dustin
/
sshca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ci: Build CLI RPMs for aarch64
dustin/sshca/pipeline/pr-master This commit looks good Details
dustin/sshca/pipeline/head This commit looks good Details 

In order to automate certificate issuance and renewal for Raspberry Pi
devices, we need aarch64 builds of the `sshca` tool.  Using the `matrix`
feature of Jenkins pipelines lets us reuse the same stage definition for
building the client on both platforms.  Unfortunately, the `matrix`
block has to encompass the server stage as well, as `matrix` cannot be
nested below `parallel`, and we don't want to build the server and
clients sequentially.  This makes the code a bit less clear, as the
server and client stages are now conditional based on the matrix
intersection, but it is cleaner than duplicating the entire client
stage.
Dustin 2023-11-10 15:59:07 -06:00
parent eec0bfc83c
commit 5f85a5a4fe
3 changed files with 132 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

199
ci/Jenkinsfile vendored
View File

@ -3,106 +3,143 @@ pipeline {
stages {
stage('SSHCA') {
parallel {
stage('Server') {
agent {
kubernetes {
yamlFile 'ci/serverPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
matrix {
axes {
axis {
name 'COMPONENT'
values 'client', 'server'
}
stages {
stage('Build - Server') {
steps {
sh '. ci/build-server.sh'
}
}
axis {
name 'ARCH'
values 'amd64', 'arm64'
}
}
stage('Publish - Server') {
steps {
withEnv([
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
]) {
withCredentials([usernamePassword(
credentialsId: 'jenkins-packages',
usernameVariable: 'BUILDAH_USERNAME',
passwordVariable: 'BUILDAH_PASSWORD',
)]) {
sh """
buildah login \
--username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \
git.pyrocufflink.net
"""
}
sh '. ci/publish-server.sh'
}
}
excludes {
exclude {
axis {
name 'COMPONENT'
values 'server'
}
axis {
name 'ARCH'
values 'arm64'
}
}
}
stage('CLI') {
agent {
kubernetes {
yamlFile 'ci/clientPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
stages {
stage('Server') {
when {
expression {
env.COMPONENT == 'server'
}
}
agent {
kubernetes {
yamlFile 'ci/serverPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'buildah'
}
}
stages {
stage('Build - Server') {
steps {
sh '. ci/build-server.sh'
}
}
stage('Build - CLI') {
steps {
sh '. ci/build-client.sh'
script {
if (env.BRANCH_NAME == 'master') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
stage('Publish - Server') {
steps {
withEnv([
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
]) {
withCredentials([usernamePassword(
credentialsId: 'jenkins-packages',
usernameVariable: 'BUILDAH_USERNAME',
passwordVariable: 'BUILDAH_PASSWORD',
)]) {
sh """
buildah login \
--username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \
git.pyrocufflink.net
"""
}
sh '. ci/publish-server.sh'
}
}
}
}
}
stage('CLI') {
when {
expression {
env.COMPONENT = 'client'
}
}
agent {
kubernetes {
yamlFile 'ci/clientPodTemplate.yaml'
yamlMergeStrategy merge()
defaultContainer 'fedora'
nodeSelector "kubernetes.io/arch=${ARCH}"
}
}
environment {
GNUPGHOME = "${env.WORKSPACE_TMP}/gnupg"
}
stages {
stage('Prepare - CLI') {
steps {
sh '. ci/prepare-client.sh'
}
}
stage('Build - CLI') {
steps {
sh '. ci/build-client.sh'
script {
if (env.BRANCH_NAME == 'master') {
withCredentials([
file(
credentialsId: 'rpm-gpg-key',
variable: 'RPM_GPG_PRIVATE_KEY',
),
file(
credentialsId: 'rpm-gpg-key-passphrase',
variable: 'RPM_GPG_KEY_PASSPHRASE',
),
]) {
sh '. ci/sign-rpms.sh'
}
}
}
}
post {
success {
dir('cli') {
archiveArtifacts '*.rpm'
}
}
}
}
post {
success {
dir('cli') {
archiveArtifacts '*.rpm'
stage('Publish - CLI') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
}
}
}
}
stage('Publish - CLI') {
when {
branch 'master'
}
steps {
sshagent(['jenkins-repohost']) {
sh '. ci/publish-client.sh'
}
}
}
}
}
}
}
}

3
ci/clientPodTemplate.yaml
View File

@ -11,6 +11,9 @@ spec:
name: ssh-known-hosts
subPath: ssh_known_hosts
hostUsers: false
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
volumes:
- name: ssh-known-hosts
configMap:

12
ci/publish-client.sh
View File

@ -6,9 +6,19 @@ REPO_PATH=/srv/www/repohost/repos/dch/fedora/$(rpm --eval %fedora)
ssh-add -l
ssh-add -L
case "$(uname -m)" in
x86_64)
# only include the SRPM once
include='*.rpm'
;;
*)
include="*.${ARCH}.rpm"
;;
esac
rsync -rtiO \
--chmod=ugo=rwX \
--include '*.rpm' \
--include "${include}" \
--exclude '*' \
cli/ \
"${REPO_HOST}:${REPO_PATH}/"