diff --git a/.drone.yml b/.drone.yml index 990cca573f7d7..3b5ece35c5a82 100644 --- a/.drone.yml +++ b/.drone.yml @@ -2687,7 +2687,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -2728,6 +2728,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2744,10 +2768,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -2769,6 +2789,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -2904,7 +2948,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -2943,6 +2987,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2959,10 +3027,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts FIPS: "yes" GNUPG_DIR: /tmpfs/gnupg @@ -2983,6 +3047,30 @@ steps: - cd /go/src/github.com/gravitational/teleport - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -3124,7 +3212,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -3165,6 +3253,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3177,10 +3289,6 @@ steps: - make deb environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go @@ -3197,6 +3305,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -3327,7 +3459,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -3366,6 +3498,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3378,10 +3534,6 @@ steps: - make -C e deb environment: ARCH: amd64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts FIPS: "yes" RUNTIME: fips @@ -3397,6 +3549,30 @@ steps: - cd /go/src/github.com/gravitational/teleport - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -3710,7 +3886,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -3751,6 +3927,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3767,10 +3967,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: "386" - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -3792,11 +3988,35 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; -- name: Upload to S3 +- name: Assume Upload AWS Role image: amazon/aws-cli commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: AWS_REGION: us-west-2 AWS_S3_BUCKET: @@ -3927,7 +4147,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -3968,6 +4188,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3980,10 +4224,6 @@ steps: - make deb environment: ARCH: "386" - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go @@ -4000,6 +4240,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -5118,7 +5382,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -5159,6 +5423,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -5171,10 +5459,6 @@ steps: - make deb environment: ARCH: arm64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go @@ -5191,6 +5475,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -5321,7 +5629,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -5362,6 +5670,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -5374,10 +5706,6 @@ steps: - make deb environment: ARCH: arm - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go @@ -5394,6 +5722,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -5524,7 +5876,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -5565,6 +5917,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -5581,10 +5957,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: arm64 - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -5606,6 +5978,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -5741,7 +6137,7 @@ steps: volumes: - name: dockersock path: /var/run -- name: Assume AWS Role +- name: Assume Download AWS Role image: amazon/aws-cli commands: - aws sts get-caller-identity @@ -5782,6 +6178,30 @@ steps: volumes: - name: awsconfig path: /root/.aws +- name: Assume Build AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -5798,10 +6218,6 @@ steps: - rm -rf $GNUPG_DIR environment: ARCH: arm - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET ENT_TARBALL_PATH: /go/artifacts GNUPG_DIR: /tmpfs/gnupg GPG_RPM_SIGNING_ARCHIVE: @@ -5823,6 +6239,30 @@ steps: \; - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; +- name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 image: amazon/aws-cli commands: @@ -6614,160 +7054,390 @@ steps: volumes: - name: dockersock path: /var/run -- name: buildbox +- name: Assume Staging buildbox AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Build buildbox and push to Staging image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox - docker tag public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Production buildbox AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Push buildbox to Production + image: docker + commands: + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Staging buildbox-fips AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: + AWS_ROLE: + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - - name: dockersock - path: /var/run -- name: buildbox-fips + - name: awsconfig + path: /root/.aws +- name: Build buildbox-fips and push to Staging image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-fips - docker tag public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Production buildbox-fips AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Push buildbox-fips to Production + image: docker + commands: + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Staging buildbox-arm AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: + AWS_ROLE: + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - - name: dockersock - path: /var/run -- name: buildbox-arm + - name: awsconfig + path: /root/.aws +- name: Build buildbox-arm and push to Staging image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-arm - docker tag public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Production buildbox-arm AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Push buildbox-arm to Production + image: docker + commands: + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Staging buildbox-centos7 AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: + AWS_ROLE: + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - - name: dockersock - path: /var/run -- name: buildbox-centos7 + - name: awsconfig + path: /root/.aws +- name: Build buildbox-centos7 and push to Staging image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-centos7 - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Production buildbox-centos7 AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY + AWS_ROLE: + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Push buildbox-centos7 to Production + image: docker + commands: + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Staging buildbox-centos7-fips AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - PROD_AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: + AWS_ROLE: + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - - name: dockersock - path: /var/run -- name: buildbox-centos7-fips + - name: awsconfig + path: /root/.aws +- name: Build buildbox-centos7-fips and push to Staging image: docker commands: - apk add --no-cache make aws-cli - chown -R $UID:$GID /go - - export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY" - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - make -C build.assets buildbox-centos7-fips - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID" - - export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY" - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION + volumes: + - name: dockersock + path: /var/run + - name: awsconfig + path: /root/.aws +- name: Assume Production buildbox-centos7-fips AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity environment: - PROD_AWS_ACCESS_KEY_ID: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - PROD_AWS_SECRET_ACCESS_KEY: + AWS_ROLE: + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - STAGING_AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - STAGING_AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET + volumes: + - name: awsconfig + path: /root/.aws +- name: Push buildbox-centos7-fips to Production + image: docker + commands: + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go + - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin + public.ecr.aws + - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind @@ -6778,6 +7448,8 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ @@ -8286,6 +8958,6 @@ steps: WORKSPACE_DIR: /tmp/build-darwin-amd64-connect --- kind: signature -hmac: a8f632da163542a11d283e349dd3f726134a463b54b1fd1c8a653e89ca05c2d2 +hmac: 0da0c58e70b198937a8389796c397742e5249256ddf8383030711616631b2551 ... diff --git a/dronegen/buildbox.go b/dronegen/buildbox.go index 537ca3e7988bb..aa32ab310035d 100644 --- a/dronegen/buildbox.go +++ b/dronegen/buildbox.go @@ -16,7 +16,7 @@ package main import "fmt" -func buildboxPipelineSteps() []step { +func allBuildboxPipelineSteps() []step { steps := []step{ { Name: "Check out code", @@ -35,46 +35,66 @@ func buildboxPipelineSteps() []step { if name == "buildbox-arm" && fips { continue } - steps = append(steps, buildboxPipelineStep(name, fips)) + steps = append(steps, buildboxPipelineSteps(name, fips)...) } } return steps } -func buildboxPipelineStep(buildboxName string, fips bool) step { +func buildboxPipelineSteps(buildboxName string, fips bool) []step { if fips { buildboxName += "-fips" } - return step{ - Name: buildboxName, - Image: "docker", - Environment: map[string]value{ - "STAGING_AWS_ACCESS_KEY_ID": {fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_KEY"}, - "STAGING_AWS_SECRET_ACCESS_KEY": {fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_SECRET"}, - "PROD_AWS_ACCESS_KEY_ID": {fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY"}, - "PROD_AWS_SECRET_ACCESS_KEY": {fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET"}, + assumeStagingRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_KEY"}, + awsSecretAccessKey: value{fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_SECRET"}, + role: value{fromSecret: "STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE"}, }, - Volumes: []volumeRef{volumeRefDocker}, - Commands: []string{ - `apk add --no-cache make aws-cli`, - `chown -R $UID:$GID /go`, - // Authenticate to staging registry - `export AWS_ACCESS_KEY_ID="$STAGING_AWS_ACCESS_KEY_ID"`, - `export AWS_SECRET_ACCESS_KEY="$STAGING_AWS_SECRET_ACCESS_KEY"`, - `aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin ` + StagingRegistry, - // Build buildbox image - fmt.Sprintf(`make -C build.assets %s`, buildboxName), - // Retag for staging registry - fmt.Sprintf(`docker tag %s/gravitational/teleport-%s:$BUILDBOX_VERSION %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, ProductionRegistry, buildboxName, StagingRegistry, buildboxName), - // Push to staging registry - fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, StagingRegistry, buildboxName), - // Authenticate to production registry - `docker logout ` + StagingRegistry, - `export AWS_ACCESS_KEY_ID="$PROD_AWS_ACCESS_KEY_ID"`, - `export AWS_SECRET_ACCESS_KEY="$PROD_AWS_SECRET_ACCESS_KEY"`, - `aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin ` + ProductionRegistry, - // Push to production registry - fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION`, ProductionRegistry, buildboxName), + configVolume: volumeRefAwsConfig, + }) + assumeStagingRoleStep.Name = fmt.Sprintf("Assume Staging %s AWS Role", buildboxName) + assumeProductionRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY"}, + awsSecretAccessKey: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET"}, + role: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }) + assumeProductionRoleStep.Name = fmt.Sprintf("Assume Production %s AWS Role", buildboxName) + return []step{ + assumeStagingRoleStep, + step{ + Name: fmt.Sprintf("Build %s and push to Staging", buildboxName), + Image: "docker", + Volumes: []volumeRef{volumeRefDocker, volumeRefAwsConfig}, + Commands: []string{ + `apk add --no-cache make aws-cli`, + `chown -R $UID:$GID /go`, + // Authenticate to staging registry + `aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin ` + StagingRegistry, + // Build buildbox image + fmt.Sprintf(`make -C build.assets %s`, buildboxName), + // Retag for staging registry + fmt.Sprintf(`docker tag %s/gravitational/teleport-%s:$BUILDBOX_VERSION %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, ProductionRegistry, buildboxName, StagingRegistry, buildboxName), + // Push to staging registry + fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, StagingRegistry, buildboxName), + }, + }, + assumeProductionRoleStep, + step{ + Name: fmt.Sprintf("Push %s to Production", buildboxName), + Image: "docker", + Volumes: []volumeRef{volumeRefDocker, volumeRefAwsConfig}, + Commands: []string{ + `apk add --no-cache make aws-cli`, + `chown -R $UID:$GID /go`, + // Authenticate to production registry + `aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin ` + ProductionRegistry, + // Push to production registry + fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION`, ProductionRegistry, buildboxName), + }, }, } } @@ -90,10 +110,10 @@ func buildboxPipeline() pipeline { // only on master for now; add the release branch name when forking a new release series. p.Trigger = pushTriggerForBranch("master", "branch/*") p.Workspace = workspace{Path: "/go/src/github.com/gravitational/teleport"} - p.Volumes = []volume{volumeDocker} + p.Volumes = []volume{volumeDocker, volumeAwsConfig} p.Services = []service{ dockerService(), } - p.Steps = buildboxPipelineSteps() + p.Steps = allBuildboxPipelineSteps() return p } diff --git a/dronegen/tag.go b/dronegen/tag.go index 8648e042ac36a..7034d589898cc 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -424,11 +424,9 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { } environment := map[string]value{ - "ARCH": {raw: b.arch}, - "TMPDIR": {raw: "/go"}, - "ENT_TARBALL_PATH": {raw: "/go/artifacts"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"}, + "ARCH": {raw: b.arch}, + "TMPDIR": {raw: "/go"}, + "ENT_TARBALL_PATH": {raw: "/go/artifacts"}, } dependentPipeline := fmt.Sprintf("build-%s-%s", b.os, b.arch) @@ -495,6 +493,34 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { panic("packageType is not set") } + assumeDownloadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }) + assumeDownloadRoleStep.Name = "Assume Download AWS Role" + assumeBuildRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"}, + awsSecretAccessKey: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"}, + role: value{fromSecret: "TELEPORT_BUILD_READ_ONLY_AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }) + assumeBuildRoleStep.Name = "Assume Build AWS Role" + assumeUploadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }) + assumeUploadRoleStep.Name = "Assume Upload AWS Role" + pipelineName := fmt.Sprintf("%s-%s", dependentPipeline, packageType) p := newKubePipeline(pipelineName) @@ -515,14 +541,7 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { Commands: tagCheckoutCommands(b), }, waitForDockerStep(), - kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configVolume: volumeRefAwsConfig, - }), + assumeDownloadRoleStep, { Name: "Download artifacts from S3", Image: "amazon/aws-cli", @@ -533,6 +552,7 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { Commands: tagDownloadArtifactCommands(b), Volumes: []volumeRef{volumeRefAwsConfig}, }, + assumeBuildRoleStep, { Name: "Build artifacts", Image: "docker", @@ -545,6 +565,7 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { Image: "docker", Commands: tagCopyPackageArtifactCommands(b, packageType), }, + assumeUploadRoleStep, kubernetesUploadToS3Step(kubernetesS3Settings{ region: "us-west-2", source: "/go/artifacts/",