From f388709c78bd5fc791770130be40ed08a82f039b Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 Jul 2026 12:43:07 +1000 Subject: [PATCH] Add on-tag RPM build (nfpm) and upload to artifactapi Publish the plugin as an installable RPM so hosts can drop it into the Vault/ OpenBao plugin directory. On a tag, build the binary, package it with nfpm (mirroring the rpmbuilder approach), and upload the RPM to artifactapi's local rpm-internal repository. - Add packaging/nfpm.yaml installing the binary to /opt/vault-plugins/ plus a preinstall script that creates the directory - Add scripts/build-rpm.sh and make rpm / rpm-package targets - Add .woodpecker/release.yml (event: tag): build -> nfpm package -> PUT to artifactapi remotes/rpm-internal/files/ --- .woodpecker/release.yml | 28 +++++++++++++++++++++++++ Makefile | 9 ++++++++- packaging/nfpm.yaml | 36 +++++++++++++++++++++++++++++++++ packaging/scripts/preinstall.sh | 3 +++ scripts/build-rpm.sh | 35 ++++++++++++++++++++++++++++++++ 5 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 .woodpecker/release.yml create mode 100644 packaging/nfpm.yaml create mode 100755 packaging/scripts/preinstall.sh create mode 100755 scripts/build-rpm.sh diff --git a/.woodpecker/release.yml b/.woodpecker/release.yml new file mode 100644 index 0000000..33d76d7 --- /dev/null +++ b/.woodpecker/release.yml 
@@ -0,0 +1,28 @@ +when: + - event: tag + +steps: + - name: build + image: git.unkin.net/unkin/almalinux9-gobuilder:20260606 + commands: + - make build VERSION=${CI_COMMIT_TAG} + + - name: package + image: git.unkin.net/unkin/almalinux9-rpmbuilder:latest + commands: + - ./scripts/build-rpm.sh ${CI_COMMIT_TAG} + depends_on: [build] + + - name: upload + image: git.unkin.net/unkin/almalinux9-base:20260606 + commands: + - | + for rpm in dist/*.rpm; do + FILE=$$(basename "$$rpm") + echo "Uploading $${FILE} to artifactapi rpm-internal" + curl -f -X PUT \ + "https://artifactapi3.k8s.syd1.au.unkin.net/api/v2/remotes/rpm-internal/files/$${FILE}" \ + -H "Content-Type: application/x-rpm" \ + --data-binary @"$$rpm" + done + depends_on: [package] diff --git a/Makefile b/Makefile index 51792d4..0399ead 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down patch minor major check-go +.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down rpm rpm-package patch minor major check-go BINARY := vault-plugin-secrets-litellm PKG := ./cmd/vault-plugin-secrets-litellm @@ -36,6 +36,13 @@ tidy: clean: rm -rf $(PLUGIN_DIR) +# Build the plugin binary then package it into an RPM with nfpm. +rpm: build rpm-package + +# Package an already-built binary into an RPM (used by CI after the build step). +rpm-package: + ./scripts/build-rpm.sh $(VERSION) + # End-to-end tests spin up LiteLLM + Postgres and both Vault and OpenBao in # Docker, then exercise the full lifecycle (configure, create role, generate, # use, revoke) against each engine using the same plugin binary. diff --git a/packaging/nfpm.yaml b/packaging/nfpm.yaml new file mode 100644 index 0000000..8809a8a --- /dev/null +++ b/packaging/nfpm.yaml 
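Review bot: The `package` step pulls `almalinux9-rpmbuilder:latest` while `build` and `upload` pin a dated tag, so the image that assembles the released RPM can change without any commit; pin it the same way, `image: git.unkin.net/unkin/almalinux9-rpmbuilder:<dated-tag-or-digest>`. `${CI_COMMIT_TAG}` is also spliced unquoted into the `make build` and `build-rpm.sh` commands. As far as I know Woodpecker substitutes it into the command text before the shell runs, so a tag name containing shell metacharacters would be interpreted. Prefer the quoted runtime variable, e.g. `./scripts/build-rpm.sh "$${CI_COMMIT_TAG}"`, and reject tags that do not match the expected version pattern. The `curl -X PUT` sends no credential and nothing visible here signs or checksums the RPM, so confirm that artifactapi restricts who may write to rpm-internal, since whatever lands there is installed as a Vault/OpenBao plugin.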
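Review bot: `rpm: build rpm-package` lists the two targets as independent prerequisites, so under `make -j` the packaging script can start before `build` has written the binary. It would then either fail or package a stale binary left over from an earlier run. Give `rpm` its own recipe instead, `rpm: build` followed by `./scripts/build-rpm.sh "$(VERSION)"`, and keep `rpm-package` as the CI-only entry point. Quoting `$(VERSION)` in both recipes also stops a tag-derived value from being word-split by the shell.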
@@ -0,0 +1,36 @@
+---
+# nfpm config for building the vault-plugin-secrets-litellm RPM.
+# Rendered through envsubst (see scripts/build-rpm.sh) then fed to `nfpm pkg`.
+
+name: ${PACKAGE_NAME}
+version: ${PACKAGE_VERSION}
+release: ${PACKAGE_RELEASE}
+arch: ${PACKAGE_ARCH}
+platform: ${PACKAGE_PLATFORM}
+section: default
+priority: extra
+description: "${PACKAGE_DESCRIPTION}"
+
+maintainer: ${PACKAGE_MAINTAINER}
+homepage: ${PACKAGE_HOMEPAGE}
+license: ${PACKAGE_LICENSE}
+
+disable_globbing: false
+
+replaces:
+ - vault-plugin-secrets-litellm
+provides:
+ - vault-plugin-secrets-litellm
+
+# Install the plugin binary into the Vault/OpenBao plugin directory. Point the
+# server's plugin_directory at /opt/vault-plugins to pick it up.
+contents:
+ - src: dist/vault-plugin-secrets-litellm
+ dst: /opt/vault-plugins/vault-plugin-secrets-litellm
+ file_info:
+ mode: 0755
+ owner: root
+ group: root
+
+scripts:
+ preinstall: packaging/scripts/preinstall.sh
diff --git a/packaging/scripts/preinstall.sh b/packaging/scripts/preinstall.sh
new file mode 100755
index 0000000..9ec17d6
--- /dev/null
+++ b/packaging/scripts/preinstall.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Ensure the plugin directory exists before the binary is laid down.
+mkdir -p /opt/vault-plugins
diff --git a/scripts/build-rpm.sh b/scripts/build-rpm.sh
new file mode 100755
index 0000000..80396dc
--- /dev/null
+++ b/scripts/build-rpm.sh
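Review bot: No `rpm.signature` block is configured, so the package uploaded to rpm-internal is unsigned and hosts cannot enforce `gpgcheck=1` on a package that installs code into the Vault/OpenBao plugin directory. nfpm can sign at build time through `rpm: signature: key_file:`, with the key supplied to the CI step as a secret. Separately, because the file is rendered with envsubst, every `${…}` value lands in the YAML as raw text and only `description` is quoted. Quoting `version` and `maintainer` as well, e.g. `version: "${PACKAGE_VERSION}"`, keeps an unusual tag or a value containing `: ` or ` #` from changing the document structure.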
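Review bot: `mkdir -p /opt/vault-plugins` leaves the directory's mode and owner to the host's umask and to whatever already exists at that path. Because the package does not own the directory, `rpm -V` will never flag a plugin directory that has become group- or world-writable. Declaring it in `packaging/nfpm.yaml` as a `contents` entry with `type: dir` and a `file_info` of `mode: 0755`, `owner: root`, `group: root` lets RPM create and track it and makes this script unnecessary. If the script stays, a comment such as `# mode/owner are not enforced here; the directory must be root-owned and not writable by others` would record the assumption.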
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+#
+# Package the (already built) plugin binary into an RPM with nfpm.
+# Usage: scripts/build-rpm.sh [version] (version defaults to $CI_COMMIT_TAG)
+#
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "${ROOT_DIR}"
+
+VERSION="${1:-${CI_COMMIT_TAG:-0.0.0-dev}}"
+VERSION="${VERSION#v}" # strip a leading v
+BINARY="vault-plugin-secrets-litellm"
+DIST="dist"
+
+if [ ! -f "${DIST}/${BINARY}" ]; then
+ echo "ERROR: ${DIST}/${BINARY} not found; run 'make build' first" >&2
+ exit 1
+fi
+
+export PACKAGE_NAME="${BINARY}"
+export PACKAGE_VERSION="${VERSION}"
+export PACKAGE_RELEASE="1"
+export PACKAGE_ARCH="amd64"
+export PACKAGE_PLATFORM="linux"
+export PACKAGE_DESCRIPTION="Vault/OpenBao dynamic secrets engine for LiteLLM virtual keys"
+export PACKAGE_MAINTAINER="Ben Vincent "
+export PACKAGE_HOMEPAGE="https://git.unkin.net/unkin/vault-plugin-secrets-litellm"
+export PACKAGE_LICENSE="MIT"
+
+envsubst < packaging/nfpm.yaml > "${DIST}/nfpm.yaml"
+nfpm pkg --config "${DIST}/nfpm.yaml" --target "${DIST}" --packager rpm
+
+echo "Built:"
+ls -1 "${DIST}"/*.rpm
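Review bot: `VERSION` comes straight from `$1` or `$CI_COMMIT_TAG` and is written into the rendered nfpm config with no format check, so a malformed or hostile tag name reaches both the YAML and the package metadata. Add a guard after the leading `v` is stripped, e.g. `[[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.]+)?$ ]] || { echo "ERROR: invalid version: ${VERSION}" >&2; exit 1; }`. Calling `envsubst` with an explicit variable list (`envsubst '${PACKAGE_NAME} ${PACKAGE_VERSION} …'`) would also limit expansion to the `PACKAGE_*` placeholders rather than anything present in the CI environment. `PACKAGE_ARCH` is fixed at `amd64`, so a comment that the build step must produce a matching binary would help.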