ci: Build CLI RPMs for aarch64

In order to automate certificate issuance and renewal for Raspberry Pi
devices, we need aarch64 builds of the `sshca` tool.  Using the `matrix`
feature of Jenkins pipelines lets us reuse the same stage definition for
building the client on both platforms.  Unfortunately, the `matrix`
block has to encompass the server stage as well, as `matrix` cannot be
nested below `parallel`, and we don't want to build the server and
clients sequentially.  This makes the code a bit less clear, as the
server and client stages are now conditional based on the matrix
intersection, but it is cleaner than duplicating the entire client
stage.
Dustin 2023-11-10 15:59:07 -06:00
parent eec0bfc83c
commit 54bd97105b
3 changed files with 126 additions and 78 deletions

189
ci/Jenkinsfile vendored

@ -3,106 +3,141 @@ pipeline {
stages { stages {
stage('SSHCA') { stage('SSHCA') {
parallel { matrix {
stage('Server') { axes {
agent { axis {
kubernetes { name 'COMPONENT'
yamlFile 'ci/serverPodTemplate.yaml' values 'client', 'server'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
} }
stages { axis {
stage('Build - Server') { name 'ARCH'
steps { values 'amd64', 'arm64'
sh '. ci/build-server.sh' }
}
excludes {
axis {
name 'COMPONENT'
values 'server'
}
axis {
name 'ARCH'
values 'arm64'
}
}
stages {
stage('Server') {
when {
expression {
env.COMPONENT == 'server'
} }
} }
agent {
kubernetes {
yamlFile 'ci/serverPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
}
stages {
stage('Build - Server') {
steps {
sh '. ci/build-server.sh'
}
}
stage('Publish - Server') { stage('Publish - Server') {
steps { steps {
withEnv([ withEnv([
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json" "REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
]) { ]) {
withCredentials([usernamePassword( withCredentials([usernamePassword(
credentialsId: 'jenkins-packages', credentialsId: 'jenkins-packages',
usernameVariable: 'BUILDAH_USERNAME', usernameVariable: 'BUILDAH_USERNAME',
passwordVariable: 'BUILDAH_PASSWORD', passwordVariable: 'BUILDAH_PASSWORD',
)]) { )]) {
sh """ sh """
buildah login \ buildah login \
--username \${BUILDAH_USERNAME} \ --username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \ --password \${BUILDAH_PASSWORD} \
git.pyrocufflink.net git.pyrocufflink.net
""" """
}
sh '. ci/publish-server.sh'
} }
sh '. ci/publish-server.sh'
} }
} }
} }
} }
}
stage('CLI') { stage('CLI') {
agent { when {
kubernetes { expression {
yamlFile 'ci/clientPodTemplate.yaml' env.COMPONENT = 'client'
yamlMergeStrategy merge()
defaultContainer 'fedora'
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
} }
} }
agent {
kubernetes {
yamlFile 'ci/clientPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
nodeSelector "kubernetes.io/arch=${ARCH}"
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
}
}
stage('Build - CLI') { stage('Build - CLI') {
steps { steps {
sh '. ci/build-client.sh' sh '. ci/build-client.sh'
script { script {
if (env.BRANCH_NAME == 'master') { if (env.BRANCH_NAME == 'master') {
withCredentials([ withCredentials([
file( file(
credentialsId: 'rpm-gpg-key', credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY', variable: 'RPM_GPG_PRIVATE_KEY',
), ),
file( file(
credentialsId: 'rpm-gpg-key-passphrase', credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE', variable: 'RPM_GPG_KEY_PASSPHRASE',
), ),
]) { ]) {
sh '. ci/sign-rpms.sh' sh '. ci/sign-rpms.sh'
}
}
}
}
post {
success {
dir('cli') {
archiveArtifacts '*.rpm'
} }
} }
} }
} }
post {
success { stage('Publish - CLI') {
dir('cli') { when {
archiveArtifacts '*.rpm' branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
} }
} }
} }
} }
stage('Publish - CLI') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
}
}
}
} }
} }
} }
} }
} }
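Review bot: The `when` expression of the new `CLI` stage reads `env.COMPONENT = 'client'`, an assignment, where the `Server` stage uses the comparison `env.COMPONENT == 'server'`. In Groovy an assignment evaluates to the assigned value, and a non-empty string is truthy, so as rendered here the condition filters nothing. The CLI stages, including the `rpm-gpg-key` signing step and `Publish - CLI` on master, would then also run in the `server` matrix cell. It should read `env.COMPONENT == 'client'`. Separately, neither `when` block sets `beforeAgent true`, so a pod is presumably still requested for the stage that each cell then skips.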


@ -11,6 +11,9 @@ spec:
name: ssh-known-hosts name: ssh-known-hosts
subPath: ssh_known_hosts subPath: ssh_known_hosts
hostUsers: false hostUsers: false
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
volumes: volumes:
- name: ssh-known-hosts - name: ssh-known-hosts
configMap: configMap:


@ -6,9 +6,19 @@ REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
ssh-add -l ssh-add -l
ssh-add -L ssh-add -L
case "$(uname -m)" in
x86_64)
# only include the SRPM once
include='*.rpm'
;;
*)
include="*.${ARCH}.rpm"
;;
esac
rsync -rtiO \ rsync -rtiO \
--chmod=ugo=rwX \ --chmod=ugo=rwX \
--include '*.rpm' \ --include "${include}" \
--exclude '*' \ --exclude '*' \
cli/ \ cli/ \
"${REPO_HOST}:${REPO_PATH}/" "${REPO_HOST}:${REPO_PATH}/"
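Review bot: The fallback branch builds the pattern from `${ARCH}`, which in the Jenkinsfile matrix is `arm64`, while RPM file names normally carry the machine architecture (`aarch64`). `--include "*.arm64.rpm"` followed by `--exclude '*'` would therefore presumably match nothing, and rsync would exit successfully without publishing the aarch64 packages. The `case` already switches on `uname -m`, so the same value can feed the pattern: `include="*.$(uname -m).rpm"`. It would also help to fail the script when `cli/` holds no file matching `${include}`, so that an empty publish shows up in the build result. The script starts above this hunk, so how `ARCH` reaches it is not visible here.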