3 Commits

Author SHA1 Message Date
benvin 0edc93f6db Merge pull request 'Add LiteLLM dynamic secrets engine implementation' (#1) from benvin/initial-implementation into main
ci/woodpecker/tag/release Pipeline was successful
Reviewed-on: #1
2026-07-03 13:04:56 +10:00
unkinben 023a6f03e2 Probe for an existing RPM before uploading to artifactapi
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
Avoid a failed/confusing re-upload by checking whether the package is already
published before PUTting it. artifactapi has no HEAD route (returns 405), so the
guard uses a GET against the served path (RPMs are stored under Packages/): a
200 means it exists and the upload is skipped, anything else proceeds.

Also point at the reachable artifactapi host (artifactapi.k8s.syd1.au.unkin.net,
as used by rpmbuilder) instead of the unresolvable artifactapi3 name.
2026-07-03 12:51:09 +10:00
unkinben f388709c78 Add on-tag RPM build (nfpm) and upload to artifactapi
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
Publish the plugin as an installable RPM so hosts can drop it into the Vault/
OpenBao plugin directory. On a tag, build the binary, package it with nfpm
(mirroring the rpmbuilder approach), and upload the RPM to artifactapi's local
rpm-internal repository.

- Add packaging/nfpm.yaml installing the binary to /opt/vault-plugins/ plus a
  preinstall script that creates the directory
- Add scripts/build-rpm.sh and make rpm / rpm-package targets
- Add .woodpecker/release.yml (event: tag): build -> nfpm package -> PUT to
  artifactapi remotes/rpm-internal/files/
2026-07-03 12:43:07 +10:00
5 changed files with 120 additions and 1 deletions
+38
View File
@@ -0,0 +1,38 @@
when:
- event: tag
steps:
- name: build
image: git.unkin.net/unkin/almalinux9-gobuilder:20260606
commands:
- make build VERSION=${CI_COMMIT_TAG}
- name: package
image: git.unkin.net/unkin/almalinux9-rpmbuilder:latest
commands:
- ./scripts/build-rpm.sh ${CI_COMMIT_TAG}
depends_on: [build]
- name: upload
image: git.unkin.net/unkin/almalinux9-base:20260606
commands:
- |
HOST="https://artifactapi.k8s.syd1.au.unkin.net"
REPO="rpm-internal"
for rpm in dist/*.rpm; do
FILE=$$(basename "$$rpm")
# Verify the package isn't already published before uploading.
# artifactapi has no HEAD route (returns 405), so probe with GET
# against the served path (RPMs are stored under Packages/).
code=$$(curl -s -o /dev/null -w '%{http_code}' "$$HOST/api/v2/remotes/$$REPO/files/Packages/$$FILE" || true)
if [ "$$code" = "200" ]; then
echo "$$FILE already exists in $$REPO (HTTP $$code); skipping upload"
continue
fi
echo "Uploading $$FILE to $$REPO (existence probe returned $$code)"
curl -f -X PUT \
"$$HOST/api/v2/remotes/$$REPO/files/$$FILE" \
-H "Content-Type: application/x-rpm" \
--data-binary @"$$rpm"
done
depends_on: [package]
+8 -1
View File
@@ -1,4 +1,4 @@
.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down patch minor major check-go
.PHONY: build install test lint fmt clean tidy e2e e2e-vault e2e-openbao e2e-up e2e-down rpm rpm-package patch minor major check-go
BINARY := vault-plugin-secrets-litellm
PKG := ./cmd/vault-plugin-secrets-litellm
@@ -36,6 +36,13 @@ tidy:
clean:
rm -rf $(PLUGIN_DIR)
# Build the plugin binary then package it into an RPM with nfpm.
rpm: build rpm-package
# Package an already-built binary into an RPM (used by CI after the build step).
rpm-package:
./scripts/build-rpm.sh $(VERSION)
# End-to-end tests spin up LiteLLM + Postgres and both Vault and OpenBao in
# Docker, then exercise the full lifecycle (configure, create role, generate,
# use, revoke) against each engine using the same plugin binary.
+36
View File
@@ -0,0 +1,36 @@
---
# nfpm config for building the vault-plugin-secrets-litellm RPM.
# Rendered through envsubst (see scripts/build-rpm.sh) then fed to `nfpm pkg`.
name: ${PACKAGE_NAME}
version: ${PACKAGE_VERSION}
release: ${PACKAGE_RELEASE}
arch: ${PACKAGE_ARCH}
platform: ${PACKAGE_PLATFORM}
section: default
priority: extra
description: "${PACKAGE_DESCRIPTION}"
maintainer: ${PACKAGE_MAINTAINER}
homepage: ${PACKAGE_HOMEPAGE}
license: ${PACKAGE_LICENSE}
disable_globbing: false
replaces:
- vault-plugin-secrets-litellm
provides:
- vault-plugin-secrets-litellm
# Install the plugin binary into the Vault/OpenBao plugin directory. Point the
# server's plugin_directory at /opt/vault-plugins to pick it up.
contents:
- src: dist/vault-plugin-secrets-litellm
dst: /opt/vault-plugins/vault-plugin-secrets-litellm
file_info:
mode: 0755
owner: root
group: root
scripts:
preinstall: packaging/scripts/preinstall.sh
+3
View File
@@ -0,0 +1,3 @@
#!/usr/bin/env bash
# Ensure the plugin directory exists before the binary is laid down.
mkdir -p /opt/vault-plugins
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
#
# Package the (already built) plugin binary into an RPM with nfpm.
# Usage: scripts/build-rpm.sh [version] (version defaults to $CI_COMMIT_TAG)
#
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${ROOT_DIR}"
VERSION="${1:-${CI_COMMIT_TAG:-0.0.0-dev}}"
VERSION="${VERSION#v}" # strip a leading v
BINARY="vault-plugin-secrets-litellm"
DIST="dist"
if [ ! -f "${DIST}/${BINARY}" ]; then
echo "ERROR: ${DIST}/${BINARY} not found; run 'make build' first" >&2
exit 1
fi
export PACKAGE_NAME="${BINARY}"
export PACKAGE_VERSION="${VERSION}"
export PACKAGE_RELEASE="1"
export PACKAGE_ARCH="amd64"
export PACKAGE_PLATFORM="linux"
export PACKAGE_DESCRIPTION="Vault/OpenBao dynamic secrets engine for LiteLLM virtual keys"
export PACKAGE_MAINTAINER="Ben Vincent <ben@unkin.net>"
export PACKAGE_HOMEPAGE="https://git.unkin.net/unkin/vault-plugin-secrets-litellm"
export PACKAGE_LICENSE="MIT"
envsubst < packaging/nfpm.yaml > "${DIST}/nfpm.yaml"
nfpm pkg --config "${DIST}/nfpm.yaml" --target "${DIST}" --packager rpm
echo "Built:"
ls -1 "${DIST}"/*.rpm