diff --git a/.containerignore b/.containerignore new file mode 100644 index 0000000..3ab56d6 --- /dev/null +++ b/.containerignore @@ -0,0 +1,4 @@ +* +!src +!Cargo.lock +!Cargo.toml diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..50f98f7 --- /dev/null +++ b/Containerfile @@ -0,0 +1,18 @@ +FROM docker.io/library/rust:1.73-alpine AS build + +COPY . /build + +WORKDIR /build + +RUN --mount=type=cache,target=/var/cache \ + apk add --no-cache g++ \ + && : + +RUN cargo build --release --no-default-features --features rustls \ + && strip target/release/sshca-cli + +FROM scratch + +COPY --from=build /build/target/release/sshca-cli / + +ENTRYPOINT ["/sshca-cli"] diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile index 9aa02b1..f5ae5c5 100644 --- a/ci/Jenkinsfile +++ b/ci/Jenkinsfile @@ -16,7 +16,7 @@ pipeline { } stages { - stage('CLI') { + stage('RPM') { agent { kubernetes { yamlFile 'ci/podTemplate.yaml' @@ -78,6 +78,52 @@ pipeline { } } } + + stage('Container') { + agent { + kubernetes { + yamlFile 'ci/podTemplate.yaml' + yamlMergeStrategy merge() + defaultContainer 'buildah' + nodeSelector "kubernetes.io/arch=${ARCH}" + } + } + + stages { + stage('Build') { + steps { + sh '. ci/build-container.sh' + } + post { + success { + archiveArtifacts "${ARCH}/*" + } + } + } + + stage('Publish') { + environment { + REGISTRY_AUTH_FILE = "${env.WORKSPACE_TMP}/auth.json" + } + steps { + withCredentials([usernamePassword( + credentialsId: 'jenkins-packages', + usernameVariable: 'BUILDAH_USERNAME', + passwordVariable: 'BUILDAH_PASSWORD', + )]) { + sh """ + buildah login \ + --username \${BUILDAH_USERNAME} \ + --password \${BUILDAH_PASSWORD} \ + git.pyrocufflink.net + """ + } + sh '. ci/publish-container.sh' + } + } + } + } + } } diff --git a/ci/build-container.sh b/ci/build-container.sh new file mode 100644 index 0000000..3d79218 --- /dev/null +++ b/ci/build-container.sh @@ -0,0 +1,3 @@ +. ci/common.sh + +buildah build -t "${IMAGE_NAME}:${TAG}" . 
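Review bot: The `RUN cargo build --release ...` line in the new Containerfile does not pass `--locked`, so if `Cargo.lock` disagrees with `Cargo.toml` cargo quietly rewrites the lockfile and the image is built from dependency versions that were never committed or reviewed; make a mismatch fail the build instead with `RUN cargo build --release --locked --no-default-features --features rustls \`. The `--mount=type=cache,target=/var/cache` on the apk step is dead weight, because `apk add --no-cache` deliberately bypasses the package cache under `/var/cache/apk`; keep one or the other. The build stage selects its toolchain by the floating tag `rust:1.73-alpine`; pinning it with an `@sha256:` digest keeps a silently retagged base from changing the compiler and libc underneath a "reproducible" build. The `scratch` stage has no `USER` instruction, so `/sshca-cli` runs as uid 0 in the container; if the tool does not need root at runtime (I cannot tell from this diff), a `USER 65534:65534` line before `ENTRYPOINT` is a cheap hardening.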
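Review bot: The `buildah login` call in the new Publish stage hands the registry password over as a command-line argument (`--password \${BUILDAH_PASSWORD}`), which exposes it to every process in the agent pod through the process list and, since the Jenkins `sh` step runs its script with `-x` by default, echoes it into the console log where only best-effort credential masking hides it; feed it on stdin instead: `printf '%s' "\${BUILDAH_PASSWORD}" | buildah login --username "\${BUILDAH_USERNAME}" --password-stdin git.pyrocufflink.net`. The two expansions are also unquoted, so a password containing whitespace or glob characters would be word-split before buildah ever sees it. `REGISTRY_AUTH_FILE` is written into `WORKSPACE_TMP` and nothing removes it after the push; a `post { always { sh 'buildah logout --all' } }` on the stage keeps the token from outliving the step should the agent pod or workspace be reused. The enclosing `stages` and `pipeline` blocks begin before this hunk.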
diff --git a/ci/common.sh b/ci/common.sh
new file mode 100644
index 0000000..060e8cb
--- /dev/null
+++ b/ci/common.sh
@@ -0,0 +1,13 @@
+escape_name() {
+ echo "$1" \
+ | tr A-Z a-z \
+ | sed -e 's/[^a-zA-Z0-9._-]/-/g' -e 's/^[.-]/_/'
+}
+
+REGISTRY_URL=git.pyrocufflink.net
+NAMESPACE=containerimages
+NAME="${JOB_NAME#*/}"
+NAME=$(escape_name "${NAME%/*}")
+TAG=$(escape_name "${BRANCH_NAME}")
+
+IMAGE_NAME="${REGISTRY_URL}/${NAMESPACE}/${NAME}"
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
index 898b9b8..bd0377d 100644
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@@ -12,6 +12,22 @@ spec:
 - mountPath: /etc/ssh/ssh_known_hosts
 name: ssh-known-hosts
 subPath: ssh_known_hosts
+ - name: buildah
+ image: quay.io/containers/buildah:v1
+ command:
+ - cat
+ stdin: true
+ tty: true
+ securityContext:
+ capabilities:
+ add:
+ - SYS_ADMIN
+ - MKNOD
+ - SYS_CHROOT
+ - SETFCAP
+ resources:
+ limits:
+ github.com/fuse: 1
 hostUsers: false
 volumes:
 - name: ssh-known-hosts
diff --git a/ci/publish-container.sh b/ci/publish-container.sh
new file mode 100644
index 0000000..db774c9
--- /dev/null
+++ b/ci/publish-container.sh
@@ -0,0 +1,7 @@
+. ci/common.sh
+
+buildah push "${IMAGE_NAME}:${TAG}"
+buildah push "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:${TAG}-${BUILD_NUMBER}"
+if [ ${BRANCH_NAME} = master ]; then
+ buildah push "${IMAGE_NAME}:${TAG}" "${IMAGE_NAME}:latest"
+fi
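Review bot: `escape_name` is lossy by construction: every character outside `[a-zA-Z0-9._-]` becomes `-`, so branch names such as `feature/x` and `feature-x` yield the same `TAG` and their pushes silently overwrite each other. It also never bounds the result, while registry tags are limited to 128 characters, so an overlong branch name is rejected only at push time; ending the pipeline with `| cut -c1-128` fails earlier and predictably, and appending a short hash of the raw name would resolve the collision case as well. The same helper is applied to `NAME`, where the `s/^[.-]/_/` rewrite yields a leading underscore that is not a valid start for a repository path component, so a job whose name begins with `.` or `-` would still fail at push; whether such job names exist here I cannot tell from the diff. A one-line comment above the function, `# Normalise a Jenkins job/branch name into a tag-safe string (lowercase, [a-z0-9._-])`, would tell the next reader what it is meant to guarantee.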
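Review bot: The new `buildah` container is granted `SYS_ADMIN`, `MKNOD`, `SYS_CHROOT` and `SETFCAP` plus a fuse device, and per the Jenkinsfile the same container both compiles the checked-out code (`cargo build` executes build scripts and proc-macros from whatever branch triggered the job) and later receives the registry credential, so a malicious commit on any branch runs with those capabilities and can simply wait for `auth.json` to appear. The pod-level `hostUsers: false` does confine the capabilities to a user namespace, which is the right mitigation, but it does not address the credential exposure. Pin the tool image by digest rather than the floating major tag, e.g. `image: quay.io/containers/buildah@sha256:<digest>`, so the privileged container's contents cannot change underneath the pipeline. Consider pushing from a separate container or pod that never ran untrusted build code, and scoping the `jenkins-packages` credential to push-only access on the `containerimages` namespace; the diff does not show how that credential is scoped. The `spec.containers` list this entry belongs to begins before the hunk.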
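Review bot: `${BRANCH_NAME}` is unquoted in the test on the `if` line, so an empty or whitespace-containing branch name turns `[ ${BRANCH_NAME} = master ]` into a malformed test (exit status 2) rather than a string comparison; write `if [ "${BRANCH_NAME}" = master ]; then`. The script publishes only mutable name tags (`${TAG}`, `${TAG}-${BUILD_NUMBER}`, `latest`); passing `--digestfile` to the first `buildah push` and archiving the result alongside the Build stage's `${ARCH}/*` artifacts would give downstream consumers a digest to pin to instead of a tag that can be re-pointed. The file sets no shell options and depends on the caller (it is sourced with `.` from a Jenkins `sh` step, which runs `sh -xe` by default) for fail-fast behaviour; a comment stating that assumption would explain the absence of `set -e` to the next reader.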