diff --git a/.drone.yml b/.drone.yml index dcd91fd36489a..9fb493ffd73f0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -443,7 +443,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:32 +# Generated at dronegen/mac.go:33 ################################################ kind: pipeline 
@@ -581,98 +581,6 @@ steps: status: - failure ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/relcli.go (main.relcliPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: clean-up-previous-build -environment: - RELCLI_IMAGE: 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/relcli:v1.1.70 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -clone: - disable: true -steps: -- name: Check if commit is tagged - image: alpine - commands: - - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' - && exit 1)' -- name: Wait for docker - image: docker - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - volumes: - - name: dockersock - path: /var/run -- name: Pull relcli - image: docker:cli - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - docker pull $RELCLI_IMAGE - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_DEFAULT_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: dockersock - path: /var/run -- name: Clean up previously built artifacts - image: docker:git - commands: - - mkdir -p /tmpfs/creds - - echo "$RELEASES_CERT" | base64 -d > "$RELCLI_CERT" - - echo "$RELEASES_KEY" | base64 -d > "$RELCLI_KEY" - - trap "rm -rf /tmpfs/creds" EXIT - - |- - docker run -i -v /tmpfs/creds:/tmpfs/creds \ - -e DRONE_REPO -e DRONE_TAG -e RELCLI_BASE_URL -e RELCLI_CERT -e RELCLI_KEY \ - $RELCLI_IMAGE relcli auto_destroy -f -v 6 - environment: - RELCLI_BASE_URL: https://releases-prod.platform.teleport.sh - RELCLI_CERT: /tmpfs/creds/releases.crt - RELCLI_KEY: 
/tmpfs/creds/releases.key - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: -- name: tmpfs - temp: - medium: memory -- name: dockersock - temp: {} - --- ################################################ # Generated using dronegen, do not edit by hand! 
@@ -877,6 +785,124 @@ volumes: - name: dockersock temp: {} +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/relcli.go:20 +################################################ + +kind: pipeline +type: kubernetes +name: clean-up-previous-build +environment: + RELCLI_IMAGE: 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/relcli:v1.1.70 +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +clone: + disable: true +steps: +- name: Check if commit is tagged + image: alpine + commands: + - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' + && exit 1)' +- name: Wait for docker + image: docker + commands: + - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' + volumes: + - name: dockersock + path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Pull relcli + image: docker:cli + commands: + - apk add --no-cache aws-cli + - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - docker pull 
$RELCLI_IMAGE + environment: + AWS_DEFAULT_REGION: us-west-2 + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Clean up previously built artifacts + image: docker:git + commands: + - mkdir -p /tmpfs/creds + - echo "$RELEASES_CERT" | base64 -d > "$RELCLI_CERT" + - echo "$RELEASES_KEY" | base64 -d > "$RELCLI_KEY" + - trap "rm -rf /tmpfs/creds" EXIT + - |- + docker run -i -v /tmpfs/creds:/tmpfs/creds \ + -e DRONE_REPO -e DRONE_TAG -e RELCLI_BASE_URL -e RELCLI_CERT -e RELCLI_KEY \ + $RELCLI_IMAGE relcli auto_destroy -f -v 6 + environment: + RELCLI_BASE_URL: https://releases-prod.platform.teleport.sh + RELCLI_CERT: /tmpfs/creds/releases.crt + RELCLI_KEY: /tmpfs/creds/releases.key + RELEASES_CERT: + from_secret: RELEASES_CERT + RELEASES_KEY: + from_secret: RELEASES_KEY + volumes: + - name: dockersock + path: /var/run + - name: tmpfs + path: /tmpfs + - name: awsconfig + path: /root/.aws +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: tmpfs + path: /tmpfs + - name: dockersock + path: /var/run +volumes: +- name: dockersock + temp: {} +- name: tmpfs + temp: + medium: memory +- name: awsconfig + temp: {} + --- kind: pipeline type: kubernetes 
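Review bot: The `awsconfig` volume that receives the assumed-role session written by `> /root/.aws/credentials` is declared as `temp: {}`, a disk-backed emptyDir, while the `tmpfs` volume holding the release cert and key in this same pipeline is memory-backed and is additionally cleared by `trap "rm -rf /tmpfs/creds" EXIT`. The STS credentials get neither treatment, so they sit on node disk until the pod is garbage-collected; declaring the volume as `- name: awsconfig` / `  temp:` / `    medium: memory` brings it in line with the existing secret handling. The same `temp: {}` declaration is repeated in the volumes hunks at @@ -1271, @@ -1357, @@ -1514, @@ -1673, @@ -1830, @@ -1987, @@ -2142 and @@ -2337. Separately, `printf … $(aws sts assume-role …) > /root/.aws/credentials` exits 0 regardless of what the substitution returned, so a failed assume-role leaves a profile with empty fields on disk and only the later `aws sts get-caller-identity --profile default` catches it; assigning the assume-role output to a variable first (`CREDS=$(aws sts assume-role …)`) would fail the step at the point of failure if, as I recall, Drone runs step commands under `set -e`.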
@@ -1008,33 +1034,6 @@ steps: - docker build --target teleport-fips --build-arg DOWNLOAD_TYPE=teleport-ent --build-arg EXTRA_DOWNLOAD_ARGS="-fips" --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $ENT_FIPS_IMAGE_NAME -f /go/build/Dockerfile-cron /go/build - docker push $ENT_FIPS_IMAGE_NAME - - name: Build/push Teleport Lab Docker image - image: docker:git - environment: - OS: linux - ARCH: amd64 - settings: - username: - from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME - password: - from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - volumes: - - name: dockersock - path: /var/run - commands: - - export TELEPORT_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt | tr -d '^v') - - export TELEPORT_LAB_IMAGE_NAME="quay.io/gravitational/teleport-lab:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - # Check out code - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git init && git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin - - git checkout -qf ${DRONE_COMMIT_SHA} - # Build and push Teleport lab image - - docker login -u="$PLUGIN_USERNAME" -p="$PLUGIN_PASSWORD" quay.io - - docker build --build-arg TELEPORT_TAG=$TELEPORT_TAG -t $TELEPORT_LAB_IMAGE_NAME /go/src/github.com/gravitational/teleport/docker/sshd - - docker push $TELEPORT_LAB_IMAGE_NAME - services: - name: Start Docker image: docker:dind 
@@ -1095,22 +1094,66 @@ steps: # wait for Docker to be ready - sleep 3 - - name: Build and push Teleport containers (CURRENT_VERSION) - image: docker + - name: Configure Staging AWS Profile + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile staging environment: - OS: linux - ARCH: amd64 - STAGING_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: + AWS_SECRET_ACCESS_KEY: from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - PROD_AWS_ACCESS_KEY_ID: + AWS_ROLE: + from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Configure Production AWS Profile + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + >> /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile production + environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + AWS_ROLE: + from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE + volumes: + - name: awsconfig + 
path: /root/.aws + + - name: Build and push Teleport containers (CURRENT_VERSION) + image: docker + environment: + OS: linux + ARCH: amd64 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt) @@ -1124,9 +1167,7 @@ steps: - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-fips" # Authenticate to staging registry - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME_STAGE @@ -1138,9 +1179,7 @@ steps: - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws # Retag images - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD 
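Review bot: The staging and production profiles are assumed once at the top of the pipeline (`Configure Staging AWS Profile`, `Configure Production AWS Profile`) and then consumed by every build/push step that follows, including the PREVIOUS_VERSION and lab-image steps in the later hunks; `aws sts assume-role` is called without `--duration-seconds`, so the session token is valid for the STS default of one hour. If the chained docker builds and pushes run longer than that, the `aws ecr-public get-login-password --profile production` calls near the end fail with an expired token — whether this pipeline gets close to the limit is not visible here. Passing `--duration-seconds` up to the role's configured maximum, or re-running the profile step before each push block, removes the dependency on build time. The production step also appends with `>> /root/.aws/credentials` and relies on the staging step having created the file with `>` immediately before it, which is worth a one-line comment such as `# appends to the credentials file created by the staging step above`.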
@@ -1155,17 +1194,11 @@ steps: environment: OS: linux ARCH: amd64 - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli - export VERSION_TAG=$(cat /go/build/PREVIOUS_VERSION_ONE_TAG.txt) @@ -1179,9 +1212,7 @@ steps: - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_ONE_TAG_GENERIC.txt)-fips" # Authenticate to staging registry - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron /go/build - docker push $OSS_IMAGE_NAME_STAGE 
@@ -1193,9 +1224,7 @@ steps: - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws # Retag images - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD @@ -1210,17 +1239,11 @@ steps: environment: OS: linux ARCH: amd64 - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli - export CURRENT_DATE=$(date '+%Y%m%d%H%M') 
@@ -1234,9 +1257,7 @@ steps: - export ENT_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)" - export ENT_FIPS_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-ent:$(cat /go/build/PREVIOUS_VERSION_TWO_TAG_GENERIC.txt)-fips" # Authenticate to staging registry - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com # OSS - docker build --target teleport --build-arg DOWNLOAD_TYPE=teleport --build-arg VERSION_TAG=$VERSION_TAG --build-arg OS=$OS --build-arg ARCH=$ARCH -t $OSS_IMAGE_NAME_STAGE -f /go/build/Dockerfile-cron-v8 /go/build - docker push $OSS_IMAGE_NAME_STAGE @@ -1248,9 +1269,7 @@ steps: - docker push $ENT_FIPS_IMAGE_NAME_STAGE # Authenticate to production registry - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws # Retag images - docker tag $OSS_IMAGE_NAME_STAGE $OSS_IMAGE_NAME_PROD - docker tag $ENT_IMAGE_NAME_STAGE $ENT_IMAGE_NAME_PROD 
@@ -1260,6 +1279,40 @@ steps: - docker push $OSS_IMAGE_NAME_PROD - docker push $ENT_FIPS_IMAGE_NAME_PROD + - name: Build/push Teleport Lab Docker image + image: docker:git + environment: + OS: linux + ARCH: amd64 + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws + commands: + - apk add --no-cache aws-cli + - export CURRENT_DATE=$(date '+%Y%m%d%H%M') + - export TELEPORT_TAG=$(cat /go/build/CURRENT_VERSION_TAG.txt | tr -d '^v') + - export TELEPORT_LAB_IMAGE_NAME_STAGING="146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-lab:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)-$CURRENT_DATE" + - export TELEPORT_LAB_IMAGE_NAME_PROD="public.ecr.aws/gravitational/teleport-lab:$(cat /go/build/CURRENT_VERSION_TAG_GENERIC.txt)" + # Check out code + - mkdir -p /go/src/github.com/gravitational/teleport + - cd /go/src/github.com/gravitational/teleport + - git init && git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin + - git checkout -qf ${DRONE_COMMIT_SHA} + # Authenticate to staging registry + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + # Build and push image + - docker build --build-arg TELEPORT_TAG=$TELEPORT_TAG -t $TELEPORT_LAB_IMAGE_NAME_STAGING /go/src/github.com/gravitational/teleport/docker/sshd + - docker push $TELEPORT_LAB_IMAGE_NAME_STAGING + # Authenticate to production registry + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws + # Push to production registry + - docker tag $TELEPORT_LAB_IMAGE_NAME_STAGING $TELEPORT_LAB_IMAGE_NAME_PROD + - docker push $TELEPORT_LAB_IMAGE_NAME_PROD + services: - name: Start Docker image: docker:dind @@ -1271,6 +1324,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -1301,15 +1356,39 @@ steps: - mkdir -p /go/chart - cd /go/chart - - name: Download chart repo contents + - name: Assume AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download chart repo contents + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws commands: - mkdir -p /go/chart # download all previously packaged chart versions from the S3 bucket @@ -1328,19 +1407,17 @@ steps: - helm repo index /go/chart - name: Upload to S3 - image: plugins/s3 - settings: - bucket: + image: amazon/aws-cli + commands: + - cd /go/chart + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/ + environment: + AWS_REGION: us-east-2 + AWS_S3_BUCKET: from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - access_key: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - secret_key: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - region: us-east-2 - acl: public-read - source: /go/chart/* - target: / - strip_prefix: /go/chart + volumes: + - name: awsconfig + path: /root/.aws - name: Send Slack notification image: plugins/slack 
@@ -1357,11 +1434,14 @@ steps: when: status: [failure] +volumes: + - name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline @@ -1447,19 +1527,42 @@ steps: - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: 
@@ -1514,6 +1617,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -1521,7 +1626,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline 
@@ -1606,19 +1711,42 @@ steps: - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1673,6 +1801,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -1680,7 +1810,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline @@ -1763,19 +1893,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1830,6 +1983,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -1837,7 +1992,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline @@ -1920,19 +2075,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: 
@@ -1987,16 +2165,20 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} --- ################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# This pipeline is the reason dronegen isn't on +# v8. Hand edits were made in: +# c0a1e074ec2fbb3ea03851780ac109864161bbb0 +# To prevent these edits from being reverted +# dronegen was removed in: +# fadcdaf6ea244c7e4e79964666db187543319bf5 ################################################ - kind: pipeline type: kubernetes name: build-linux-amd64-centos6 
@@ -2075,19 +2257,42 @@ steps: - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos6-bin.tar.gz - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2142,6 +2347,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -2205,6 +2412,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -2220,13 +2451,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2242,13 +2496,9 @@ steps: # Build mainline and CentOS 7 RPMs. - make rpm - make rpm RPM_FLAGS="-c centos7" - - rm -rf $GNUPG_DIR - environment: - ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + - rm -rf $GNUPG_DIR + environment: + ARCH: amd64 ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -2256,10 +2506,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
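Review bot: `Assume Build AWS Role` overwrites the `[default]` profile that `Assume Download AWS Role` (@@ -2205) wrote, and `Assume Upload AWS Role` (@@ -2268) overwrites it again, so which role a step runs under depends only on which assume step ran last; a reordered or inserted step would silently pick up the wrong credentials and nothing in the file records which steps expect which role. The staging/production pipeline in this same commit uses named profiles for exactly this situation, so writing `[download]`, `[build]` and `[upload]` here and selecting them with `--profile` on the consuming steps would make each step's intended role explicit. The same overwrite pattern appears in the pipeline at @@ -2403. The `Build artifacts` step's commands begin outside this hunk, so I could not confirm which AWS calls it now satisfies through the mounted `awsconfig` volume.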
@@ -2268,19 +2520,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2337,17 +2612,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -2403,6 +2680,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -2414,13 +2715,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2439,10 +2763,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts FIPS: "yes" GNUPG_DIR: /tmpfs/gnupg 
@@ -2451,29 +2771,54 @@ steps: RUNTIME: fips TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: - cd /go/src/github.com/gravitational/teleport - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: 
@@ -2530,17 +2875,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline @@ -2595,6 +2942,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -2606,13 +2977,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2625,16 +3019,14 @@ steps: - make deb environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -2643,19 +3035,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2712,12 +3127,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -2772,6 +3189,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -2781,13 +3222,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2800,10 +3264,6 @@ steps: - make -C e deb environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts FIPS: "yes" RUNTIME: fips 
@@ -2811,25 +3271,50 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: - cd /go/src/github.com/gravitational/teleport - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: 
@@ -2886,12 +3371,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline @@ -2974,19 +3461,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3041,6 +3551,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -3048,7 +3560,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline @@ -3103,6 +3615,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -3114,13 +3650,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3137,10 +3696,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: "386" - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -3148,10 +3703,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -3160,19 +3717,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3229,17 +3809,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -3292,8 +3874,32 @@ steps: commands: - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' volumes: - - name: dockersock - path: /var/run + - name: dockersock + path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -3305,13 +3911,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3324,16 +3953,14 @@ steps: - make deb environment: ARCH: "386" - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -3342,19 +3969,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3411,12 +4061,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:32 +# Generated at dronegen/mac.go:33 ################################################ kind: pipeline 
@@ -3524,19 +4176,37 @@ steps: $FILE > $FILE.sha256; done && ls -l environment: WORKSPACE_DIR: /tmp/build-darwin-amd64 +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials - name: Upload to S3 commands: - set -u - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64 - name: Register artifacts commands: @@ -3614,7 +4284,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:32 +# Generated at dronegen/mac.go:33 ################################################ kind: pipeline 
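Review bot: On the macOS exec pipelines the `Assume AWS Role` step writes the session credentials to `/tmp/build-darwin-amd64/credentials` on the runner host instead of a per-pipeline temp volume, and nothing in this hunk (or the `-pkg` and `-pkg-tsh` variants in the next two hunks) deletes that file once `Upload to S3` has run. Unless a workspace cleanup step outside the hunk removes it, a still-valid session token persists on the shared host between builds and is created with the default umask; add `umask 077` before the `printf` and `rm -f "$AWS_SHARED_CREDENTIALS_FILE"` at the end of the last step that uses it (or a cleanup step in dronegen that runs on failure as well as success). The `Upload to S3` step here already uses `set -u`, so the `AWS_SHARED_CREDENTIALS_FILE` variable is checked for presence but not for the file actually existing; a `test -s "$AWS_SHARED_CREDENTIALS_FILE"` guard would make a skipped or failed assume step fail loudly.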
@@ -3674,6 +4344,27 @@ steps: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-pkg/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - name: Download built tarball artifacts from S3 commands: - set -u @@ -3684,13 +4375,10 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg @@ -3731,13 +4419,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg - name: Register artifacts commands: 
@@ -3797,7 +4482,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:32 +# Generated at dronegen/mac.go:33 ################################################ kind: pipeline @@ -3857,6 +4542,27 @@ steps: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-pkg-tsh/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - name: Download built tarball artifacts from S3 commands: - set -u @@ -3867,13 +4573,10 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh 
@@ -3914,13 +4617,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh - name: Register artifacts commands: @@ -3980,7 +4680,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline 
@@ -4063,19 +4763,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4130,6 +4853,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -4137,7 +4862,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline 
@@ -4220,19 +4945,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4287,6 +5035,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -4294,7 +5044,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -4349,6 +5099,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -4360,13 +5134,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4379,16 +5176,14 @@ steps: - make deb environment: ARCH: arm64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
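Review bot: The `Assume Download AWS Role`, `Assume Build AWS Role` and `Assume Upload AWS Role` steps all overwrite the `default` profile in the same `/root/.aws/credentials` on the shared `awsconfig` volume, so which role a consuming step runs under depends solely on step order, and a step inserted between an assume step and its consumer would silently inherit the previous role's session. Either a comment on each assume step naming its consumer, e.g. `# writes the default profile for the next step only; the following Assume step overwrites it`, or distinct profile names per role (`[download]`, `[build]`, `[upload]` selected with `AWS_PROFILE` in the consumer) would make the hand-off explicit. The `Build artifacts` step now carries no AWS variables and relies on the mounted `/root/.aws`; whether `make deb`, which runs from a `docker` image against the docker socket, reads that file from inside the step container is not visible here and is worth confirming, since a nested build container would not see the mount unless it is passed through. The same layout appears in the other linux arm/arm64 deb and rpm pipelines in this diff.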
@@ -4397,19 +5192,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4466,12 +5284,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -4526,6 +5346,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -4537,13 +5381,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4556,16 +5423,14 @@ steps: - make deb environment: ARCH: arm - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -4574,19 +5439,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4643,12 +5531,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -4703,6 +5593,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -4714,13 +5628,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4737,10 +5674,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: arm64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -4748,10 +5681,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -4760,19 +5695,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4829,17 +5787,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:464 +# Generated at dronegen/tag.go:481 ################################################ kind: pipeline 
@@ -4894,6 +5854,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -4905,13 +5889,36 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4928,10 +5935,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: arm - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -4939,10 +5942,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -4951,19 +5956,42 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -5020,17 +6048,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:240 +# Generated at dronegen/tag.go:222 ################################################ kind: pipeline 
@@ -5116,19 +6146,42 @@ steps: - cp /go/artifacts/teleport-v$${VERSION}-windows-amd64-bin.zip /go/artifacts/teleport-ent-v$${VERSION}-windows-amd64-bin.zip - cd /go/artifacts && for FILE in teleport*.zip; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -5183,6 +6236,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -5234,6 +6289,31 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt + - name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws + - name: Build/push OSS/Enterprise Docker images image: docker environment: @@ -5243,13 +6323,11 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache make bash aws-cli - chown -R $UID:$GID /go @@ -5266,13 +6344,11 @@ steps: GOPATH: /go OS: linux ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go @@ -5295,6 +6371,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -5331,31 +6409,77 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - name: Download built tarball artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download built tarball artifacts from S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - name: Build OSS AMIs - image: hashicorp/packer:1.7.6 + - name: Assume Packer AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: AWS_ACCESS_KEY_ID: from_secret: AWS_PACKER_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_PACKER_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_PACKER_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Build OSS AMIs + image: hashicorp/packer:1.7.6 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli jq make - cd /go/src/github.com/gravitational/teleport/assets/aws 
@@ -5371,16 +6495,40 @@ steps: make oss fi - - name: Sync OSS build timestamp to S3 + - name: Assume S3 Timestamp Sync AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Sync OSS build timestamp to S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/oss_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ @@ -5396,6 +6544,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -5433,32 +6583,78 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - name: Download built tarball artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download built tarball artifacts from S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - name: Build Enterprise AMIs - image: hashicorp/packer:1.7.6 + - name: Assume Packer AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = 
%s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: AWS_ACCESS_KEY_ID: from_secret: AWS_PACKER_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_PACKER_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_PACKER_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Build Enterprise AMIs + image: hashicorp/packer:1.7.6 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli jq make - cd /go/src/github.com/gravitational/teleport/assets/aws 
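Review bot: `Assume Packer AWS Role` calls `aws sts assume-role` without `--duration-seconds`, so the credentials it writes to `[default]` carry the default one-hour lifetime, and the `Build Enterprise AMIs` step that follows runs the whole Packer build on them. If an AMI build takes longer than that, it fails partway with an expired token rather than up front; where the role's maximum session duration permits, pass an explicit duration sized to the build, e.g. `--duration-seconds 7200` (constructed value), in this step. The OSS pipeline's packer step in the preceding hunk, which begins outside this chunk, has the same shape.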
@@ -5475,16 +6671,40 @@ steps: make ent fi - - name: Sync Enterprise build timestamp to S3 + - name: Assume S3 Timestamp Sync AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Sync Enterprise build timestamp to S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/ent_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ @@ -5500,12 +6720,14 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/buildbox.go:83 +# Generated at dronegen/buildbox.go:94 ################################################ kind: pipeline 
@@ -5545,68 +6767,94 @@ steps: volumes: - name: dockersock path: /var/run -- name: buildbox +- name: Configure Staging AWS Profile + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile staging + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Configure Production AWS Profile + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + >> /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile production + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Build and push buildbox image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - 
export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox - docker tag public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION - environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run -- name: buildbox-fips + - name: awsconfig + path: /root/.aws +- name: Build and push buildbox-fips image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" 
--password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-fips - docker tag public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION - environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run -- name: buildbox-centos6 + - name: awsconfig + path: /root/.aws +- name: Build and push buildbox-centos6 image: docker commands: - apk add --no-cache make 
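Review bot: `Configure Staging AWS Profile` truncates `/root/.aws/credentials` with `>` while `Configure Production AWS Profile` appends with `>>`, so the two steps are only correct in this exact order; if they are ever reordered, or one is re-run in isolation, the staging step silently discards the production profile. Since the `awsconfig` volume is fresh for each pipeline run, both steps can use `>>` and neither needs to know it runs first. Separately, the removed lines exported each key pair only inside the step that used it for `get-login-password`, whereas now both the staging and production role credentials stay readable on the volume for the whole of every `Build and push …` step, including its `make -C build.assets …` run; that is a wider exposure than before and worth a comment in the generator if it is accepted. The `-arm`, `-centos7` and `-centos7-fips` steps in the `@@ -5622,99 +6870,66 @@` hunk mount the same volume.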
@@ -5622,99 +6870,66 @@ steps: volumes: - name: dockersock path: /var/run -- name: buildbox-arm +- name: Build and push buildbox-arm image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-arm - docker tag public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION - environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run -- name: buildbox-centos7 + - name: awsconfig + path: /root/.aws +- name: Build and push 
buildbox-centos7 image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-centos7 - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION - environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run -- name: buildbox-centos7-fips + - name: awsconfig + path: /root/.aws +- name: Build and push buildbox-centos7-fips image: docker commands: - apk add --no-cache make aws-cli - chown -R 
$UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-centos7-fips - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION - environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind 
@@ -5725,12 +6940,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/os_repos.go:254 +# Generated at dronegen/os_repos.go:250 ################################################ kind: pipeline @@ -5758,7 +6975,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/os_repos.go:278 +# Generated at dronegen/os_repos.go:274 ################################################ kind: pipeline 
@@ -5802,21 +7019,76 @@ steps: a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) depends_on: - Check out code -- name: Download artifacts for "${DRONE_TAG}" +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease +- name: Download artifacts for "${DRONE_TAG}" + image: amazon/aws-cli + commands: + - mkdir -pv "$ARTIFACT_PATH" + - rm -rf "$ARTIFACT_PATH/*" + - aws s3 sync --no-progress --delete --exclude "*" --include "*.deb*" s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ + "$ARTIFACT_PATH" + environment: + ARTIFACT_PATH: /go/artifacts + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease +- name: Assume Upload AWS Role image: amazon/aws-cli commands: - - mkdir -pv "$ARTIFACT_PATH" - - rm -rf "${ARTIFACT_PATH}/*" - - aws s3 sync --no-progress --delete --exclude "*" --include "*.deb*" s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ - "$ARTIFACT_PATH" + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts 
assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - ARTIFACT_PATH: /go/artifacts AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET + from_secret: APT_REPO_NEW_AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: APT_REPO_NEW_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: APT_REPO_NEW_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws depends_on: - Verify build is tagged - Check out code @@ -5838,11 +7110,7 @@ steps: environment: APTLY_ROOT_DIR: /mnt/aptly ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: APT_REPO_NEW_AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: APT_REPO_NEW_AWS_SECRET_ACCESS_KEY BUCKET_CACHE_PATH: /tmp/bucket DEBIAN_FRONTEND: noninteractive GNUPGHOME: /tmpfs/gnupg @@ -5855,6 +7123,8 @@ steps: path: /mnt - name: tmpfs path: /tmpfs + - name: awsconfig + path: /root/.aws depends_on: - Download artifacts for "${DRONE_TAG}" - Verify build is tagged @@ -5867,12 +7137,14 @@ volumes: - name: tmpfs temp: medium: memory +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/os_repos.go:254 +# Generated at dronegen/os_repos.go:250 ################################################ kind: pipeline 
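Review bot: `Download artifacts for "${DRONE_TAG}"` does not list `Assume Download AWS Role` in its `depends_on`; both steps depend only on `Verify build is tagged`, `Check out code` and `Check if tag is prerelease`, so under Drone's dependency-graph scheduling the download can start before `/root/.aws/credentials` exists. `Assume Upload AWS Role` then overwrites the same `[default]` profile with `>`, so if it is scheduled alongside the download it replaces the download credentials mid-transfer. Add `- Assume Download AWS Role` to the download step's `depends_on`, and `- Download artifacts for "${DRONE_TAG}"` to the upload-role step's list (that list continues past the hunk); the rpm pipeline in the `@@ -5944,21 +7216,76 @@` hunk has the same omission. Also, `rm -rf "$ARTIFACT_PATH/*"` keeps the `*` literal inside the quotes and removes nothing; `rm -rf "$ARTIFACT_PATH"/*` is presumably what was intended.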
@@ -5900,7 +7172,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/os_repos.go:278 +# Generated at dronegen/os_repos.go:274 ################################################ kind: pipeline 
@@ -5944,21 +7216,76 @@ steps: a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) depends_on: - Check out code +- name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease - name: Download artifacts for "${DRONE_TAG}" image: amazon/aws-cli commands: - mkdir -pv "$ARTIFACT_PATH" - - rm -rf "${ARTIFACT_PATH}/*" + - rm -rf "$ARTIFACT_PATH/*" - aws s3 sync --no-progress --delete --exclude "*" --include "*.rpm*" s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ "$ARTIFACT_PATH" environment: ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + depends_on: + - Verify build is tagged + - Check out code + - Check if tag is prerelease +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query 
"Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: YUM_REPO_NEW_AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: YUM_REPO_NEW_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + from_secret: YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws depends_on: - Verify build is tagged - Check out code @@ -5980,11 +7307,7 @@ steps: -artifact-path "$ARTIFACT_PATH" -log-level 4 -cache-dir "$CACHE_DIR" environment: ARTIFACT_PATH: /go/artifacts - AWS_ACCESS_KEY_ID: - from_secret: YUM_REPO_NEW_AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY BUCKET_CACHE_PATH: /mnt/bucket CACHE_DIR: /mnt/createrepo_cache DEBIAN_FRONTEND: noninteractive @@ -5998,6 +7321,8 @@ steps: path: /mnt - name: tmpfs path: /tmpfs + - name: awsconfig + path: /root/.aws depends_on: - Download artifacts for "${DRONE_TAG}" - Verify build is tagged @@ -6010,14 +7335,19 @@ volumes: - name: tmpfs temp: medium: memory +- name: awsconfig + temp: {} --- - +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/promote.go:82 ################################################ kind: pipeline type: kubernetes -name: promote-docker-quay +name: promote-docker-ecr trigger: event: include: @@ -6026,7 +7356,7 @@ trigger: include: - production - promote-docker - - promote-docker-quay + - promote-docker-ecr repo: include: - gravitational/* 
@@ -6047,6 +7377,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull/retag Docker images image: docker commands: 
@@ -6060,29 +7414,23 @@ steps: - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips - echo "---> Tagging images for $${VERSION}" - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} - quay.io/gravitational/teleport:$${VERSION} + public.ecr.aws/gravitational/teleport:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} - quay.io/gravitational/teleport-ent:$${VERSION} + public.ecr.aws/gravitational/teleport-ent:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips - quay.io/gravitational/teleport-ent:$${VERSION}-fips + public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin + public.ecr.aws - echo "---> Pushing images for $${VERSION}" - - docker push quay.io/gravitational/teleport:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION} - - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips - environment: - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - QUAY_PASSWORD: - from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD - QUAY_USERNAME: - from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME + - docker push public.ecr.aws/gravitational/teleport:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} + - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind 
@@ -6093,17 +7441,19 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/promote.go:82 +# Generated at dronegen/promote.go:92 ################################################ kind: pipeline type: kubernetes -name: promote-docker-ecr +name: promote-docker-quay trigger: event: include: @@ -6112,7 +7462,7 @@ trigger: include: - production - promote-docker - - promote-docker-ecr + - promote-docker-quay repo: include: - gravitational/* @@ -6133,6 +7483,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull/retag Docker images image: docker commands: 
@@ -6146,26 +7520,27 @@ steps: - docker pull 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips - echo "---> Tagging images for $${VERSION}" - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$${VERSION} - public.ecr.aws/gravitational/teleport:$${VERSION} + quay.io/gravitational/teleport:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION} - public.ecr.aws/gravitational/teleport-ent:$${VERSION} + quay.io/gravitational/teleport-ent:$${VERSION} - docker tag 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$${VERSION}-fips - public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + quay.io/gravitational/teleport-ent:$${VERSION}-fips - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws + - docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io - echo "---> Pushing images for $${VERSION}" - - docker push public.ecr.aws/gravitational/teleport:$${VERSION} - - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION} - - docker push public.ecr.aws/gravitational/teleport-ent:$${VERSION}-fips + - docker push quay.io/gravitational/teleport:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION} + - docker push quay.io/gravitational/teleport-ent:$${VERSION}-fips environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET + QUAY_PASSWORD: + from_secret: PRODUCTION_QUAYIO_DOCKER_PASSWORD + QUAY_USERNAME: + from_secret: PRODUCTION_QUAYIO_DOCKER_USERNAME volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind 
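Review bot: `docker login -u="$QUAY_USERNAME" -p="$QUAY_PASSWORD" quay.io` passes the registry password as a command-line argument, which Docker itself warns against because it is visible in the process list and in any shell trace, and it is inconsistent with the `--password-stdin` form used for ECR in the same step. Replace it with `echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io`. The line is new on this side only because the two promote pipelines swapped positions in the file, so the fix belongs in dronegen's quay variant.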
@@ -6176,6 +7551,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- kind: pipeline 
@@ -6203,34 +7580,81 @@ steps: commands: - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)" - - name: Download artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - AWS_REGION: us-west-2 + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download artifacts from S3 + image: amazon/aws-cli commands: - mkdir -p /go/artifacts - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws - - name: Upload artifacts to production S3 - image: plugins/s3 - settings: - bucket: - from_secret: PRODUCTION_AWS_S3_BUCKET - access_key: + - name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts 
get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - secret_key: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - region: us-east-1 - acl: public-read - source: /go/artifacts/* - target: teleport/${DRONE_TAG##v}/ - strip_prefix: /go/artifacts/ + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Upload artifacts to production S3 + image: amazon/aws-cli + environment: + AWS_REGION: us-east-1 + AWS_S3_BUCKET: + from_secret: PRODUCTION_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/artifacts/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - name: Check out code image: docker:git 
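Review bot: In `Assume Download AWS Role`, a failing `aws sts assume-role` inside the `printf` command substitution does not fail the step on its own — the substitution's exit status is discarded, `printf` succeeds, and a `[default]` profile with empty fields lands on the shared `awsconfig` volume — so the trailing `aws sts get-caller-identity --profile default` is the only check, and nothing says so. Since every later `Assume … AWS Role` step overwrites that same `[default]` profile, the role a given step runs under is decided purely by step order, which also deserves a note. A comment above the first assume step would capture both, e.g. `# Writes the assumed-role session as the [default] profile on the shared awsconfig volume; later Assume steps overwrite it, and the final get-caller-identity is the check that assume-role succeeded.` The identical block recurs in the hunks at `@@ -6242`, `@@ -6271`, `@@ -6299`, `@@ -6331` and `@@ -6474`; if dronegen emits it, a single helper there would keep the copies in step.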
@@ -6242,27 +7666,73 @@ steps: git fetch origin +refs/tags/${DRONE_TAG}: git checkout -qf FETCH_HEAD - - name: Download AMI timestamps - image: docker + - name: Assume AMI Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download AMI timestamps + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws commands: - - apk add --no-cache aws-cli - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ /go/src/github.com/gravitational/teleport/assets/aws/files/build - - name: Make AMIs public - image: docker + - name: Assume AMI Publish AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity 
--profile default environment: AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Make AMIs public + image: docker + volumes: + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli bash jq make - cd /go/src/github.com/gravitational/teleport/assets/aws @@ -6271,6 +7741,31 @@ steps: make change-amis-to-public-ent make change-amis-to-public-ent-fips + - name: "Helm: Assume Download AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + # Download all previously packaged charts. This is needed to rebuild the # index and re-publish the repository. - name: "Helm: Download chart repository" @@ -6278,10 +7773,9 @@ steps: environment: AWS_S3_BUCKET: from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws commands: - mkdir -p /go/chart - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart 
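Review bot: `Assume AMI Publish AWS Role` assumes `PRODUCTION_AWS_ROLE` with the `PRODUCTION_AWS_*` keys, the same secrets `Assume Upload AWS Role` uses for the S3 artifact upload in the previous hunk; if that is a single role carrying both S3 write and EC2 image-permission rights, each of those steps receives a session broader than its task. A role per task keeps each session scoped, and a comment on each assume step naming the permissions the role is expected to carry would make the intent reviewable; the same question applies to the Helm steps in the next hunk, where `PRODUCTION_CHARTS_AWS_ROLE` serves both the download and the publish. `Make AMIs public` continues outside the hunk, and its unpinned `apk add --no-cache aws-cli bash jq make` is unchanged by this commit.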
@@ -6299,20 +7793,43 @@ steps: - helm repo index /go/chart - ls /go/chart - - name: "Helm: Publish chart repository to S3" - image: plugins/s3 - settings: - bucket: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - access_key: + - name: "Helm: Assume Upload AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - secret_key: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - region: us-east-2 - acl: public-read - source: /go/chart/* - target: / - strip_prefix: /go/chart + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: "Helm: Publish chart repository to S3" + image: amazon/aws-cli + environment: + AWS_REGION: us-east-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/chart/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/ # NOTE: all mandatory steps for a release promotion need to go BEFORE this # step, as there is a chance that everything afterwards will be skipped. 
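Review bot: The replacement publish command `- aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/` relies on the bucket still accepting object ACLs; with S3 Object Ownership set to bucket-owner-enforced the request is rejected, so confirm the bucket's setting or grant public read through a bucket policy and drop the flag. The sync also carries no `--delete`, matching the old plugin, so charts removed locally stay in the bucket — presumably intended, but worth a one-line comment. The same `--acl public-read` sync is introduced for release artifacts in the hunk at `@@ -6203`.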
@@ -6331,18 +7848,41 @@ steps: - cd /go/src/github.com/gravitational/teleport/build.assets/tooling - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> Not publishing ${DRONE_TAG} packages to RPM and DEB repos' && exit 78) - - name: "RPM: Download RPM repository" + - name: "RPM: Assume AWS Role" image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: RPMREPO_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: RPMREPO_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: RPMREPO_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: "RPM: Download RPM repository" + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: RPMREPO_AWS_S3_BUCKET volumes: - name: rpmrepo path: /rpmrepo + - name: awsconfig + path: /root/.aws commands: - mkdir -p /rpmrepo/teleport/cache # Explicitly delete anything present locally before copying over new assets @@ -6401,13 +7941,11 @@ steps: environment: AWS_S3_BUCKET: from_secret: RPMREPO_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: RPMREPO_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY volumes: - name: rpmrepo path: /rpmrepo + - name: awsconfig + path: /root/.aws commands: - aws s3 sync /rpmrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/ @@ -6424,6 +7962,8 @@ services: path: /tmpfs volumes: + - name: awsconfig + temp: {} - name: dockersock temp: {} - name: tmpfs 
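Review bot: `RPM: Assume AWS Role` calls `aws sts assume-role` without `--duration-seconds`, so the session gets the STS default of one hour, and the credentials are next consumed by the upload in the hunk at `@@ -6401,13 +7941,11 @@`, after the entire repository rebuild in between; a slow rebuild would fail that upload with an expired token. Either pass `--duration-seconds` (within the role's maximum session duration) or add a second assume step directly before the upload, as the download/upload pairs elsewhere in this file do. The download step's commands continue outside the hunk.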
@@ -6474,6 +8014,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull relcli image: docker:cli commands: @@ -6481,14 +8045,12 @@ steps: - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - docker pull $RELCLI_IMAGE environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY AWS_DEFAULT_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Publish in Release API image: docker:git commands: @@ -6509,10 +8071,12 @@ steps: RELEASES_KEY: from_secret: RELEASES_KEY volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: tmpfs + path: /tmpfs + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind 
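Review bot: The `environment` keys of the new top-level `Assume AWS Role` step are ordered `AWS_ACCESS_KEY_ID`, `AWS_ROLE`, `AWS_SECRET_ACCESS_KEY`, while every other assume step in this commit lists `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_ROLE`; harmless to the parser, but it makes the copies harder to diff against each other. Matching the order used by the other steps (or sorting all of them) keeps the repeated block recognisable.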
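Review bot: `Publish in Release API` now mounts the `awsconfig` volume, but the visible part of the step shows only relcli inputs (`RELEASES_KEY`, the `tmpfs` and `dockersock` mounts), and the ECR pull that needs AWS credentials is done in `Pull relcli`; if the step's commands (outside the hunk) never call the AWS CLI, the mount hands the read-only role session to a container that does not need it and should be removed. If it is needed, a comment on the mount saying why, e.g. `# awsconfig: needed for <reason>`, would stop a later cleanup from dropping it.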
@@ -6523,13 +8087,15 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock +- name: awsconfig temp: {} --- kind: signature -hmac: da4f80e4901a9cdf5a68b46497cafcbb811d155b3a35e8dc837d88b9447cba74 +hmac: ef20a2ae8f3c1a1a0c872c7d567875d6377fc67d1f00839f6a34559d07e2ec3d ...