
when:
|
||||||
|
- event: pull_request
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: build rpms
|
||||||
|
image: woodpeckerci/plugin-docker-buildx:latest-insecure
|
||||||
|
commands:
|
||||||
|
- ./tools/build build-all --distro almalinux/el8
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: default
|
||||||
|
- name: show rpms
|
||||||
|
image: git.unkin.net/unkin/almalinux8-base:latest
|
||||||
|
commands:
|
||||||
|
- find /workspace -type f -name "*.rpm"
|
||||||
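Review bot: The `build rpms` step runs `./tools/build` under `serviceAccountName: default`, and the tools/build change in this same commit makes that script read the pod's mounted service-account token and log into Vault with the `rpmbuilder` role whenever `VAULT_ROLE_ID` is unset, so this pipeline hands Vault access to a job triggered by `event: pull_request`; depending on the forge's policy for PRs from forks or outside contributors, that may let unreviewed code obtain Vault-backed secrets. Binding the Vault role to a dedicated service account rather than the namespace default, e.g. `serviceAccountName: rpmbuilder` (name to be created; constructed here), and restricting the trigger to trusted branches or a manual approval keeps the blast radius small. The image reference `woodpeckerci/plugin-docker-buildx:latest-insecure` is a floating tag and, judging by its name, the insecure variant of the plugin; pinning a released version (ideally by digest) makes the build reproducible and reviewable. The second file section below repeats this configuration verbatim and needs the same treatment.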
@@ -0,0 +1,15 @@
|
|||||||
|
when:
|
||||||
|
- event: pull_request
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: build rpms
|
||||||
|
image: woodpeckerci/plugin-docker-buildx:latest-insecure
|
||||||
|
commands:
|
||||||
|
- ./tools/build build-all --distro almalinux/el8
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: default
|
||||||
|
- name: show rpms
|
||||||
|
image: git.unkin.net/unkin/almalinux8-base:latest
|
||||||
|
commands:
|
||||||
|
- find /workspace -type f -name "*.rpm"
|
||||||
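Review bot: This file section is byte-for-byte identical to the previous one, down to `--distro almalinux/el8`; if these are two separate pipeline files, one of them appears to be a copy-paste that was never adjusted. Given that the Makefile in this commit defaults to `DISTRO ?= almalinux/el9`, it seems likely the second pipeline was meant to build el9, in which case the command should read `- ./tools/build build-all --distro almalinux/el9`; if only one pipeline is intended, the duplicate should be dropped. Either way, a one-line comment at the top naming what the file builds would make the divergence obvious to the next reader.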
@@ -0,0 +1,9 @@
|
|||||||
|
when:
|
||||||
|
- event: pull_request
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: pre-commit
|
||||||
|
image: git.unkin.net/unkin/almalinux9-base:latest
|
||||||
|
commands:
|
||||||
|
- dnf install uv make -y
|
||||||
|
- uvx pre-commit run --all-files
|
||||||
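Review bot: The `pre-commit` step installs tooling unpinned at run time: `dnf install uv make -y` pulls whatever `uv` the base image's repositories serve, and `uvx pre-commit run --all-files` resolves the latest `pre-commit` from PyPI on every run, so the lint result depends on packages fetched outside version control. Pinning the runner, e.g. `- uvx pre-commit@<pinned version> run --all-files`, and ideally baking `uv` into `almalinux9-base` or pinning its package version, makes the check reproducible and limits what a compromised upstream release could inject into CI. A short comment such as `# tool versions are pinned so the lint result does not drift between runs` documents the intent.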
@@ -3,6 +3,10 @@ ROOT_DIR := $(PWD)
|
|||||||
BUILD_TOOL := $(ROOT_DIR)/tools/build
|
BUILD_TOOL := $(ROOT_DIR)/tools/build
|
||||||
DISTRO ?= almalinux/el9
|
DISTRO ?= almalinux/el9
|
||||||
|
|
||||||
|
# Authentication variables (optional)
|
||||||
|
# VAULT_ROLE_ID - Use AppRole authentication if set
|
||||||
|
# VAULT_ROLE - Kubernetes role for service account authentication (default: rpmbuilder)
|
||||||
|
|
||||||
# Automatically find all packages with metadata.yaml
|
# Automatically find all packages with metadata.yaml
|
||||||
PACKAGES := $(shell find $(ROOT_DIR)/rpms -mindepth 1 -maxdepth 1 -type d -exec test -f {}/metadata.yaml \; -print | xargs -n1 basename | sort)
|
PACKAGES := $(shell find $(ROOT_DIR)/rpms -mindepth 1 -maxdepth 1 -type d -exec test -f {}/metadata.yaml \; -print | xargs -n1 basename | sort)
|
||||||
|
|
||||||
|
|||||||
+47
-16
@@ -156,7 +156,7 @@ class PackageMetadata:
|
|||||||
|
|
||||||
def get_vault_client() -> hvac.Client:
|
def get_vault_client() -> hvac.Client:
|
||||||
"""
|
"""
|
||||||
Initialize and authenticate Vault client using AppRole authentication.
|
Initialize and authenticate Vault client using AppRole or Kubernetes authentication.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
Authenticated HVAC client
|
Authenticated HVAC client
|
||||||
@@ -166,10 +166,7 @@ def get_vault_client() -> hvac.Client:
|
|||||||
# Get required environment variables
|
# Get required environment variables
|
||||||
vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200')
|
vault_addr = os.getenv('VAULT_ADDR', 'https://vault.service.consul:8200')
|
||||||
vault_role_id = os.getenv('VAULT_ROLE_ID')
|
vault_role_id = os.getenv('VAULT_ROLE_ID')
|
||||||
|
vault_role = os.getenv('VAULT_ROLE', 'rpmbuilder')
|
||||||
if not vault_role_id:
|
|
||||||
logger.error("VAULT_ROLE_ID environment variable is required")
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# Initialize Vault client with CA certificate
|
# Initialize Vault client with CA certificate
|
||||||
client = hvac.Client(
|
client = hvac.Client(
|
||||||
@@ -177,21 +174,55 @@ def get_vault_client() -> hvac.Client:
|
|||||||
verify='/etc/pki/tls/cert.pem'
|
verify='/etc/pki/tls/cert.pem'
|
||||||
)
|
)
|
||||||
|
|
||||||
# Authenticate using AppRole
|
# Use AppRole authentication if VAULT_ROLE_ID is available
|
||||||
try:
|
if vault_role_id:
|
||||||
logger.debug(f"Authenticating to Vault at {vault_addr}")
|
try:
|
||||||
client.auth.approle.login(role_id=vault_role_id)
|
logger.debug(f"Authenticating to Vault at {vault_addr} using AppRole")
|
||||||
|
client.auth.approle.login(role_id=vault_role_id)
|
||||||
|
|
||||||
if not client.is_authenticated():
|
if not client.is_authenticated():
|
||||||
logger.error("Failed to authenticate with Vault")
|
logger.error("Failed to authenticate with Vault using AppRole")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
logger.debug("Successfully authenticated with Vault using AppRole")
|
||||||
|
return client
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
logger.error(f"AppRole authentication failed: {e}")
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
logger.debug("Successfully authenticated with Vault")
|
# Fallback to Kubernetes authentication if service account token is available
|
||||||
return client
|
service_account_token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
|
||||||
|
|
||||||
except Exception as e:
|
if os.path.exists(service_account_token_path):
|
||||||
logger.error(f"Vault authentication failed: {e}")
|
try:
|
||||||
sys.exit(1)
|
logger.debug(f"Attempting Kubernetes authentication to Vault at {vault_addr}")
|
||||||
|
|
||||||
|
# Read the service account token
|
||||||
|
with open(service_account_token_path, 'r') as f:
|
||||||
|
jwt_token = f.read().strip()
|
||||||
|
|
||||||
|
# Authenticate using Kubernetes auth method
|
||||||
|
client.auth.kubernetes.login(
|
||||||
|
role=vault_role,
|
||||||
|
jwt=jwt_token,
|
||||||
|
mount_point='k8s/au/syd1'
|
||||||
|
)
|
||||||
|
|
||||||
|
if not client.is_authenticated():
|
||||||
|
logger.error("Failed to authenticate with Vault using Kubernetes auth")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
logger.debug("Successfully authenticated with Vault using Kubernetes auth")
|
||||||
|
return client
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
logger.error(f"Kubernetes authentication failed: {e}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# No authentication method available
|
||||||
|
logger.error("Neither VAULT_ROLE_ID environment variable nor Kubernetes service account token is available")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
|
||||||
def get_gitea_token() -> str:
|
def get_gitea_token() -> str:
|
||||||
|
|||||||
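Review bot: The Kubernetes auth call in the last hunk hard-codes `mount_point='k8s/au/syd1'`, a cluster-specific Vault mount, right next to a `vault_role` that was deliberately made configurable through `VAULT_ROLE`; this ties the script to one cluster and will silently fail with an auth error when run elsewhere. Reading it the same way, e.g. `vault_k8s_mount = os.getenv('VAULT_K8S_MOUNT', 'k8s/au/syd1')` (variable name constructed here) near the other `os.getenv` calls and passing `mount_point=vault_k8s_mount`, keeps the default but makes it overridable. The comment `# Fallback to Kubernetes authentication if service account token is available` is misleading: an AppRole failure calls `sys.exit(1)` and never reaches this branch, so it is an either/or selection keyed on `VAULT_ROLE_ID`, and wording like `# Use Kubernetes auth only when no VAULT_ROLE_ID is set and a service account token is mounted` would describe the actual control flow. The broad `except Exception` blocks on both paths log `{e}` verbatim; since hvac errors can carry the server's response, it is worth confirming that nothing sensitive lands in CI logs. `get_vault_client` begins in the first hunk of this file section, so its signature and docstring are outside this hunk.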