dustin/sshca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ci: Build CLI RPMs for aarch64
All checks were successful
dustin/sshca/pipeline/pr-master This commit looks good
Details
dustin/sshca/pipeline/head This commit looks good
Details

Browse Source 
In order to automate certificate issuance and renewal for Raspberry Pi
devices, we need aarch64 builds of the `sshca` tool.  Using the `matrix`
feature of Jenkins pipelines lets us reuse the same stage definition for
building the client on both platforms.  Unfortunately, the `matrix`
block has to encompass the server stage as well, as `matrix` cannot be
nested below `parallel`, and we don't want to build the server and
clients sequentially.  This makes the code a bit less clear, as the
server and client stages are now conditional based on the matrix
intersection, but it is cleaner than duplicating the entire client
stage.
This commit is contained in:
Dustin
2023-11-10 15:59:07 -06:00
parent eec0bfc83c
commit 5f85a5a4fe
3 changed files with 132 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

199
ci/Jenkinsfile vendored
View File

@@ -3,106 +3,143 @@ pipeline {
stages {
stage('SSHCA') {
parallel {
stage('Server') {
agent {
kubernetes {
yamlFile 'ci/serverPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
matrix {
axes {
axis {
name 'COMPONENT'
values 'client', 'server'
}
stages {
stage('Build - Server') {
steps {
sh '. ci/build-server.sh'
}
}
axis {
name 'ARCH'
values 'amd64', 'arm64'
}
}
stage('Publish - Server') {
steps {
withEnv([
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
]) {
withCredentials([usernamePassword(
credentialsId: 'jenkins-packages',
usernameVariable: 'BUILDAH_USERNAME',
passwordVariable: 'BUILDAH_PASSWORD',
)]) {
sh """
buildah login \
--username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \
git.pyrocufflink.net
"""
}
sh '. ci/publish-server.sh'
}
}
excludes {
exclude {
axis {
name 'COMPONENT'
values 'server'
}
axis {
name 'ARCH'
values 'arm64'
}
}
}
stage('CLI') {
agent {
kubernetes {
yamlFile 'ci/clientPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
stages {
stage('Server') {
when {
expression {
env.COMPONENT == 'server'
}
}
agent {
kubernetes {
yamlFile 'ci/serverPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
}
stages {
stage('Build - Server') {
steps {
sh '. ci/build-server.sh'
}
}
stage('Build - CLI') {
steps {
sh '. ci/build-client.sh'
script {
if (env.BRANCH_NAME == 'master') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
stage('Publish - Server') {
steps {
withEnv([
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
]) {
withCredentials([usernamePassword(
credentialsId: 'jenkins-packages',
usernameVariable: 'BUILDAH_USERNAME',
passwordVariable: 'BUILDAH_PASSWORD',
)]) {
sh """
buildah login \
--username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \
git.pyrocufflink.net
"""
}
sh '. ci/publish-server.sh'
}
}
}
}
}
stage('CLI') {
when {
expression {
env.COMPONENT = 'client'
}
}
agent {
kubernetes {
yamlFile 'ci/clientPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
nodeSelector "kubernetes.io/arch=${ARCH}"
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
}
}
stage('Build - CLI') {
steps {
sh '. ci/build-client.sh'
script {
if (env.BRANCH_NAME == 'master') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
}
}
}
}
post {
success {
dir('cli') {
archiveArtifacts '*.rpm'
}
}
}
}
post {
success {
dir('cli') {
archiveArtifacts '*.rpm'
stage('Publish - CLI') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
}
}
}
}
stage('Publish - CLI') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
}
}
}
}
}
}
}
}

3
ci/clientPodTemplate.yaml
View File

@@ -11,6 +11,9 @@ spec:
name: ssh-known-hosts
subPath: ssh_known_hosts
hostUsers: false
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
volumes:
- name: ssh-known-hosts
configMap:

12
ci/publish-client.sh
View File

@@ -6,9 +6,19 @@ REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
ssh-add -l
ssh-add -L
case "$(uname -m)" in
x86_64)
# only include the SRPM once
include='*.rpm'
;;
*)
include="*.${ARCH}.rpm"
;;
esac
rsync -rtiO \
--chmod=ugo=rwX \
--include '*.rpm' \
--include "${include}" \
--exclude '*' \
cli/ \
"${REPO_HOST}:${REPO_PATH}/"