ci: Build CLI RPMs for aarch64

In order to automate certificate issuance and renewal for Raspberry Pi
devices, we need aarch64 builds of the `sshca` tool.  Using the `matrix`
feature of Jenkins pipelines lets us reuse the same stage definition for
building the client on both platforms.  Unfortunately, the `matrix`
block has to encompass the server stage as well, as `matrix` cannot be
nested below `parallel`, and we don't want to build the server and
clients sequentially.  This makes the code a bit less clear, as the
server and client stages are now conditional based on the matrix
intersection, but it is cleaner than duplicating the entire client
stage.
Dustin 2023-11-10 15:59:07 -06:00
parent eec0bfc83c
commit 5f85a5a4fe
3 changed files with 132 additions and 82 deletions

ci/Jenkinsfile vendored

@ -3,106 +3,143 @@ pipeline {
stages { stages {
stage('SSHCA') { stage('SSHCA') {
parallel { matrix {
stage('Server') { axes {
agent { axis {
kubernetes { name 'COMPONENT'
yamlFile 'ci/serverPodTemplate.yaml' values 'client', 'server'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
} }
stages { axis {
stage('Build - Server') { name 'ARCH'
steps { values 'amd64', 'arm64'
sh '. ci/build-server.sh' }
} }
}
stage('Publish - Server') { excludes {
steps { exclude {
withEnv([ axis {
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json" name 'COMPONENT'
]) { values 'server'
withCredentials([usernamePassword( }
credentialsId: 'jenkins-packages', axis {
usernameVariable: 'BUILDAH_USERNAME', name 'ARCH'
passwordVariable: 'BUILDAH_PASSWORD', values 'arm64'
)]) {
sh """
buildah login \
--username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \
git.pyrocufflink.net
"""
}
sh '. ci/publish-server.sh'
}
}
} }
} }
} }
stage('CLI') { stages {
agent { stage('Server') {
kubernetes { when {
yamlFile 'ci/clientPodTemplate.yaml' expression {
yamlMergeStrategy merge() env.COMPONENT == 'server'
defaultContainer 'fedora'
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
} }
} }
agent {
kubernetes {
yamlFile 'ci/serverPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
}
stages {
stage('Build - Server') {
steps {
sh '. ci/build-server.sh'
}
}
stage('Build - CLI') { stage('Publish - Server') {
steps { steps {
sh '. ci/build-client.sh' withEnv([
script { "REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
if (env.BRANCH_NAME == 'master') { ]) {
withCredentials([ withCredentials([usernamePassword(
file( credentialsId: 'jenkins-packages',
credentialsId: 'rpm-gpg-key', usernameVariable: 'BUILDAH_USERNAME',
variable: 'RPM_GPG_PRIVATE_KEY', passwordVariable: 'BUILDAH_PASSWORD',
), )]) {
file( sh """
credentialsId: 'rpm-gpg-key-passphrase', buildah login \
variable: 'RPM_GPG_KEY_PASSPHRASE', --username \${BUILDAH_USERNAME} \
), --password \${BUILDAH_PASSWORD} \
]) { git.pyrocufflink.net
sh '. ci/sign-rpms.sh' """
}
sh '. ci/publish-server.sh'
}
}
}
}
}
stage('CLI') {
when {
expression {
env.COMPONENT = 'client'
}
}
agent {
kubernetes {
yamlFile 'ci/clientPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
nodeSelector "kubernetes.io/arch=${ARCH}"
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
}
}
stage('Build - CLI') {
steps {
sh '. ci/build-client.sh'
script {
if (env.BRANCH_NAME == 'master') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
}
}
}
}
post {
success {
dir('cli') {
archiveArtifacts '*.rpm'
} }
} }
} }
} }
post {
success { stage('Publish - CLI') {
dir('cli') { when {
archiveArtifacts '*.rpm' branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
} }
} }
} }
} }
stage('Publish - CLI') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
}
}
}
} }
} }
} }
} }
} }
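Review bot: The CLI stage's `when` condition `env.COMPONENT = 'client'` is an assignment, not a comparison, so it overwrites the matrix axis value and always evaluates truthy, whereas the Server stage in the same cell correctly uses `env.COMPONENT == 'server'`. As written, the CLI stages (including the master-branch signing step under the `rpm-gpg-key` credentials and the `jenkins-repohost` publish) would also run in the server/amd64 cell, duplicating the amd64 build and publish. It should read `env.COMPONENT == 'client'`. The enclosing `pipeline` block starts before the hunk.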


@ -11,6 +11,9 @@ spec:
name: ssh-known-hosts name: ssh-known-hosts
subPath: ssh_known_hosts subPath: ssh_known_hosts
hostUsers: false hostUsers: false
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
volumes: volumes:
- name: ssh-known-hosts - name: ssh-known-hosts
configMap: configMap:


@ -6,9 +6,19 @@ REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
ssh-add -l ssh-add -l
ssh-add -L ssh-add -L
case "$(uname -m)" in
x86_64)
# only include the SRPM once
include='*.rpm'
;;
*)
include="*.${ARCH}.rpm"
;;
esac
rsync -rtiO \ rsync -rtiO \
--chmod=ugo=rwX \ --chmod=ugo=rwX \
--include '*.rpm' \ --include "${include}" \
--exclude '*' \ --exclude '*' \
cli/ \ cli/ \
"${REPO_HOST}:${REPO_PATH}/" "${REPO_HOST}:${REPO_PATH}/"
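Review bot: In the `*)` branch the include pattern is built from `${ARCH}`, which the Jenkinsfile matrix sets to `arm64`, while RPMs built on that platform are normally named `*.aarch64.rpm`, so `*.arm64.rpm` would match nothing and the aarch64 cell would publish no packages unless build-client.sh renames them. Deriving the pattern from the value the `case` already switches on, `include="*.$(uname -m).rpm"`, keeps the two consistent and removes the dependence on an externally supplied variable (which would also be unset outside Jenkins). The script's preamble, including `REPO_PATH` and the key loading, lies outside the hunk.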