Add on-tag RPM build (nfpm) and upload to artifactapi
Publish the plugin as an installable RPM so hosts can drop it into the Vault/ OpenBao plugin directory. On a tag, build the binary, package it with nfpm (mirroring the rpmbuilder approach), and upload the RPM to artifactapi's local rpm-internal repository. - Add packaging/nfpm.yaml installing the binary to /opt/vault-plugins/ plus a preinstall script that creates the directory - Add scripts/build-rpm.sh and make rpm / rpm-package targets - Add .woodpecker/release.yml (event: tag): build -> nfpm package -> PUT to artifactapi remotes/rpm-internal/files/
This commit is contained in:
@@ -0,0 +1,28 @@
|
|||||||
|
when:
|
||||||
|
- event: tag
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: build
|
||||||
|
image: git.unkin.net/unkin/almalinux9-gobuilder:20260606
|
||||||
|
commands:
|
||||||
|
- make build VERSION=${CI_COMMIT_TAG}
|
||||||
|
|
||||||
|
- name: package
|
||||||
|
image: git.unkin.net/unkin/almalinux9-rpmbuilder:latest
|
||||||
|
commands:
|
||||||
|
- ./scripts/build-rpm.sh ${CI_COMMIT_TAG}
|
||||||
|
depends_on: [build]
|
||||||
|
|
||||||
|
- name: upload
|
||||||
|
image: git.unkin.net/unkin/almalinux9-base:20260606
|
||||||
|
commands:
|
||||||
|
- |
|
||||||
|
for rpm in dist/*.rpm; do
|
||||||
|
FILE=$$(basename "$$rpm")
|
||||||
|
echo "Uploading $${FILE} to artifactapi rpm-internal"
|
||||||
|
curl -f -X PUT \
|
||||||
|
"https://artifactapi3.k8s.syd1.au.unkin.net/api/v2/remotes/rpm-internal/files/$${FILE}" \
|
||||||
|
-H "Content-Type: application/x-rpm" \
|
||||||
|
--data-binary @"$$rpm"
|
||||||
|
done
|
||||||
|
depends_on: [package]
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down patch minor major check-go
|
.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down rpm rpm-package patch minor major check-go
|
||||||
|
|
||||||
BINARY := vault-plugin-secrets-litellm
|
BINARY := vault-plugin-secrets-litellm
|
||||||
PKG := ./cmd/vault-plugin-secrets-litellm
|
PKG := ./cmd/vault-plugin-secrets-litellm
|
||||||
@@ -36,6 +36,13 @@ tidy:
|
|||||||
clean:
|
clean:
|
||||||
rm -rf $(PLUGIN_DIR)
|
rm -rf $(PLUGIN_DIR)
|
||||||
|
|
||||||
|
# Build the plugin binary then package it into an RPM with nfpm.
|
||||||
|
rpm: build rpm-package
|
||||||
|
|
||||||
|
# Package an already-built binary into an RPM (used by CI after the build step).
|
||||||
|
rpm-package:
|
||||||
|
./scripts/build-rpm.sh $(VERSION)
|
||||||
|
|
||||||
# End-to-end tests spin up LiteLLM + Postgres and both Vault and OpenBao in
|
# End-to-end tests spin up LiteLLM + Postgres and both Vault and OpenBao in
|
||||||
# Docker, then exercise the full lifecycle (configure, create role, generate,
|
# Docker, then exercise the full lifecycle (configure, create role, generate,
|
||||||
# use, revoke) against each engine using the same plugin binary.
|
# use, revoke) against each engine using the same plugin binary.
|
||||||
|
|||||||
@@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
# nfpm config for building the vault-plugin-secrets-litellm RPM.
|
||||||
|
# Rendered through envsubst (see scripts/build-rpm.sh) then fed to `nfpm pkg`.
|
||||||
|
|
||||||
|
name: ${PACKAGE_NAME}
|
||||||
|
version: ${PACKAGE_VERSION}
|
||||||
|
release: ${PACKAGE_RELEASE}
|
||||||
|
arch: ${PACKAGE_ARCH}
|
||||||
|
platform: ${PACKAGE_PLATFORM}
|
||||||
|
section: default
|
||||||
|
priority: extra
|
||||||
|
description: "${PACKAGE_DESCRIPTION}"
|
||||||
|
|
||||||
|
maintainer: ${PACKAGE_MAINTAINER}
|
||||||
|
homepage: ${PACKAGE_HOMEPAGE}
|
||||||
|
license: ${PACKAGE_LICENSE}
|
||||||
|
|
||||||
|
disable_globbing: false
|
||||||
|
|
||||||
|
replaces:
|
||||||
|
- vault-plugin-secrets-litellm
|
||||||
|
provides:
|
||||||
|
- vault-plugin-secrets-litellm
|
||||||
|
|
||||||
|
# Install the plugin binary into the Vault/OpenBao plugin directory. Point the
|
||||||
|
# server's plugin_directory at /opt/vault-plugins to pick it up.
|
||||||
|
contents:
|
||||||
|
- src: dist/vault-plugin-secrets-litellm
|
||||||
|
dst: /opt/vault-plugins/vault-plugin-secrets-litellm
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
scripts:
|
||||||
|
preinstall: packaging/scripts/preinstall.sh
|
||||||
Executable
+3
@@ -0,0 +1,3 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# Ensure the plugin directory exists before the binary is laid down.
|
||||||
|
mkdir -p /opt/vault-plugins
|
||||||
Executable
+35
@@ -0,0 +1,35 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
#
|
||||||
|
# Package the (already built) plugin binary into an RPM with nfpm.
|
||||||
|
# Usage: scripts/build-rpm.sh [version] (version defaults to $CI_COMMIT_TAG)
|
||||||
|
#
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||||
|
cd "${ROOT_DIR}"
|
||||||
|
|
||||||
|
VERSION="${1:-${CI_COMMIT_TAG:-0.0.0-dev}}"
|
||||||
|
VERSION="${VERSION#v}" # strip a leading v
|
||||||
|
BINARY="vault-plugin-secrets-litellm"
|
||||||
|
DIST="dist"
|
||||||
|
|
||||||
|
if [ ! -f "${DIST}/${BINARY}" ]; then
|
||||||
|
echo "ERROR: ${DIST}/${BINARY} not found; run 'make build' first" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
export PACKAGE_NAME="${BINARY}"
|
||||||
|
export PACKAGE_VERSION="${VERSION}"
|
||||||
|
export PACKAGE_RELEASE="1"
|
||||||
|
export PACKAGE_ARCH="amd64"
|
||||||
|
export PACKAGE_PLATFORM="linux"
|
||||||
|
export PACKAGE_DESCRIPTION="Vault/OpenBao dynamic secrets engine for LiteLLM virtual keys"
|
||||||
|
export PACKAGE_MAINTAINER="Ben Vincent <ben@unkin.net>"
|
||||||
|
export PACKAGE_HOMEPAGE="https://git.unkin.net/unkin/vault-plugin-secrets-litellm"
|
||||||
|
export PACKAGE_LICENSE="MIT"
|
||||||
|
|
||||||
|
envsubst < packaging/nfpm.yaml > "${DIST}/nfpm.yaml"
|
||||||
|
nfpm pkg --config "${DIST}/nfpm.yaml" --target "${DIST}" --packager rpm
|
||||||
|
|
||||||
|
echo "Built:"
|
||||||
|
ls -1 "${DIST}"/*.rpm
|
||||||
Reference in New Issue
Block a user