From 6a3f802e38aec3e94253e3373d9114ddee628607 Mon Sep 17 00:00:00 2001 From: Walt Della Date: Mon, 10 Oct 2022 13:10:17 -0700 Subject: [PATCH 1/2] Flip the order of the quay and ecr pipelines These are reversed in master/v11 (ecr first, and then quay) and having the order consisten across branches will make future ports easier. --- .drone.yml | 68 +++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/.drone.yml b/.drone.yml index 6c6f0a4990697..77f33ace612d8 100644 --- a/.drone.yml +++ b/.drone.yml @@ -6249,12 +6249,12 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/promote.go (main.buildDockerPromotionPipelineQuay) +# Generated at dronegen/promote.go (main.buildDockerPromotionPipelineECR) ################################################ kind: pipeline type: kubernetes -name: promote-docker-quay +name: promote-docker-ecr trigger: event: include: @@ -6263,7 +6263,7 @@ trigger: include: - production - promote-docker - - promote-docker-quay + - promote-docker-ecr repo: include: - gravitational/* 
@@ -6298,29 +6298,26 @@ steps: - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$${VERSION} - echo "---> Tagging images for $${VERSION}" - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} - quay.io/gravitational/teleport:$${VERSION} + public.ecr.aws/gravitational/teleport:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} - quay.io/gravitational/teleport-ent:$${VERSION} + public.ecr.aws/gravitational/teleport-ent:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips - quay.io/gravitational/teleport-ent:$${VERSION}-fips + public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$${VERSION} - quay.io/gravitational/teleport-operator:$${VERSION} + public.ecr.aws/gravitational/teleport-operator:$${VERSION} - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin + public.ecr.aws - echo "---> Pushing images for $${VERSION}" - - docker push quay.io/gravitational/teleport:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips - - docker push quay.io/gravitational/teleport-operator:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + - docker push public.ecr.aws/gravitational/teleport-operator:$${VERSION} environment: AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - 
from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - QUAY_PASSWORD: - from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - QUAY_USERNAME: - from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run @@ -6339,12 +6336,12 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/promote.go (main.buildDockerPromotionPipelineECR) +# Generated at dronegen/promote.go (main.buildDockerPromotionPipelineQuay) ################################################ kind: pipeline type: kubernetes -name: promote-docker-ecr +name: promote-docker-quay trigger: event: include: @@ -6353,7 +6350,7 @@ trigger: include: - production - promote-docker - - promote-docker-ecr + - promote-docker-quay repo: include: - gravitational/* 
@@ -6388,26 +6385,29 @@ steps: - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$${VERSION} - echo "---> Tagging images for $${VERSION}" - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} - public.ecr.aws/gravitational/teleport:$${VERSION} + quay.io/gravitational/teleport:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} - public.ecr.aws/gravitational/teleport-ent:$${VERSION} + quay.io/gravitational/teleport-ent:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips - public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + quay.io/gravitational/teleport-ent:$${VERSION}-fips - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$${VERSION} - public.ecr.aws/gravitational/teleport-operator:$${VERSION} + quay.io/gravitational/teleport-operator:$${VERSION} - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io - echo "---> Pushing images for $${VERSION}" - - docker push public.ecr.aws/gravitational/teleport:$${VERSION} - - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} - - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips - - docker push public.ecr.aws/gravitational/teleport-operator:$${VERSION} + - docker push quay.io/gravitational/teleport:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips + - docker push quay.io/gravitational/teleport-operator:$${VERSION} environment: AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY AWS_SECRET_ACCESS_KEY: - 
from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + QUAY_PASSWORD: + from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + QUAY_USERNAME: + from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME volumes: - name: dockersock path: /var/run @@ -7085,6 +7085,6 @@ steps: WORKSPACE_DIR: /tmp/build-darwin-amd64-connect --- kind: signature -hmac: bec18a0a480759e7187aee70e923cc41243841e22b690466946a66b480749494 +hmac: 8be241fd9eec8e795af521e656e0fa089c9a0b18b70c9ac193e11bacaa0f5e88 ... From 5dcce822d0716ceb25e1bb1a7b2f1d21ba78bab8 Mon Sep 17 00:00:00 2001 From: Walt Della Date: Tue, 4 Oct 2022 22:42:50 -0700 Subject: [PATCH 2/2] Add AWS roles to Drone pipelines Backports #17201 Contributes to gravitational/SecOps#213 --- .drone.yml | 2135 ++++++++++++++++++++++++-------- build.assets/windows/build.ps1 | 22 +- dronegen/apt.go | 3 +- dronegen/aws.go | 112 ++ dronegen/buildbox.go | 4 +- dronegen/common.go | 28 +- dronegen/mac.go | 48 +- dronegen/mac_pkg.go | 29 +- dronegen/os_repos.go | 61 +- dronegen/promote.go | 44 +- dronegen/push.go | 4 +- dronegen/relcli.go | 38 +- dronegen/tag.go | 85 +- dronegen/windows.go | 27 +- dronegen/yum.go | 3 +- 15 files changed, 2005 insertions(+), 638 deletions(-) create mode 100644 dronegen/aws.go diff --git a/.drone.yml b/.drone.yml index 77f33ace612d8..44b22c242532b 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -813,6 +813,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull relcli image: docker:cli commands: @@ -820,14 +844,12 @@ steps: - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - docker pull $RELCLI_IMAGE environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY AWS_DEFAULT_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Clean up previously built artifacts image: docker:git commands: @@ -848,10 +870,12 @@ steps: RELEASES_KEY: from_secret: RELEASES_KEY volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: tmpfs + path: /tmpfs + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind @@ -862,10 +886,12 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock +- name: awsconfig temp: {} --- 
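Review bot: A failed `aws sts assume-role` in the new `Assume AWS Role` step is masked, because it runs inside the `$(...)` substitution of the `printf` command: the command's exit status is printf's, so a credentials file with empty values is still written to `/root/.aws/credentials`, the static keys are unset, and the step only fails at the trailing `aws sts get-caller-identity`, with an error that points at the wrong command. Capturing the assume-role output in a variable first lets the failure surface where it happens and leaves no half-written credentials file behind (this assumes Drone runs step commands under `set -e`, which I believe it does). The same step body recurs in the hunks at @@ -1472 (both profile steps), @@ -1678, @@ -1825, @@ -1985, @@ -2158, @@ -2316, @@ -2445 and @@ -2636; if these sections are emitted by dronegen, the change belongs in the generator (dronegen/aws.go in the diffstat, not in view) rather than in this file.
```yaml
  - |-
    CREDS=$(aws sts assume-role \
      --role-arn "$AWS_ROLE" \
      --role-session-name "$(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g")" \
      --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
      --output text)
    # $CREDS is left unquoted on purpose: the three tab-separated fields become printf's arguments
    printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" $CREDS \
      > /root/.aws/credentials
  # … unchanged: unset of the static keys, get-caller-identity check, environment, volumes …
```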
@@ -994,12 +1020,33 @@ steps: CSC_LINK: from_secret: WINDOWS_SIGNING_CERT WORKSPACE_DIR: C:/Drone/Workspace/build-native-windows-amd64 +- name: Assume AWS Role + commands: + - $Workspace = "$Env:WORKSPACE_DIR/$Env:DRONE_BUILD_NUMBER" + - $TeleportSrc = "$Workspace/go/src/github.com/gravitational/teleport" + - $AwsSharedCredentialsFile = "$Workspace/credentials" + - $SessionName = "drone-$Env:DRONE_REPO-$Env:DRONE_BUILD_NUMBER".replace("/", "-") + - . "$TeleportSrc/build.assets/windows/build.ps1" + - Get-STSCallerIdentity + - Save-Role -RoleArn $Env:AWS_ROLE -RoleSessionName $SessionName -FilePath $AwsSharedCredentialsFile + - 'Get-ChildItem -Path Env: | Where-Object {($_.Name -Like "AWS_SECRET_ACCESS_KEY") + -or ($_.Name -Like "AWS_ACCESS_KEY_ID") } | Remove-Item' + - Get-STSCallerIdentity -ProfileLocation $AwsSharedCredentialsFile + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + WORKSPACE_DIR: C:/Drone/Workspace/build-native-windows-amd64 - name: Upload Artifacts commands: - $Workspace = "$Env:WORKSPACE_DIR/$Env:DRONE_BUILD_NUMBER" - $TeleportSrc = "$Workspace/go/src/github.com/gravitational/teleport" - $WebappsSrc = "$Workspace/go/src/github.com/gravitational/webapps" - $TeleportVersion=$Env:DRONE_TAG.TrimStart('v') + - $AwsSharedCredentialsFile = "$Workspace/credentials" - $OutputsDir="$Workspace/outputs" - New-Item -Path "$OutputsDir" -ItemType 'Directory' | Out-Null - Get-ChildItem "$WebappsSrc/packages/teleterm/build/release 
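Review bot: The temporary credentials that `Save-Role` writes to `$AwsSharedCredentialsFile` land in `$Workspace/credentials`, i.e. under `C:/Drone/Workspace/build-native-windows-amd64/<build number>` on the Windows host, rather than on a per-pipeline temp volume as the Linux pipelines use, so unless a later step outside this hunk deletes it the file outlives the build (until the session expires). A final `Remove-Item -Force -ErrorAction SilentlyContinue "$AwsSharedCredentialsFile"` in the pipeline's clean-up step would close that gap. Minor: the `Where-Object` filter uses `-Like` with no wildcard, which is just `-eq`; `$_.Name -in "AWS_ACCESS_KEY_ID","AWS_SECRET_ACCESS_KEY"` reads clearer. The `Upload Artifacts` step that follows continues in the next hunk.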
@@ -1007,15 +1054,12 @@ steps: Setup*.exe" -Destination $OutputsDir - . "$TeleportSrc/build.assets/windows/build.ps1" - Format-FileHashes -PathGlob "$OutputsDir/*.exe" - - Copy-Artifacts -Path $OutputsDir -Bucket $Env:AWS_S3_BUCKET -DstRoot "/teleport/tag/$TeleportVersion" + - Copy-Artifacts -ProfileLocation $AwsSharedCredentialsFile -Path $OutputsDir -Bucket + $Env:AWS_S3_BUCKET -DstRoot "/teleport/tag/$TeleportVersion" environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY WORKSPACE_DIR: C:/Drone/Workspace/build-native-windows-amd64 - name: Register artifacts commands: 
@@ -1385,33 +1429,6 @@ steps: - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME - - name: Build/push Teleport Lab Docker image - image: docker:git - environment: - OS: linux - ARCH: amd64 - settings: - username: - from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: - from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - volumes: - - name: dockersock - path: /var/run - commands: - - export TELEPORT_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt | tr -d '^v') - - export TELEPORT_LAB_IMAGE_NAME="quay.io/gravitational/teleport-lab:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - # Check out code - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git init && git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin - - git checkout -qf ${DRONE_COMMIT_SHA} - # Build and push Teleport lab image - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io - - docker build --build-arg TELEPORT_TAG=$TELEPORT_TAG -t $TELEPORT_LAB_IMAGE_NAME /go/src/github.com/gravitational/teleport/docker/sshd - - docker push $TELEPORT_LAB_IMAGE_NAME - services: - name: Start Docker image: docker:dind 
@@ -1472,22 +1489,66 @@ steps: # wait for Docker to be ready - sleep 3 - - name: Build and push Teleport containers (CURRENT_VERSION) - image: docker + - name: Configure Staging AWS Profile + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile staging environment: - OS: linux - ARCH: amd64 - STAGING_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: + AWS_SECRET_ACCESS_KEY: from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - PROD_AWS_ACCESS_KEY_ID: + AWS_ROLE: + from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Configure Production AWS Profile + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + >> /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile production + environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + AWS_ROLE: + from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE + volumes: + - name: awsconfig + path: 
/root/.aws + + - name: Build and push Teleport containers (CURRENT_VERSION) + image: docker + environment: + OS: linux + ARCH: amd64 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) @@ -1501,9 +1562,7 @@ steps: - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" # Authenticate to staging registry - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME_STAGE @@ -1515,9 +1574,7 @@ steps: - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws # Retag images - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD 
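Review bot: The two-profile credentials file built by `Configure Staging AWS Profile` and `Configure Production AWS Profile` looks malformed: neither `printf` format string ends with `\n`, the staging step writes with `>` and the production step appends with `>>`, so `[production]` is glued onto the end of the staging `aws_session_token = ...` line and the production keys then read as duplicate keys inside `[staging]`. As far as I can tell the AWS CLI would then fail to parse the file, or load a corrupted staging token, and `--profile production` in the later `docker login` lines would not resolve; the `aws sts get-caller-identity --profile production` check the step already runs should show it. Terminating both format strings with a newline fixes it: `printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \` and likewise for `[production]`. The single-profile `[default]` variants in the other hunks write a fresh file with `>` and are unaffected, though the same trailing `\n` would keep them consistent; if this pipeline is emitted by dronegen the fix belongs in the generator rather than here.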
@@ -1532,17 +1589,11 @@ steps: environment: OS: linux ARCH: amd64 - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) @@ -1556,9 +1607,7 @@ steps: - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" # Authenticate to staging registry - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME_STAGE 
@@ -1570,9 +1619,7 @@ steps: - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws # Retag images - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD @@ -1587,17 +1634,11 @@ steps: environment: OS: linux ARCH: amd64 - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli - export CURRENT_DATE=$(date '+%Y%m%d%H%M') 
@@ -1611,9 +1652,7 @@ steps: - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" # Authenticate to staging registry - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build - docker push $OSS_IMAGE_NAME_STAGE @@ -1625,9 +1664,7 @@ steps: - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws # Retag images - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD 
@@ -1637,6 +1674,40 @@ steps: - docker push $OSS_IMAGE_NAME_PROD - docker push $ENT_FIPS_IMAGE_NAME_PROD + - name: Build/push Teleport Lab Docker image + image: docker:git + environment: + OS: linux + ARCH: amd64 + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws + commands: + - apk add --no-cache aws-cli + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') + - export TELEPORT_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt | tr -d '^v') + - export TELEPORT_LAB_IMAGE_NAME_STAGING="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-lab:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" + - export TELEPORT_LAB_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-lab:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + # Check out code + - mkdir -p /go/src/github.com/gravitational/teleport + - cd /go/src/github.com/gravitational/teleport + - git init && git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin + - git checkout -qf ${DRONE_COMMIT_SHA} + # Authenticate to staging registry + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + # Build and push image + - docker build --build-arg TELEPORT_TAG=$TELEPORT_TAG -t $TELEPORT_LAB_IMAGE_NAME_STAGING /go/src/github.com/gravitational/teleport/docker/sshd + - docker push $TELEPORT_LAB_IMAGE_NAME_STAGING + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Push to production registry + - docker tag $TELEPORT_LAB_IMAGE_NAME_STAGING $TELEPORT_LAB_IMAGE_NAME_PROD + - docker push $TELEPORT_LAB_IMAGE_NAME_PROD + services: - name: Start Docker image: docker:dind @@ -1648,6 +1719,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -1678,15 +1751,39 @@ steps: - mkdir -p /go/chart - cd /go/chart - - name: Download chart repo contents + - name: Assume AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download chart repo contents + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws commands: - mkdir -p /go/chart # download all previously packaged chart versions from the S3 bucket @@ -1705,19 +1802,17 @@ steps: - helm repo index /go/chart - name: Upload to S3 - image: plugins/s3 - settings: - bucket: + image: amazon/aws-cli + commands: + - cd /go/chart + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/ + environment: + AWS_REGION: us-east-2 + AWS_S3_BUCKET: from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - access_key: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - secret_key: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - region: us-east-2 - acl: public-read - source: /go/chart/* - target: / - strip_prefix: /go/chart + volumes: + - name: awsconfig + path: /root/.aws - name: Send Slack notification image: plugins/slack 
@@ -1734,6 +1829,9 @@ steps: when: status: [failure] +volumes: + - name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! @@ -1825,19 +1923,42 @@ steps: - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1892,6 +2013,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -1985,19 +2108,42 @@ steps: - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2052,6 +2198,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -2158,19 +2306,42 @@ steps: cd /go/artifacts && for FILE in teleport-connect*.deb teleport-connect*.rpm; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2225,6 +2396,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -2316,19 +2489,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2383,6 +2579,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -2445,6 +2643,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -2456,13 +2678,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2490,10 +2711,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
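Review bot: The `Build artifacts` step (hunk `@@ -2490,10 +2711,12 @@`) now also mounts `awsconfig` at `/root/.aws`, so the assumed-role credentials are readable from the step that runs the build with the Docker socket mounted; that step's commands are outside the hunk, so I cannot tell whether the build itself calls AWS. If it does not, dropping the two added lines `- name: awsconfig` / `path: /root/.aws` from `Build artifacts` keeps the session credentials confined to the `Assume AWS Role`, `Download artifacts from S3` and `Upload to S3` steps that use them. The same mount is added to `Build artifacts` in hunks `@@ -2680`, `@@ -2870`, `@@ -3046`, `@@ -3384`, `@@ -3570`, `@@ -4637`, `@@ -4814`, `@@ -4996` and `@@ -5187`.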
@@ -2503,18 +2726,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2571,11 +2793,13 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ @@ -2636,6 +2860,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -2645,13 +2893,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2680,10 +2927,12 @@ steps: RUNTIME: fips TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: @@ -2691,18 +2940,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2759,11 +3007,13 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ 
@@ -2830,6 +3080,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -2841,13 +3115,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2870,6 +3143,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -2879,18 +3154,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2947,6 +3221,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ @@ -3007,6 +3283,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -3016,13 +3316,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3046,6 +3345,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: @@ -3053,18 +3354,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3121,6 +3421,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ 
@@ -3210,19 +3512,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3277,6 +3602,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -3339,6 +3666,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -3350,13 +3701,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3384,10 +3734,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -3397,18 +3749,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3465,11 +3816,13 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ @@ -3530,6 +3883,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -3541,13 +3918,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3570,6 +3946,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: @@ -3579,18 +3957,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3647,6 +4024,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ 
@@ -3769,19 +4148,37 @@ steps: $FILE > $FILE.sha256; done && ls -l environment: WORKSPACE_DIR: /tmp/build-darwin-amd64 +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials - name: Upload to S3 commands: - set -u - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64 - name: Register artifacts commands: 
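Review bot: On the darwin pipeline the `Assume AWS Role` step writes the session credentials to `/tmp/build-darwin-amd64/credentials`, which, since these steps carry no `image:`, looks like a path on the runner host's filesystem rather than a per-pipeline temp volume; the file is created with the shell's default umask and nothing in this hunk removes it afterwards. Prefixing the write with `umask 077` (or running `chmod 600 /tmp/build-darwin-amd64/credentials` right after the `printf`) keeps it unreadable to other accounts on the build host, and a final cleanup step that deletes it would bound the token's exposure to the build; such a cleanup step may already exist outside the hunk, which I cannot see. The same applies to the `/tmp/build-darwin-amd64-pkg/credentials` and `/tmp/build-darwin-amd64-pkg-tsh/credentials` steps in hunks `@@ -3920` and `@@ -4103`.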
@@ -3920,6 +4317,27 @@ steps: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-pkg/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - name: Download built tarball artifacts from S3 commands: - set -u @@ -3930,13 +4348,10 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg @@ -3977,13 +4392,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg - name: Register artifacts commands: 
@@ -4103,6 +4515,27 @@ steps: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-pkg-tsh/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - name: Download built tarball artifacts from S3 commands: - set -u @@ -4113,13 +4546,10 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh @@ -4160,13 +4590,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh - name: Register artifacts commands: 
@@ -4310,19 +4737,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4377,6 +4827,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -4468,19 +4920,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4535,6 +5010,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -4597,6 +5074,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -4608,13 +5109,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4637,6 +5137,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -4646,18 +5148,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4714,6 +5215,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ 
@@ -4774,10 +5277,34 @@ steps: volumes: - name: dockersock path: /var/run -- name: Download artifacts from S3 +- name: Assume AWS Role image: amazon/aws-cli commands: - - export VERSION=$(cat /go/.version.txt) + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws +- name: Download artifacts from S3 + image: amazon/aws-cli + commands: + - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm-bin.tar.gz @@ -4785,13 +5312,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4814,6 +5340,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -4823,18 +5351,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4891,6 +5418,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ @@ -4951,6 +5480,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -4962,13 +5515,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4996,10 +5548,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: @@ -5009,18 +5563,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -5077,11 +5630,13 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ 
@@ -5142,6 +5697,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -5153,13 +5732,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -5187,10 +5765,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -5200,18 +5780,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -5268,11 +5847,13 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ 
@@ -5365,19 +5946,42 @@ steps: - cp /go/artifacts/teleport-v$${VERSION}-windows-amd64-bin.zip /go/artifacts/teleport-ent-v$${VERSION}-windows-amd64-bin.zip - cd /go/artifacts && for FILE in teleport*.zip; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -5432,6 +6036,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -5484,6 +6090,31 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt + - name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws + - name: Build/push OSS/Enterprise Docker images image: docker environment: @@ -5493,13 +6124,11 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache make bash aws-cli - chown -R $UID:$GID /go @@ -5546,6 +6175,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -5582,31 +6213,77 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - name: Download built tarball artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download built tarball artifacts from S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - name: Build OSS AMIs - image: hashicorp/packer:1.7.6 + - name: Assume Packer AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") 
\ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: AWS_ACCESS_KEY_ID: from_secret: AWS_PACKER_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_PACKER_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_PACKER_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Build OSS AMIs + image: hashicorp/packer:1.7.6 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli jq make - cd /go/src/github.com/gravitational/teleport/assets/aws @@ -5622,16 +6299,40 @@ steps: make oss fi - - name: Sync OSS build timestamp to S3 + - name: Assume S3 Timestamp Sync AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Sync OSS build timestamp to S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/oss_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ 
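Review bot: The `Build OSS AMIs` step now reads temporary credentials from `/root/.aws/credentials` instead of long-lived keys, and `aws sts assume-role` without `--duration-seconds` returns a session valid for one hour; nothing refreshes the file, so an AMI build that runs longer than that will start failing part-way through with expired-token errors. If that duration is realistic for Packer, pass `--duration-seconds` in the `Assume Packer AWS Role` step (it is capped by the role's maximum session duration) or let Packer assume the role itself. The Enterprise AMI pipeline later in the patch has the same exposure. The `Build OSS AMIs` command list continues outside the hunk.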
@@ -5647,6 +6348,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -5684,32 +6387,78 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - name: Download built tarball artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download built tarball artifacts from S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - name: Build Enterprise AMIs - image: hashicorp/packer:1.7.6 + - name: Assume Packer AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = 
%s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: AWS_ACCESS_KEY_ID: from_secret: AWS_PACKER_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_PACKER_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_PACKER_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Build Enterprise AMIs + image: hashicorp/packer:1.7.6 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli jq make - cd /go/src/github.com/gravitational/teleport/assets/aws 
@@ -5726,16 +6475,40 @@ steps: make ent fi - - name: Sync Enterprise build timestamp to S3 + - name: Assume S3 Timestamp Sync AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Sync Enterprise build timestamp to S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/ent_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ @@ -5751,6 +6524,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- ################################################ 
@@ -6036,6 +6811,34 @@ steps: a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) depends_on: - Check out code +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease - name: Download artifacts for "${DRONE_TAG}" image: amazon/aws-cli commands: 
@@ -6045,12 +6848,39 @@ steps: "$ARTIFACT_PATH" environment: ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: APT_REPO_NEW_AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: APT_REPO_NEW_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: APT_REPO_NEW_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws depends_on: - Verify build is tagged - Check out code @@ -6072,11 +6902,7 @@ steps: environment: APTLY_ROOT_DIR: /mnt/aptly ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: APT_REPO_NEW_AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: APT_REPO_NEW_AWS_SECRET_ACCESS_KEY BUCKET_CACHE_PATH: /tmp/bucket DEBIAN_FRONTEND: noninteractive GNUPGHOME: /tmpfs/gnupg @@ -6089,6 +6915,8 @@ steps: path: /mnt - name: tmpfs path: /tmpfs + - name: awsconfig + path: /root/.aws depends_on: - Download artifacts for "${DRONE_TAG}" - Verify build is tagged @@ -6101,6 +6929,8 @@ volumes: - name: tmpfs temp: medium: memory +- name: awsconfig + temp: {} --- ################################################ 
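Review bot: `Download artifacts for "${DRONE_TAG}"` does not list `Assume Download AWS Role` in its `depends_on`, and the new `Assume Upload AWS Role` step carries the same three dependencies, so in Drone's DAG execution the download can start before its credentials file exists or after the upload role has overwritten `/root/.aws/credentials`; in the latter case the download runs under a role intended for the repo bucket rather than the artifact bucket. Add `- Assume Download AWS Role` to the download step's `depends_on`, and make `Assume Upload AWS Role` depend on `Download artifacts for "${DRONE_TAG}"` so only one role's credentials are ever live on the volume. The YUM pipeline in the later hunk has the identical gap. The publish step's full `depends_on` continues outside the hunk, so whether it already waits on the upload-role step is not visible here.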
@@ -6178,6 +7008,34 @@ steps: a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) depends_on: - Check out code +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease - name: Download artifacts for "${DRONE_TAG}" image: amazon/aws-cli commands: 
@@ -6187,12 +7045,39 @@ steps: "$ARTIFACT_PATH" environment: ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: YUM_REPO_NEW_AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: YUM_REPO_NEW_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws depends_on: - Verify build is tagged - Check out code @@ -6214,11 +7099,7 @@ steps: -artifact-path "$ARTIFACT_PATH" -log-level 4 -cache-dir "$CACHE_DIR" environment: ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: YUM_REPO_NEW_AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY BUCKET_CACHE_PATH: /mnt/bucket CACHE_DIR: /mnt/createrepo_cache DEBIAN_FRONTEND: noninteractive @@ -6232,6 +7113,8 @@ steps: path: /mnt - name: tmpfs path: /tmpfs + - name: awsconfig + path: /root/.aws depends_on: - Download artifacts for "${DRONE_TAG}" - Verify build is tagged @@ -6244,6 +7127,8 @@ volumes: - name: tmpfs temp: medium: memory +- name: awsconfig + temp: {} --- ################################################ 
@@ -6284,6 +7169,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull/retag Docker images image: docker commands: @@ -6313,14 +7222,11 @@ steps: - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips - docker push public.ecr.aws/gravitational/teleport-operator:$${VERSION} - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind @@ -6331,6 +7237,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ 
@@ -6371,6 +7279,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull/retag Docker images image: docker commands: @@ -6400,10 +7332,6 @@ steps: - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips - docker push quay.io/gravitational/teleport-operator:$${VERSION} environment: - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET QUAY_PASSWORD: from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD QUAY_USERNAME: @@ -6411,6 +7339,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind @@ -6421,6 +7351,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- kind: pipeline 
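Review bot: The `Assume AWS Role` step added to the quay promotion pipeline uses `PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY` and `PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE`, while the keys removed from the `Pull/retag Docker images` step in the second hunk were the `STAGING_TELEPORT_DRONE_USER_ECR_*` pair, so this pipeline now runs with a different, presumably broader, set of AWS permissions than it did. It only pushes to quay.io with `QUAY_USERNAME`/`QUAY_PASSWORD` and presumably needs AWS just to read the source images, so if a staging role exists that can do that, it is the least-privilege choice; if the switch to production is intentional, a comment on the step such as `# production role: source images are pulled from the production ECR registry` would save the next reader the same question.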
@@ -6448,34 +7380,81 @@ steps: commands: - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)" - - name: Download artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - AWS_REGION: us-west-2 + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download artifacts from S3 + image: amazon/aws-cli commands: - mkdir -p /go/artifacts - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws - - name: Upload artifacts to production S3 - image: plugins/s3 - settings: - bucket: - from_secret: PRODUCTION_AWS_S3_BUCKET - access_key: + - name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + 
environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - secret_key: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - region: us-east-1 - acl: public-read - source: /go/artifacts/* - target: teleport/${DRONE_TAG##v}/ - strip_prefix: /go/artifacts/ + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Upload artifacts to production S3 + image: amazon/aws-cli + environment: + AWS_REGION: us-east-1 + AWS_S3_BUCKET: + from_secret: PRODUCTION_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/artifacts/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - name: Check out code image: docker:git 
@@ -6487,27 +7466,73 @@ steps: git fetch origin +refs/tags/${DRONE_TAG}: git checkout -qf FETCH_HEAD - - name: Download AMI timestamps - image: docker + - name: Assume AMI Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download AMI timestamps + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws commands: - - apk add --no-cache aws-cli - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ /go/src/github.com/gravitational/teleport/assets/aws/files/build - - name: Make AMIs public - image: docker + - name: Assume AMI Publish AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: 
AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Make AMIs public + image: docker + volumes: + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli bash jq make - cd /go/src/github.com/gravitational/teleport/assets/aws @@ -6516,6 +7541,31 @@ steps: make change-amis-to-public-ent make change-amis-to-public-ent-fips + - name: "Helm: Assume Download AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + # Download all previously packaged charts. This is needed to rebuild the # index and re-publish the repository. - name: "Helm: Download chart repository" @@ -6523,10 +7573,9 @@ steps: environment: AWS_S3_BUCKET: from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws commands: - mkdir -p /go/chart - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart 
@@ -6544,20 +7593,43 @@ steps: - helm repo index /go/chart - ls /go/chart - - name: "Helm: Publish chart repository to S3" - image: plugins/s3 - settings: - bucket: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - access_key: + - name: "Helm: Assume Upload AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - secret_key: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - region: us-east-2 - acl: public-read - source: /go/chart/* - target: / - strip_prefix: /go/chart + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: "Helm: Publish chart repository to S3" + image: amazon/aws-cli + environment: + AWS_REGION: us-east-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/chart/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/ # NOTE: all mandatory steps for a release promotion need to go BEFORE this # step, as there is a chance that everything afterwards will be skipped. 
@@ -6576,18 +7648,41 @@ steps: - cd /go/src/github.com/gravitational/teleport/build.assets/tooling - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> Not publishing ${DRONE_TAG} packages to RPM and DEB repos' && exit 78) - - name: Download RPM repo contents + - name: Assume RPM Repo AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: RPMREPO_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: RPMREPO_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: RPMREPO_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download RPM repo contents + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: RPMREPO_AWS_S3_BUCKET volumes: - name: rpmrepo path: /rpmrepo + - name: awsconfig + path: /root/.aws commands: - mkdir -p /rpmrepo/teleport/cache # we explicitly want to delete anything present locally which has been deleted @@ -6637,13 +7732,11 @@ steps: environment: AWS_S3_BUCKET: from_secret: RPMREPO_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: RPMREPO_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY volumes: - name: rpmrepo path: /rpmrepo + - name: awsconfig + path: /root/.aws commands: - aws s3 sync /rpmrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/ 
@@ -6657,18 +7750,41 @@ steps: - cd /go/src/github.com/gravitational/teleport/build.assets/tooling - go run ./cmd/check -tag ${DRONE_TAG} -check latest || (echo '---> Not publishing ${DRONE_REPO} packages to DEB repo' && exit 78) - - name: Download DEB repo contents + - name: Assume Deb Repo AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - AWS_S3_BUCKET: - from_secret: DEBREPO_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: DEBREPO_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: DEBREPO_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: DEBREPO_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download DEB repo contents + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: DEBREPO_AWS_S3_BUCKET volumes: - name: debrepo path: /debrepo + - name: awsconfig + path: /root/.aws commands: # we explicitly want to delete anything present locally which has been deleted # from the upstream S3 bucket @@ -6735,15 +7851,13 @@ steps: environment: AWS_S3_BUCKET: from_secret: DEBREPO_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: DEBREPO_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: DEBREPO_AWS_SECRET_ACCESS_KEY volumes: - name: debrepo path: /debrepo + - name: awsconfig + path: /root/.aws commands: - - aws s3 sync /debrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/ + - aws s3 sync /debrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/ services: - name: Start Docker 
@@ -6756,6 +7870,8 @@ services: path: /tmpfs volumes: + - name: awsconfig + temp: {} - name: dockersock temp: {} - name: tmpfs @@ -6806,6 +7922,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull relcli image: docker:cli commands: @@ -6813,14 +7953,12 @@ steps: - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - docker pull $RELCLI_IMAGE environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY AWS_DEFAULT_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Publish in Release API image: docker:git commands: @@ -6841,10 +7979,12 @@ steps: RELEASES_KEY: from_secret: RELEASES_KEY volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: tmpfs + path: /tmpfs + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind 
@@ -6855,10 +7995,12 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock +- name: awsconfig temp: {} --- @@ -6947,6 +8089,27 @@ steps: - echo Yarn reporting version $(yarn --version) environment: WORKSPACE_DIR: /tmp/build-darwin-amd64-connect +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-connect/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials - name: Download tsh.pkg artifact from S3 commands: - set -u @@ -6954,13 +8117,10 @@ steps: - export S3_PATH="tag/$${DRONE_TAG##v}/" - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}tsh-$${VERSION}.pkg $WORKSPACE_DIR/go/src/github.com/gravitational/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-connect 
@@ -7012,13 +8172,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-connect - name: Register artifact commands: @@ -7085,6 +8242,6 @@ steps: WORKSPACE_DIR: /tmp/build-darwin-amd64-connect --- kind: signature -hmac: 8be241fd9eec8e795af521e656e0fa089c9a0b18b70c9ac193e11bacaa0f5e88 +hmac: 72fa53029bec93edf602887e348bde9775f3f34a6501edc69aa04f75b8de8a69 ... diff --git a/build.assets/windows/build.ps1 b/build.assets/windows/build.ps1 index e1e792819a535..15e6590df64e4 100644 --- a/build.assets/windows/build.ps1 +++ b/build.assets/windows/build.ps1 @@ -169,6 +169,23 @@ function Format-FileHashes { } } +function Save-Role { + <# + .SYNOPSIS + Assume an AWS role and save the session to the supplied file + #> + [CmdletBinding()] + param( + [string] $RoleArn, + [string] $RoleSessionName, + [string] $FilePath + ) + begin { + $RoleCreds = (Use-STSRole -RoleArn $RoleArn -RoleSessionName $RoleSessionName).Credentials + "[default]`r`naws_access_key_id = {0}`r`naws_secret_access_key = {1}`r`naws_session_token = {2}" -f $RoleCreds.AccessKeyId, $RoleCreds.SecretAccessKey, $RoleCreds.SessionToken | Out-File -FilePath $FilePath + } +} + function Copy-Artifacts { <# .SYNOPSIS 
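Review bot: Save-Role never checks that `Use-STSRole` returned credentials: with the default `$ErrorActionPreference` a failed call leaves `$RoleCreds` null and the function still writes a credentials file with three empty values, so the pipeline only fails at the later `Get-STSCallerIdentity -ProfileLocation` in windows.go instead of at the assume-role. Add `-ErrorAction Stop` to the `Use-STSRole` call so the step stops where the failure happens. The file is also written with `Out-File` and no explicit encoding; if the runner is Windows PowerShell 5.1 that produces UTF-16LE with a BOM, which an INI-style shared credentials file reader may not accept, so pin it, e.g. `| Out-File -FilePath $FilePath -Encoding ascii`. A `.PARAMETER` entry for each of the three parameters would also bring the comment-based help in line with the other functions in this file.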
@@ -176,15 +193,16 @@ function Copy-Artifacts { #> [CmdletBinding()] param( + [string] $ProfileLocation, [string] $Path, [string] $Bucket, - [string] $DstRoot + [string] $DstRoot ) begin { foreach ($file in $(Get-ChildItem $Path)) { Write-Output "Uploading $($file.Name)" $Key = "$DstRoot/$($file.Name)" - Write-S3Object -File $file.FullName -Bucket $Bucket -Key $Key + Write-S3Object -ProfileLocation $ProfileLocation -File $file.FullName -Bucket $Bucket -Key $Key } } } diff --git a/dronegen/apt.go b/dronegen/apt.go index 13aa148ed8a5d..e59b8ea3706fd 100644 --- a/dronegen/apt.go +++ b/dronegen/apt.go @@ -30,10 +30,11 @@ func getAptPipelineBuilder() *OsPackageToolPipelineBuilder { "drone-s3-aptrepo-pvc", "deb", "apt", - NewRepoBucketSecretNames( + NewRepoBucketSecrets( "APT_REPO_NEW_AWS_S3_BUCKET", "APT_REPO_NEW_AWS_ACCESS_KEY_ID", "APT_REPO_NEW_AWS_SECRET_ACCESS_KEY", + "APT_REPO_NEW_AWS_ROLE", ), ) diff --git a/dronegen/aws.go b/dronegen/aws.go new file mode 100644 index 0000000000000..972bd63e42e51 --- /dev/null +++ b/dronegen/aws.go 
@@ -0,0 +1,112 @@ +// Copyright 2022 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import "path/filepath" + +// awsRoleSettings contains the information necessary to assume an AWS Role +// +// This is intended to be imbedded, please use the kubernetes/mac/windows versions +// with their corresponding pipelines. +type awsRoleSettings struct { + awsAccessKeyID value + awsSecretAccessKey value + role value +} + +// kubernetesRoleSettings contains the info necessary to assume an AWS role and save the credentials to a volume that later steps can use +type kubernetesRoleSettings struct { + awsRoleSettings + configVolume volumeRef +} + +// macRoleSettings contains the info necessary to assume an AWS role and save the credentials to a path that later steps can use +type macRoleSettings struct { + awsRoleSettings + configPath string +} + +// kuberentesS3Settings contains all info needed to download from S3 in a kubernetes pipeline +type kubernetesS3Settings struct { + region string + source string + target string + configVolume volumeRef +} + +// assumeRoleCommands is a helper to build the role assumtipn commands on a *nix platform +func assumeRoleCommands(configPath string) []string { + assumeRoleCmd := `printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | 
sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > ` + configPath + return []string{ + `aws sts get-caller-identity`, // check the original identity + assumeRoleCmd, + `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY`, // remove original identity from environment + `aws sts get-caller-identity`, // check the new assumed identity + } + +} + +// kubernetesAssumeAwsRoleStep builds a step to assume an AWS role and save it to a volume that later steps can use +func kubernetesAssumeAwsRoleStep(s kubernetesRoleSettings) step { + configPath := filepath.Join(s.configVolume.Path, "credentials") + return step{ + Name: "Assume AWS Role", + Image: "amazon/aws-cli", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": s.awsAccessKeyID, + "AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey, + "AWS_ROLE": s.role, + }, + Volumes: []volumeRef{s.configVolume}, + Commands: assumeRoleCommands(configPath), + } +} + +// macAssumeAwsRoleStep builds a step to assume an AWS role and save it to a host path that later steps can use +func macAssumeAwsRoleStep(s macRoleSettings) step { + return step{ + Name: "Assume AWS Role", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": s.awsAccessKeyID, + "AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey, + "AWS_ROLE": s.role, + "AWS_SHARED_CREDENTIALS_FILE": value{raw: s.configPath}, + }, + Commands: assumeRoleCommands(s.configPath), + } +} + +// kubernetesUploadToS3Step generates an S3 upload step +func kubernetesUploadToS3Step(s kubernetesS3Settings) step { + return step{ + Name: "Upload to S3", + Image: "amazon/aws-cli", + Environment: map[string]value{ + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_REGION": {raw: s.region}, + }, + Volumes: []volumeRef{s.configVolume}, + Commands: []string{ + `cd ` + s.source, + `aws s3 sync . s3://$AWS_S3_BUCKET/` + s.target, + }, + } +} diff --git a/dronegen/buildbox.go b/dronegen/buildbox.go index 3d39e1a1a5c7a..537ca3e7988bb 100644 
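Review bot: In assumeRoleCommands a failure of the inner `aws sts assume-role` is swallowed: the command substitution expands to nothing, `printf` still exits 0, and a credentials file with empty values is written to configPath, so the step only fails at the trailing `aws sts get-caller-identity` rather than where the error occurred. The file is also created with the shell's default umask, which matters for the mac variant where configPath is a file inside a workspace on the runner host rather than a volume that dies with the pod; capturing the output first and setting `umask 077` before the write makes both explicit, as sketched below. The comments on the new types carry typos worth fixing (`imbedded` → `embedded`, `kuberentesS3Settings` → `kubernetesS3Settings`, `assumtipn` → `assumption`), and the blank line before the closing brace of assumeRoleCommands is stray.
```go
// assumeRoleCommands is a helper to build the role assumption commands on a *nix platform
func assumeRoleCommands(configPath string) []string {
	assumeRoleCmd := `creds="$(aws sts assume-role \
		--role-arn "$AWS_ROLE" \
		--role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \
		--query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
		--output text)" || exit 1
		umask 077
		printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" $creds > ` + configPath
	// … unchanged: returned command list (get-caller-identity, assumeRoleCmd, unset, get-caller-identity) …
```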
--- a/dronegen/buildbox.go
+++ b/dronegen/buildbox.go
@@ -54,7 +54,7 @@ func buildboxPipelineStep(buildboxName string, fips bool) step {
 			"PROD_AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY"},
 			"PROD_AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET"},
 		},
-		Volumes: dockerVolumeRefs(),
+		Volumes: []volumeRef{volumeRefDocker},
 		Commands: []string{
 			`apk add --no-cache make aws-cli`,
 			`chown -R $UID:$GID /go`,
@@ -90,7 +90,7 @@ func buildboxPipeline() pipeline {
 	// only on master for now; add the release branch name when forking a new release series.
 	p.Trigger = pushTriggerForBranch("master", "branch/*")
 	p.Workspace = workspace{Path: "/go/src/github.com/gravitational/teleport"}
-	p.Volumes = dockerVolumes()
+	p.Volumes = []volume{volumeDocker}
 	p.Services = []service{
 		dockerService(),
 	}
diff --git a/dronegen/common.go b/dronegen/common.go
index a23fde3139941..888ad689e1129 100644
--- a/dronegen/common.go
+++ b/dronegen/common.go
@@ -56,6 +56,10 @@ var (
 		Name: "dockersock",
 		Temp: &volumeTemp{},
 	}
+	volumeRefDocker = volumeRef{
+		Name: "dockersock",
+		Path: "/var/run",
+	}
 	volumeTmpfs = volume{
 		Name: "tmpfs",
 		Temp: &volumeTemp{Medium: "memory"},
@@ -64,9 +68,13 @@ var (
 		Name: "tmpfs",
 		Path: "/tmpfs",
 	}
-	volumeRefDocker = volumeRef{
-		Name: "dockersock",
-		Path: "/var/run",
+	volumeAwsConfig = volume{
+		Name: "awsconfig",
+		Temp: &volumeTemp{},
+	}
+	volumeRefAwsConfig = volumeRef{
+		Name: "awsconfig",
+		Path: "/root/.aws",
 	}
 )
 
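Review bot: volumeAwsConfig is declared as `Temp: &volumeTemp{}`, a disk-backed temp volume, while volumeTmpfs a few lines above uses `Medium: "memory"` and is reserved elsewhere for key material (tag.go: "RPM builds require tmpfs to hold the key material in memory"). The awsconfig volume receives the STS session credentials written by assumeRoleCommands, so it deserves the same treatment: `Temp: &volumeTemp{Medium: "memory"}` keeps the credentials file off node disk, assuming volumeTemp maps to a Kubernetes emptyDir as the tmpfs usage suggests. A one-line doc comment on the two new variables saying what is stored under `/root/.aws` would also help the next reader.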
@@ -207,18 +215,6 @@ func dockerService(v ...volumeRef) service { } } -// dockerVolumes returns a slice of volumes -// It includes the Docker socket volume by default, plus any extra volumes passed in -func dockerVolumes(v ...volume) []volume { - return append(v, volumeDocker) -} - -// dockerVolumeRefs returns a slice of volumeRefs -// It includes the Docker socket volumeRef as a default, plus any extra volumeRefs passed in -func dockerVolumeRefs(v ...volumeRef) []volumeRef { - return append(v, volumeRefDocker) -} - // releaseMakefileTarget gets the correct Makefile target for a given arch/fips/centos combo func releaseMakefileTarget(b buildType) string { makefileTarget := fmt.Sprintf("release-%s", b.arch) @@ -251,7 +247,7 @@ func waitForDockerStep() step { Commands: []string{ `timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'`, }, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, } } diff --git a/dronegen/mac.go b/dronegen/mac.go index 1d56e29cf771c..f6dd462694ffb 100644 --- a/dronegen/mac.go +++ b/dronegen/mac.go @@ -17,6 +17,7 @@ package main import ( "fmt" "path" + "path/filepath" ) const ( @@ -49,6 +50,7 @@ func darwinConnectDmgPipeline() pipeline { artifactConfig := onlyConnectWithBundledTshApp p := newDarwinPipeline("build-darwin-amd64-connect") + awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") p.Trigger = triggerTag p.DependsOn = []string{"build-darwin-amd64-pkg-tsh"} p.Steps = []step{ 
@@ -65,15 +67,22 @@ func darwinConnectDmgPipeline() pipeline { p.Steps = append(p.Steps, installToolchains(p.Workspace.Path, toolchainConfig)...) p.Steps = append(p.Steps, []step{ + macAssumeAwsRoleStep(macRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configPath: awsConfigPath, + }), { Name: "Download tsh.pkg artifact from S3", Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, }, Commands: darwinConnectDownloadArtifactCommands(), }, @@ -88,11 +97,10 @@ func darwinConnectDmgPipeline() pipeline { { Name: "Upload to S3", Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_REGION": {raw: "us-west-2"}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, }, Commands: darwinUploadToS3Commands(), }, 
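Review bot: macAssumeAwsRoleStep writes the STS session credentials to awsConfigPath inside the pipeline workspace on the macOS runner, and unlike the kubernetes pipelines, where the awsconfig volume disappears with the pod, nothing visible in this hunk removes that file once the "Upload to S3" step is done; the same applies to darwinTagPipeline and darwinPkgPipeline in the following hunks. Unless a later cleanup step already wipes the workspace, append `rm -f "$AWS_SHARED_CREDENTIALS_FILE"` to the end of darwinUploadToS3Commands (or add a dedicated cleanup step) so a shared runner does not keep a session token on disk after the build. darwinConnectDmgPipeline begins outside this hunk.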
@@ -173,6 +181,7 @@ func darwinTagPipeline() pipeline { artifactConfig := onlyBinaries p := newDarwinPipeline("build-darwin-amd64") + awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") p.Trigger = triggerTag p.DependsOn = []string{tagCleanupPipelineName} p.Steps = []step{ @@ -198,14 +207,21 @@ func darwinTagPipeline() pipeline { }, Commands: darwinTagCopyPackageArtifactCommands(), }, + macAssumeAwsRoleStep(macRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configPath: awsConfigPath, + }), { Name: "Upload to S3", Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_REGION": {raw: "us-west-2"}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, }, Commands: darwinUploadToS3Commands(), }, diff --git a/dronegen/mac_pkg.go b/dronegen/mac_pkg.go index a4968006bdd1b..20ed18e3d4d8c 100644 --- a/dronegen/mac_pkg.go +++ b/dronegen/mac_pkg.go @@ -28,6 +28,7 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific artifactConfig := onlyBinaries p := newDarwinPipeline(name) + awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") p.Trigger = triggerTag p.DependsOn = []string{"build-darwin-amd64"} p.Steps = []step{ 
@@ -40,15 +41,22 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific }, Commands: darwinTagCheckoutCommands(artifactConfig), }, + macAssumeAwsRoleStep(macRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configPath: awsConfigPath, + }), { Name: "Download built tarball artifacts from S3", Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, + "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, }, Commands: darwinTagDownloadArtifactCommands(), }, @@ -76,11 +84,10 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific { Name: "Upload to S3", Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, }, Commands: []string{ `set -u`, diff --git a/dronegen/os_repos.go b/dronegen/os_repos.go index 3ad05acf2aaa8..82f08f20e89cd 100644 --- a/dronegen/os_repos.go +++ b/dronegen/os_repos.go 
@@ -102,17 +102,19 @@ func artifactMigrationPipeline() []pipeline { } } -type RepoBucketSecretNames struct { - bucketName string - accessKeyID string - secretAccessKey string +type RepoBucketSecrets struct { + awsRoleSettings + bucketName value } -func NewRepoBucketSecretNames(bucketName, accessKeyID, secretAccessKey string) *RepoBucketSecretNames { - return &RepoBucketSecretNames{ - bucketName: bucketName, - accessKeyID: accessKeyID, - secretAccessKey: secretAccessKey, +func NewRepoBucketSecrets(bucketName, accessKeyID, secretAccessKey, role string) *RepoBucketSecrets { + return &RepoBucketSecrets{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: accessKeyID}, + awsSecretAccessKey: value{fromSecret: secretAccessKey}, + role: value{fromSecret: role}, + }, + bucketName: value{fromSecret: bucketName}, } } @@ -124,7 +126,7 @@ type OsPackageToolPipelineBuilder struct { pipelineNameSuffix string artifactPath string pvcMountPoint string - bucketSecrets *RepoBucketSecretNames + bucketSecrets *RepoBucketSecrets extraArgs []string requiredPackages []string setupCommands []string @@ -134,7 +136,7 @@ type OsPackageToolPipelineBuilder struct { // This function configures the build tool with it's requirements and sensible defaults. // If additional configuration required then the returned struct should be modified prior // to calling "build" functions on it. -func NewOsPackageToolPipelineBuilder(claimName, packageType, packageManagerName string, bucketSecrets *RepoBucketSecretNames) *OsPackageToolPipelineBuilder { +func NewOsPackageToolPipelineBuilder(claimName, packageType, packageManagerName string, bucketSecrets *RepoBucketSecrets) *OsPackageToolPipelineBuilder { optpb := &OsPackageToolPipelineBuilder{ clameName: claimName, packageType: packageType, 
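Review bot: `RepoBucketSecrets` and `NewRepoBucketSecrets` are exported but carry no doc comment, and the constructor takes four same-typed positional strings (`bucketName, accessKeyID, secretAccessKey, role`) that are easy to transpose at call sites such as apt.go. A comment starting with the name, e.g. `// NewRepoBucketSecrets wraps the Drone secret names holding the repo bucket name, the static AWS key pair and the role to assume`, would at least document the order; passing an `awsRoleSettings` plus the bucket secret name instead would make a swap a compile error.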
@@ -150,15 +152,7 @@ func NewOsPackageToolPipelineBuilder(claimName, packageType, packageManagerName } optpb.environmentVars = map[string]value{ - "REPO_S3_BUCKET": { - fromSecret: optpb.bucketSecrets.bucketName, - }, - "AWS_ACCESS_KEY_ID": { - fromSecret: optpb.bucketSecrets.accessKeyID, - }, - "AWS_SECRET_ACCESS_KEY": { - fromSecret: optpb.bucketSecrets.secretAccessKey, - }, + "REPO_S3_BUCKET": optpb.bucketSecrets.bucketName, "AWS_REGION": { raw: "us-west-2", }, @@ -285,6 +279,7 @@ func (optpb *OsPackageToolPipelineBuilder) buildBaseOsPackagePipeline(pipelineNa }, }, volumeTmpfs, + volumeAwsConfig, } p.Steps = []step{ { @@ -363,7 +358,24 @@ func (optpb *OsPackageToolPipelineBuilder) getVersionSteps(codePath, version str buildStepDependencies = append(buildStepDependencies, downloadStepName) } + assumeDownloadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }) + assumeDownloadRoleStep.Name = "Assume Download AWS Role" // multiple steps cannot have the same name + + assumeUploadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: optpb.bucketSecrets.awsRoleSettings, + configVolume: volumeRefAwsConfig, + }) + assumeUploadRoleStep.Name = "Assume Upload AWS Role" // multiple steps cannot have the same name + return []step{ + assumeDownloadRoleStep, { Name: downloadStepName, Image: "amazon/aws-cli", 
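Review bot: assumeDownloadRoleStep and assumeUploadRoleStep both write `/root/.aws/credentials` on the shared volumeRefAwsConfig, so the download step uses whichever assume step ran last; that is only correct if steps execute strictly in list order. The publish step in this function carries `DependsOn: buildStepDependencies`, which (if I read Drone's scheduling correctly) puts the pipeline in dependency-graph mode where steps without a DependsOn can start concurrently, so the upload credentials could overwrite the download ones before the download step runs. Giving the assume steps an explicit DependsOn chain (download role → download → upload role → publish), or pointing the two at distinct configVolume mounts, removes the ordering assumption. getVersionSteps begins and ends outside this hunk.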
@@ -371,16 +383,11 @@ func (optpb *OsPackageToolPipelineBuilder) getVersionSteps(codePath, version str "AWS_S3_BUCKET": { fromSecret: "AWS_S3_BUCKET", }, - "AWS_ACCESS_KEY_ID": { - fromSecret: "AWS_ACCESS_KEY_ID", - }, - "AWS_SECRET_ACCESS_KEY": { - fromSecret: "AWS_SECRET_ACCESS_KEY", - }, "ARTIFACT_PATH": { raw: optpb.artifactPath, }, }, + Volumes: []volumeRef{volumeRefAwsConfig}, Commands: []string{ "mkdir -pv \"$ARTIFACT_PATH\"", // Clear out old versions from previous steps @@ -399,6 +406,7 @@ func (optpb *OsPackageToolPipelineBuilder) getVersionSteps(codePath, version str ), }, }, + assumeUploadRoleStep, { Name: fmt.Sprintf("Publish %ss to %s repos for %q", optpb.packageType, strings.ToUpper(optpb.packageManagerName), version), Image: "golang:1.18.4-bullseye", @@ -437,6 +445,7 @@ func (optpb *OsPackageToolPipelineBuilder) getVersionSteps(codePath, version str Path: optpb.pvcMountPoint, }, volumeRefTmpfs, + volumeRefAwsConfig, }, DependsOn: buildStepDependencies, }, diff --git a/dronegen/promote.go b/dronegen/promote.go index 99a39278b9537..ee008d204a296 100644 --- a/dronegen/promote.go +++ b/dronegen/promote.go 
@@ -34,20 +34,30 @@ func buildDockerPromotionPipelineECR() pipeline { dockerPipeline.Services = []service{ dockerService(), } - dockerPipeline.Volumes = dockerVolumes() + dockerPipeline.Volumes = []volume{ + volumeDocker, + volumeAwsConfig, + } dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) // Pull/Push Steps + dockerPipeline.Steps = append(dockerPipeline.Steps, kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"}, + awsSecretAccessKey: value{fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"}, + role: value{fromSecret: "PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + })) dockerPipeline.Steps = append(dockerPipeline.Steps, step{ Name: "Pull/retag Docker images", Image: "docker", - Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"}, + Volumes: []volumeRef{ + volumeRefDocker, + volumeRefAwsConfig, }, - Volumes: dockerVolumeRefs(), Commands: []string{ "apk add --no-cache aws-cli", "export VERSION=${DRONE_TAG##v}", 
@@ -91,22 +101,34 @@ func buildDockerPromotionPipelineQuay() pipeline { dockerPipeline.Services = []service{ dockerService(), } - dockerPipeline.Volumes = dockerVolumes() + dockerPipeline.Volumes = []volume{ + volumeDocker, + volumeAwsConfig, + } dockerPipeline.Steps = append(dockerPipeline.Steps, verifyTaggedBuildStep()) dockerPipeline.Steps = append(dockerPipeline.Steps, waitForDockerStep()) // Pull/Push Steps + dockerPipeline.Steps = append(dockerPipeline.Steps, kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY"}, + awsSecretAccessKey: value{fromSecret: "PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET"}, + role: value{fromSecret: "PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + })) dockerPipeline.Steps = append(dockerPipeline.Steps, step{ Name: "Pull/retag Docker images", Image: "docker", Environment: map[string]value{ - "QUAY_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, - "QUAY_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_TELEPORT_DRONE_USER_ECR_SECRET"}, + "QUAY_USERNAME": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_USERNAME"}, + "QUAY_PASSWORD": {fromSecret: "PRODUCTION_QUAYIO_DOCKER_PASSWORD"}, + }, + Volumes: []volumeRef{ + volumeRefDocker, + volumeRefAwsConfig, }, - Volumes: dockerVolumeRefs(), Commands: []string{ "apk add --no-cache aws-cli", "export VERSION=${DRONE_TAG##v}", diff --git a/dronegen/push.go b/dronegen/push.go index 35471cc08c614..dfc080fd72e98 100644 --- a/dronegen/push.go +++ b/dronegen/push.go @@ -138,7 +138,7 @@ func pushPipeline(b buildType) pipeline { } p.Trigger = triggerPush p.Workspace = workspace{Path: "/go"} - p.Volumes = dockerVolumes() + p.Volumes = []volume{volumeDocker} p.Services = []service{ dockerService(), } 
@@ -156,7 +156,7 @@ func pushPipeline(b buildType) pipeline { Name: "Build artifacts", Image: "docker", Environment: pushEnvironment, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, Commands: pushBuildCommands(b), }, { diff --git a/dronegen/relcli.go b/dronegen/relcli.go index c12919fc01c25..717151aacb2f0 100644 --- a/dronegen/relcli.go +++ b/dronegen/relcli.go @@ -31,28 +31,39 @@ func relcliPipeline(trigger trigger, name string, stepName string, command strin }, }, waitForDockerStep(), - pullRelcliStep(), + kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"}, + awsSecretAccessKey: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"}, + role: value{fromSecret: "TELEPORT_BUILD_READ_ONLY_AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }), + pullRelcliStep(volumeRefAwsConfig), executeRelcliStep(stepName, command), } - p.Services = []service{ - dockerService(volumeRefTmpfs), + p.Services = []service{dockerService(volumeRefTmpfs)} + p.Volumes = []volume{ + volumeDocker, + volumeTmpfs, + volumeAwsConfig, } - p.Volumes = dockerVolumes(volumeTmpfs) return p } -func pullRelcliStep() step { +func pullRelcliStep(awsConfigVolumeRef volumeRef) step { return step{ Name: "Pull relcli", Image: "docker:cli", Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": {fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"}, - "AWS_DEFAULT_REGION": {raw: "us-west-2"}, + "AWS_DEFAULT_REGION": {raw: "us-west-2"}, + }, + Volumes: []volumeRef{ + volumeRefDocker, + volumeRefAwsConfig, }, - Volumes: dockerVolumeRefs(), Commands: []string{ `apk add --no-cache aws-cli`, `aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com`, 
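Review bot: pullRelcliStep now takes `awsConfigVolumeRef volumeRef` but never uses it; the Volumes list references the package-level `volumeRefAwsConfig` directly, so the parameter is dead and the call site's argument is misleading. Either use it, `Volumes: []volumeRef{volumeRefDocker, awsConfigVolumeRef},`, or drop the parameter and keep the signature as before. relcliPipeline begins outside this hunk.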
@@ -72,10 +83,11 @@ func executeRelcliStep(name string, command string) step { "RELCLI_CERT": {raw: "/tmpfs/creds/releases.crt"}, "RELCLI_KEY": {raw: "/tmpfs/creds/releases.key"}, }, - Volumes: dockerVolumeRefs(volumeRef{ - Name: "tmpfs", - Path: "/tmpfs", - }), + Volumes: []volumeRef{ + volumeRefDocker, + volumeRefTmpfs, + volumeRefAwsConfig, + }, Commands: []string{ `mkdir -p /tmpfs/creds`, `echo "$RELEASES_CERT" | base64 -d > "$RELCLI_CERT"`, diff --git a/dronegen/tag.go b/dronegen/tag.go index 094a8bf2e4bbc..8648e042ac36a 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -191,30 +191,6 @@ done && ls -l`) return commands } -type s3Settings struct { - region string - source string - target string - stripPrefix string -} - -// uploadToS3Step generates an S3 upload step -func uploadToS3Step(s s3Settings) step { - return step{ - Name: "Upload to S3", - Image: "plugins/s3", - Settings: map[string]value{ - "bucket": {fromSecret: "AWS_S3_BUCKET"}, - "access_key": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "secret_key": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "region": {raw: s.region}, - "source": {raw: s.source}, - "target": {raw: s.target}, - "strip_prefix": {raw: s.stripPrefix}, - }, - } -} - // tagPipelines builds all applicable tag pipeline combinations func tagPipelines() []pipeline { var ps []pipeline @@ -296,7 +272,7 @@ func tagPipeline(b buildType) pipeline { p.Trigger = triggerTag p.DependsOn = []string{tagCleanupPipelineName} p.Workspace = workspace{Path: "/go"} - p.Volumes = dockerVolumes() + p.Volumes = []volume{volumeAwsConfig, volumeDocker} p.Services = []service{ dockerService(), } @@ -314,7 +290,7 @@ func tagPipeline(b buildType) pipeline { Name: "Build artifacts", Image: "docker", Environment: tagEnvironment, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, Commands: tagBuildCommands(b), }, { 
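Review bot: executeRelcliStep now mounts volumeRefAwsConfig, but nothing visible in the step reads `/root/.aws`: it authenticates with `RELCLI_CERT`/`RELCLI_KEY` from the tmpfs volume. If the relcli invocation itself does not need AWS credentials, drop the mount so the assumed-role session stays scoped to the pull step that actually calls `aws ecr get-login-password`; if it does, a short comment on the Volumes entry saying why would save the next reader the question.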
@@ -322,11 +298,19 @@ func tagPipeline(b buildType) pipeline { Image: "docker", Commands: tagCopyArtifactCommands(b), }, - uploadToS3Step(s3Settings{ - region: "us-west-2", - source: "/go/artifacts/*", - target: "teleport/tag/${DRONE_TAG##v}", - stripPrefix: "/go/artifacts/", + kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }), + kubernetesUploadToS3Step(kubernetesS3Settings{ + region: "us-west-2", + source: "/go/artifacts/", + target: "teleport/tag/${DRONE_TAG##v}", + configVolume: volumeRefAwsConfig, }), { Name: "Register artifacts", @@ -478,8 +462,14 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { environment["OSS_TARBALL_PATH"] = value{raw: "/go/artifacts"} } - packageDockerVolumes := dockerVolumes() - packageDockerVolumeRefs := dockerVolumeRefs() + packageDockerVolumes := []volume{ + volumeDocker, + volumeAwsConfig, + } + packageDockerVolumeRefs := []volumeRef{ + volumeRefDocker, + volumeRefAwsConfig, + } packageDockerService := dockerService() switch packageType { @@ -494,8 +484,8 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { `rm -rf $GNUPG_DIR`, ) // RPM builds require tmpfs to hold the key material in memory. - packageDockerVolumes = dockerVolumes(volumeTmpfs) - packageDockerVolumeRefs = dockerVolumeRefs(volumeRefTmpfs) + packageDockerVolumes = append(packageDockerVolumes, volumeTmpfs) + packageDockerVolumeRefs = append(packageDockerVolumeRefs, volumeRefTmpfs) packageDockerService = dockerService(volumeRefTmpfs) case debPackage: packageBuildCommands = append(packageBuildCommands, 
@@ -525,16 +515,23 @@ func tagPackagePipeline(packageType string, b buildType) pipeline {
 Commands: tagCheckoutCommands(b),
 },
 waitForDockerStep(),
+ kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
+ awsRoleSettings: awsRoleSettings{
+ awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"},
+ awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"},
+ role: value{fromSecret: "AWS_ROLE"},
+ },
+ configVolume: volumeRefAwsConfig,
+ }),
 {
 Name: "Download artifacts from S3",
 Image: "amazon/aws-cli",
 Environment: map[string]value{
- "AWS_REGION": {raw: "us-west-2"},
- "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"},
- "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"},
- "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
+ "AWS_REGION": {raw: "us-west-2"},
+ "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"},
 },
 Commands: tagDownloadArtifactCommands(b),
+ Volumes: []volumeRef{volumeRefAwsConfig},
 },
 {
 Name: "Build artifacts",
@@ -548,11 +545,11 @@ func tagPackagePipeline(packageType string, b buildType) pipeline {
 Image: "docker",
 Commands: tagCopyPackageArtifactCommands(b, packageType),
 },
- uploadToS3Step(s3Settings{
- region: "us-west-2",
- source: "/go/artifacts/*",
- target: "teleport/tag/${DRONE_TAG##v}",
- stripPrefix: "/go/artifacts/",
+ kubernetesUploadToS3Step(kubernetesS3Settings{
+ region: "us-west-2",
+ source: "/go/artifacts/",
+ target: "teleport/tag/${DRONE_TAG##v}",
+ configVolume: volumeRefAwsConfig,
 }),
 {
 Name: "Register artifacts",
diff --git a/dronegen/windows.go b/dronegen/windows.go
index 551f527ab9360..fc1eb448170be 100644
--- a/dronegen/windows.go
+++ b/dronegen/windows.go
@@ -48,26 +48,45 @@ func windowsTagPipeline() pipeline {
 buildWindowsTshStep(p.Workspace.Path),
 buildWindowsTeleportConnectStep(p.Workspace.Path),
 {
- Name: "Upload Artifacts",
+ Name: "Assume AWS Role",
 Environment: map[string]value{
 "WORKSPACE_DIR": {raw: p.Workspace.Path},
- "AWS_REGION": {raw: "us-west-2"},
- "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"},
 "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"},
 "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"},
+ "AWS_ROLE": {fromSecret: "AWS_ROLE"},
+ },
+ Commands: []string{
+ `$Workspace = "` + perBuildWorkspace + `"`,
+ `$TeleportSrc = "$Workspace` + teleportSrc + `"`,
+ `$AwsSharedCredentialsFile = "$Workspace/credentials"`,
+ `$SessionName = "drone-$Env:DRONE_REPO-$Env:DRONE_BUILD_NUMBER".replace("/", "-")`,
+ `. "$TeleportSrc/build.assets/windows/build.ps1"`,
+ `Get-STSCallerIdentity`,
+ `Save-Role -RoleArn $Env:AWS_ROLE -RoleSessionName $SessionName -FilePath $AwsSharedCredentialsFile`,
+ `Get-ChildItem -Path Env: | Where-Object {($_.Name -Like "AWS_SECRET_ACCESS_KEY") -or ($_.Name -Like "AWS_ACCESS_KEY_ID") } | Remove-Item`,
+ `Get-STSCallerIdentity -ProfileLocation $AwsSharedCredentialsFile`,
+ },
+ },
+ {
+ Name: "Upload Artifacts",
+ Environment: map[string]value{
+ "WORKSPACE_DIR": {raw: p.Workspace.Path},
+ "AWS_REGION": {raw: "us-west-2"},
+ "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"},
 },
 Commands: []string{
 `$Workspace = "` + perBuildWorkspace + `"`,
 `$TeleportSrc = "$Workspace` + teleportSrc + `"`,
 `$WebappsSrc = "$Workspace` + webappsSrc + `"`,
 `$TeleportVersion=$Env:DRONE_TAG.TrimStart('v')`,
+ `$AwsSharedCredentialsFile = "$Workspace/credentials"`,
 `$OutputsDir="$Workspace/outputs"`,
 `New-Item -Path "$OutputsDir" -ItemType 'Directory' | Out-Null`,
 `Get-ChildItem "$WebappsSrc/packages/teleterm/build/release`,
 `Copy-Item -Path "$WebappsSrc/packages/teleterm/build/release/Teleport Connect Setup*.exe" -Destination $OutputsDir`,
 `. "$TeleportSrc/build.assets/windows/build.ps1"`,
 `Format-FileHashes -PathGlob "$OutputsDir/*.exe"`,
- `Copy-Artifacts -Path $OutputsDir -Bucket $Env:AWS_S3_BUCKET -DstRoot "/teleport/tag/$TeleportVersion"`,
+ `Copy-Artifacts -ProfileLocation $AwsSharedCredentialsFile -Path $OutputsDir -Bucket $Env:AWS_S3_BUCKET -DstRoot "/teleport/tag/$TeleportVersion"`,
 },
 },
 windowsRegisterArtifactsStep(p.Workspace.Path),
diff --git a/dronegen/yum.go b/dronegen/yum.go
index b65078f9c7475..0a8960d0b1262 100644
--- a/dronegen/yum.go
+++ b/dronegen/yum.go
@@ -32,10 +32,11 @@ func getYumPipelineBuilder() *OsPackageToolPipelineBuilder {
 "drone-s3-yumrepo-pvc",
 "rpm",
 "yum",
- NewRepoBucketSecretNames(
+ NewRepoBucketSecrets(
 "YUM_REPO_NEW_AWS_S3_BUCKET",
 "YUM_REPO_NEW_AWS_ACCESS_KEY_ID",
 "YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY",
+ "YUM_REPO_NEW_ROLE",
 ),
 )
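Review bot: The temporary role credentials that `Save-Role` writes to `$Workspace/credentials` in the Assume AWS Role step are never removed once `Copy-Artifacts` has used them, so they stay on the Windows runner's disk for as long as the per-build workspace exists; adding `Remove-Item -Path $AwsSharedCredentialsFile -Force` as the last command of the Upload Artifacts step would bound their lifetime to the step that needs them, unless workspace cleanup elsewhere (not visible here) already covers it. The `"$Workspace/credentials"` path is also spelled out independently in both command lists; a Go constant such as `awsSharedCredentialsFile` interpolated into both would stop them drifting apart. Removing `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from `Env:` only affects that step's PowerShell process, which is adequate here because the Upload Artifacts step no longer lists those secrets in its Environment. windowsTagPipeline starts before this hunk and continues past it.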