Add on-tag RPM build (nfpm) and upload to artifactapi
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful

Publish the plugin as an installable RPM so hosts can drop it into the Vault/
OpenBao plugin directory. On a tag, build the binary, package it with nfpm
(mirroring the rpmbuilder approach), and upload the RPM to artifactapi's local
rpm-internal repository.

- Add packaging/nfpm.yaml installing the binary to /opt/vault-plugins/ plus a
  preinstall script that creates the directory
- Add scripts/build-rpm.sh and make rpm / rpm-package targets
- Add .woodpecker/release.yml (event: tag): build -> nfpm package -> PUT to
  artifactapi remotes/rpm-internal/files/
This commit is contained in:
2026-07-03 12:43:07 +10:00
parent 51e8681731
commit f388709c78
5 changed files with 110 additions and 1 deletions
+28
View File
@@ -0,0 +1,28 @@
when:
- event: tag
steps:
- name: build
image: git.unkin.net/unkin/almalinux9-gobuilder:20260606
commands:
- make build VERSION=${CI_COMMIT_TAG}
- name: package
image: git.unkin.net/unkin/almalinux9-rpmbuilder:latest
commands:
- ./scripts/build-rpm.sh ${CI_COMMIT_TAG}
depends_on: [build]
- name: upload
image: git.unkin.net/unkin/almalinux9-base:20260606
commands:
- |
for rpm in dist/*.rpm; do
FILE=$$(basename "$$rpm")
echo "Uploading $${FILE} to artifactapi rpm-internal"
curl -f -X PUT \
"https://artifactapi3.k8s.syd1.au.unkin.net/api/v2/remotes/rpm-internal/files/$${FILE}" \
-H "Content-Type: application/x-rpm" \
--data-binary @"$$rpm"
done
depends_on: [package]
+8 -1
View File
@@ -1,4 +1,4 @@
.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down patch minor major check-go
.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down rpm rpm-package patch minor major check-go
BINARY := vault-plugin-secrets-litellm
PKG := ./cmd/vault-plugin-secrets-litellm
@@ -36,6 +36,13 @@ tidy:
clean:
rm -rf $(PLUGIN_DIR)
# Build the plugin binary then package it into an RPM with nfpm.
rpm: build rpm-package
# Package an already-built binary into an RPM (used by CI after the build step).
rpm-package:
./scripts/build-rpm.sh $(VERSION)
# End-to-end tests spin up LiteLLM + Postgres and both Vault and OpenBao in
# Docker, then exercise the full lifecycle (configure, create role, generate,
# use, revoke) against each engine using the same plugin binary.
+36
View File
@@ -0,0 +1,36 @@
---
# nfpm config for building the vault-plugin-secrets-litellm RPM.
# Rendered through envsubst (see scripts/build-rpm.sh) then fed to `nfpm pkg`.
name: ${PACKAGE_NAME}
version: ${PACKAGE_VERSION}
release: ${PACKAGE_RELEASE}
arch: ${PACKAGE_ARCH}
platform: ${PACKAGE_PLATFORM}
section: default
priority: extra
description: "${PACKAGE_DESCRIPTION}"
maintainer: ${PACKAGE_MAINTAINER}
homepage: ${PACKAGE_HOMEPAGE}
license: ${PACKAGE_LICENSE}
disable_globbing: false
replaces:
- vault-plugin-secrets-litellm
provides:
- vault-plugin-secrets-litellm
# Install the plugin binary into the Vault/OpenBao plugin directory. Point the
# server's plugin_directory at /opt/vault-plugins to pick it up.
contents:
- src: dist/vault-plugin-secrets-litellm
dst: /opt/vault-plugins/vault-plugin-secrets-litellm
file_info:
mode: 0755
owner: root
group: root
scripts:
preinstall: packaging/scripts/preinstall.sh
+3
View File
@@ -0,0 +1,3 @@
#!/usr/bin/env bash
# Ensure the plugin directory exists before the binary is laid down.
mkdir -p /opt/vault-plugins
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
#
# Package the (already built) plugin binary into an RPM with nfpm.
# Usage: scripts/build-rpm.sh [version] (version defaults to $CI_COMMIT_TAG)
#
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${ROOT_DIR}"
VERSION="${1:-${CI_COMMIT_TAG:-0.0.0-dev}}"
VERSION="${VERSION#v}" # strip a leading v
BINARY="vault-plugin-secrets-litellm"
DIST="dist"
if [ ! -f "${DIST}/${BINARY}" ]; then
echo "ERROR: ${DIST}/${BINARY} not found; run 'make build' first" >&2
exit 1
fi
export PACKAGE_NAME="${BINARY}"
export PACKAGE_VERSION="${VERSION}"
export PACKAGE_RELEASE="1"
export PACKAGE_ARCH="amd64"
export PACKAGE_PLATFORM="linux"
export PACKAGE_DESCRIPTION="Vault/OpenBao dynamic secrets engine for LiteLLM virtual keys"
export PACKAGE_MAINTAINER="Ben Vincent <ben@unkin.net>"
export PACKAGE_HOMEPAGE="https://git.unkin.net/unkin/vault-plugin-secrets-litellm"
export PACKAGE_LICENSE="MIT"
envsubst < packaging/nfpm.yaml > "${DIST}/nfpm.yaml"
nfpm pkg --config "${DIST}/nfpm.yaml" --target "${DIST}" --packager rpm
echo "Built:"
ls -1 "${DIST}"/*.rpm