diff --git a/.drone.yml b/.drone.yml index 05d0d3859c103..6444c67a84ae6 100644 --- a/.drone.yml +++ b/.drone.yml @@ -442,7 +442,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:18 +# Generated at dronegen/mac.go:19 ################################################ kind: pipeline @@ -776,6 +776,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull relcli image: docker:cli commands: @@ -783,14 +807,12 @@ steps: - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - docker pull $RELCLI_IMAGE environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY AWS_DEFAULT_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Clean up previously built artifacts image: docker:git commands: 
@@ -811,10 +833,12 @@ steps: RELEASES_KEY: from_secret: RELEASES_KEY volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: tmpfs + path: /tmpfs + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind @@ -825,10 +849,12 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock +- name: awsconfig temp: {} --- @@ -1030,15 +1056,39 @@ steps: - mkdir -p /go/chart - cd /go/chart - - name: Download chart repo contents + - name: Assume AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download chart repo contents + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws commands: - mkdir -p /go/chart # download all previously packaged chart versions from the S3 bucket 
@@ -1057,19 +1107,17 @@ steps: - helm repo index /go/chart - name: Upload to S3 - image: plugins/s3 - settings: - bucket: + image: amazon/aws-cli + commands: + - cd /go/chart + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/ + environment: + AWS_REGION: us-east-2 + AWS_S3_BUCKET: from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - access_key: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - secret_key: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - region: us-east-2 - acl: public-read - source: /go/chart/* - target: / - strip_prefix: /go/chart + volumes: + - name: awsconfig + path: /root/.aws - name: Send Slack notification image: plugins/slack @@ -1086,11 +1134,14 @@ steps: when: status: [failure] +volumes: + - name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
@@ -1173,19 +1224,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1240,6 +1314,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -1247,7 +1323,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
@@ -1330,19 +1406,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1397,6 +1496,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -1404,7 +1505,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
@@ -1490,19 +1591,42 @@ steps: - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos6-bin.tar.gz - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1557,6 +1681,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -1564,7 +1690,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline @@ -1619,6 +1745,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -1630,13 +1780,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -1657,10 +1806,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -1670,18 +1821,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1738,17 +1888,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -1803,6 +1955,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -1812,13 +1988,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -1840,10 +2015,12 @@ steps: RUNTIME: fips TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -1851,18 +2028,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -1919,17 +2095,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -1984,6 +2162,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -1995,13 +2197,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2017,6 +2218,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -2026,18 +2229,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2094,12 +2296,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline @@ -2154,6 +2358,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -2163,13 +2391,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2186,6 +2413,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: @@ -2193,18 +2422,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2261,12 +2489,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
@@ -2349,19 +2579,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2416,6 +2669,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -2423,7 +2678,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -2478,6 +2733,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -2489,13 +2768,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2516,11 +2794,13 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run -- name: Copy artifacts + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs +- name: Copy artifacts image: docker commands: - cd /go/src/github.com/gravitational/teleport 
@@ -2529,18 +2809,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2597,17 +2876,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -2662,6 +2943,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -2673,13 +2978,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -2695,6 +2999,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
@@ -2704,18 +3010,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -2772,12 +3077,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:18 +# Generated at dronegen/mac.go:19 ################################################ kind: pipeline 
@@ -2858,19 +3165,37 @@ steps: $FILE > $FILE.sha256; done && ls -l environment: WORKSPACE_DIR: /tmp/build-darwin-amd64 +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials - name: Upload to S3 commands: - set -u - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64 - name: Register artifacts commands: @@ -2930,7 +3255,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:18 +# Generated at dronegen/mac.go:19 ################################################ kind: pipeline 
@@ -2990,6 +3315,27 @@ steps: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-pkg/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - name: Download built tarball artifacts from S3 commands: - set -u @@ -3000,13 +3346,10 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg @@ -3047,13 +3390,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg - name: Register artifacts commands: 
@@ -3113,7 +3453,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go:18 +# Generated at dronegen/mac.go:19 ################################################ kind: pipeline @@ -3173,6 +3513,27 @@ steps: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh +- name: Assume AWS Role + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /tmp/build-darwin-amd64-pkg-tsh/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - name: Download built tarball artifacts from S3 commands: - set -u @@ -3183,13 +3544,10 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh 
@@ -3230,13 +3588,10 @@ steps: - cd $WORKSPACE_DIR/go/artifacts - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh - name: Register artifacts commands: @@ -3296,7 +3651,7 @@ steps: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
@@ -3379,19 +3734,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3446,6 +3824,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -3453,7 +3833,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
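Review bot: The new `Assume AWS Role` step, which is the one step still holding the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets, runs `image: amazon/aws-cli` with no tag, so the image that handles those keys floats on whatever `latest` resolves to at build time; the rewritten `Upload to S3` step here and the matching steps in `@@ -3536,19 +3916,42 @@`, `@@ -3665,6 +4070,30 @@`, `@@ -4404,19 +4913,42 @@` and the AMI and publish pipelines further down have the same shape. The untagged image was already in use before this change, but the generator evidently supports pinning (`hashicorp/packer:1.7.6` in `@@ -4623,31 +5157,77 @@`), so `image: amazon/aws-cli:<pinned-tag-or-digest>` in dronegen would close the gap for the credential-handling step. Moving from `plugins/s3` with static keys to `aws s3 sync` under a short-lived STS session is otherwise the right direction.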
@@ -3536,19 +3916,42 @@ steps: \; - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3603,6 +4006,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} @@ -3610,7 +4015,7 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -3665,6 +4070,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -3676,13 +4105,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3698,6 +4126,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: 
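Review bot: The `awsconfig` volume that now carries the assumed-role session is also mounted into `Build artifacts` (`image: docker`) in `@@ -3698,6 +4126,8 @@`, although none of the commands visible for that step call `aws`; if the build itself needs no AWS access, limiting the mount to `Download artifacts from S3` and `Upload to S3` keeps the build scripts and whatever they execute from reading `/root/.aws/credentials`. The same extra mount appears in `@@ -3868,6 +4322,8 @@`, `@@ -4043,10 +4523,12 @@` and `@@ -4227,10 +4733,12 @@`. Separately, a single `Assume AWS Role` now has to cover download, build, copy and upload, and `aws sts assume-role` is called without `--duration-seconds`, so the session lasts the role's default (one hour unless the role is configured otherwise); a build that runs longer than that reaches `Upload to S3` with expired credentials. Either re-assume before the upload, as the release pipelines further down do with separate `Assume … AWS Role` steps, or request a longer session explicitly. The `Build artifacts` step's command list begins outside the hunk.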
@@ -3707,18 +4137,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3775,12 +4204,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline @@ -3835,6 +4266,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: 
@@ -3846,13 +4301,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -3868,6 +4322,8 @@ steps: volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Copy artifacts image: docker commands: @@ -3877,18 +4333,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -3945,12 +4400,14 @@ services: volumes: - name: dockersock temp: {} +- name: awsconfig + temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -4005,6 +4462,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -4016,13 +4497,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4043,10 +4523,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -4056,18 +4538,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4124,17 +4605,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:423 +# Generated at dronegen/tag.go:413 ################################################ kind: pipeline 
@@ -4189,6 +4672,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Download artifacts from S3 image: amazon/aws-cli commands: @@ -4200,13 +4707,12 @@ steps: - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz /go/artifacts/ environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws - name: Build artifacts image: docker commands: @@ -4227,10 +4733,12 @@ steps: OSS_TARBALL_PATH: /go/artifacts TMPDIR: /go volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws + - name: tmpfs + path: /tmpfs - name: Copy artifacts image: docker commands: 
@@ -4240,18 +4748,17 @@ steps: - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts \; - name: Upload to S3 - image: plugins/s3 - settings: - access_key: - from_secret: AWS_ACCESS_KEY_ID - bucket: + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: - from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4308,17 +4815,19 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} +- name: awsconfig + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock - temp: {} --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go:226 +# Generated at dronegen/tag.go:202 ################################################ kind: pipeline 
@@ -4404,19 +4913,42 @@ steps: - cp /go/artifacts/teleport-v$${VERSION}-windows-amd64-bin.zip /go/artifacts/teleport-ent-v$${VERSION}-windows-amd64-bin.zip - cd /go/artifacts && for FILE in teleport*.zip; do sha256sum $FILE > $FILE.sha256; done && ls -l -- name: Upload to S3 - image: plugins/s3 - settings: - access_key: +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID - bucket: - from_secret: AWS_S3_BUCKET - region: us-west-2 - secret_key: + AWS_ROLE: + from_secret: AWS_ROLE + AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - source: /go/artifacts/* - strip_prefix: /go/artifacts/ - target: teleport/tag/${DRONE_TAG##v} + volumes: + - name: awsconfig + path: /root/.aws +- name: Upload to S3 + image: amazon/aws-cli + commands: + - cd /go/artifacts/ + - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts image: docker commands: @@ -4471,6 +5003,8 @@ services: - name: dockersock path: /var/run volumes: +- name: awsconfig + temp: {} - name: dockersock temp: {} 
@@ -4623,31 +5157,77 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - name: Download built tarball artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download built tarball artifacts from S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - name: Build OSS AMIs - image: hashicorp/packer:1.7.6 + - name: Assume Packer AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: AWS_ACCESS_KEY_ID: from_secret: AWS_PACKER_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_PACKER_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_PACKER_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Build OSS AMIs + image: hashicorp/packer:1.7.6 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli jq make - cd /go/src/github.com/gravitational/teleport/assets/aws 
@@ -4663,16 +5243,40 @@ steps: make oss fi - - name: Sync OSS build timestamp to S3 + - name: Assume S3 Timestamp Sync AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Sync OSS build timestamp to S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/oss_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ @@ -4688,6 +5292,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- kind: pipeline 
@@ -4725,32 +5331,78 @@ steps: # set version - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - name: Download built tarball artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download built tarball artifacts from S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - name: Build Enterprise AMIs - image: hashicorp/packer:1.7.6 + - name: Assume Packer AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = 
%s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: AWS_ACCESS_KEY_ID: from_secret: AWS_PACKER_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_PACKER_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_PACKER_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Build Enterprise AMIs + image: hashicorp/packer:1.7.6 volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli jq make - cd /go/src/github.com/gravitational/teleport/assets/aws 
@@ -4767,16 +5419,40 @@ steps: make ent fi - - name: Sync Enterprise build timestamp to S3 + - name: Assume S3 Timestamp Sync AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Sync Enterprise build timestamp to S3 + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws commands: - export VERSION=$(cat /go/.version.txt) - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/ent_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ @@ -4792,6 +5468,8 @@ services: volumes: - name: dockersock temp: {} + - name: awsconfig + temp: {} --- ################################################ 
@@ -4931,34 +5609,81 @@ clone: disable: true steps: - - name: Download artifacts from S3 + - name: Assume Download AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - AWS_REGION: us-west-2 + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download artifacts from S3 + image: amazon/aws-cli commands: - mkdir -p /go/artifacts - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws - - name: Upload artifacts to production S3 - image: plugins/s3 - settings: - bucket: - from_secret: PRODUCTION_AWS_S3_BUCKET - access_key: + - name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: 
from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - secret_key: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - region: us-east-1 - acl: public-read - source: /go/artifacts/* - target: teleport/${DRONE_TAG##v}/ - strip_prefix: /go/artifacts/ + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Upload artifacts to production S3 + image: amazon/aws-cli + environment: + AWS_REGION: us-east-1 + AWS_S3_BUCKET: + from_secret: PRODUCTION_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/artifacts/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - name: Pull/retag Docker images image: docker 
@@ -5009,27 +5734,73 @@ steps: git fetch origin +refs/tags/${DRONE_TAG}: git checkout -qf FETCH_HEAD - - name: Download AMI timestamps - image: docker + - name: Assume AMI Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download AMI timestamps + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws commands: - - apk add --no-cache aws-cli - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ /go/src/github.com/gravitational/teleport/assets/aws/files/build - - name: Make AMIs public - image: docker + - name: Assume AMI Publish AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity 
--profile default environment: AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Make AMIs public + image: docker + volumes: + - name: awsconfig + path: /root/.aws commands: - apk add --no-cache aws-cli bash jq make - cd /go/src/github.com/gravitational/teleport/assets/aws @@ -5038,6 +5809,31 @@ steps: make change-amis-to-public-ent make change-amis-to-public-ent-fips + - name: "Helm: Assume Download AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + # Download all previously packaged charts. This is needed to rebuild the # index and re-publish the repository. - name: "Helm: Download chart repository" @@ -5045,10 +5841,9 @@ steps: environment: AWS_S3_BUCKET: from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + volumes: + - name: awsconfig + path: /root/.aws commands: - mkdir -p /go/chart - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart 
@@ -5066,20 +5861,43 @@ steps: - helm repo index /go/chart - ls /go/chart - - name: "Helm: Publish chart repository to S3" - image: plugins/s3 - settings: - bucket: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - access_key: + - name: "Helm: Assume Upload AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - secret_key: + AWS_SECRET_ACCESS_KEY: from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - region: us-east-2 - acl: public-read - source: /go/chart/* - target: / - strip_prefix: /go/chart + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: "Helm: Publish chart repository to S3" + image: amazon/aws-cli + environment: + AWS_REGION: us-east-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/chart/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/ # NOTE: all mandatory steps for a release promotion need to go BEFORE this # step, as there is a chance that everything afterwards will be skipped. 
@@ -5104,18 +5922,41 @@ steps: echo "---> Publishing packages to repos for ${DRONE_TAG}" fi - - name: Download RPM repo contents + - name: Assume RPM Repo AWS Role image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default environment: - AWS_S3_BUCKET: - from_secret: RPMREPO_AWS_S3_BUCKET AWS_ACCESS_KEY_ID: from_secret: RPMREPO_AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY: from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: RPMREPO_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download RPM repo contents + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: RPMREPO_AWS_S3_BUCKET volumes: - name: rpmrepo path: /rpmrepo + - name: awsconfig + path: /root/.aws commands: - mkdir -p /rpmrepo/teleport/cache # we explicitly want to delete anything present locally which has been deleted @@ -5165,13 +6006,11 @@ steps: environment: AWS_S3_BUCKET: from_secret: RPMREPO_AWS_S3_BUCKET - AWS_ACCESS_KEY_ID: - from_secret: RPMREPO_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY volumes: - name: rpmrepo path: /rpmrepo + - name: awsconfig + path: /root/.aws commands: - aws s3 sync /rpmrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/ @@ -5188,6 +6027,8 @@ services: path: /tmpfs volumes: + - name: awsconfig + temp: {} - name: dockersock temp: {} - name: tmpfs 
@@ -5201,6 +6042,7 @@ volumes: - name: debrepo claim: name: drone-s3-debrepo-pvc + --- ################################################ # Generated using dronegen, do not edit by hand! @@ -5238,6 +6080,30 @@ steps: volumes: - name: dockersock path: /var/run +- name: Assume AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + AWS_ROLE: + from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + AWS_SECRET_ACCESS_KEY: + from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + volumes: + - name: awsconfig + path: /root/.aws - name: Pull relcli image: docker:cli commands: @@ -5245,14 +6111,12 @@ steps: - aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - docker pull $RELCLI_IMAGE environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY AWS_DEFAULT_REGION: us-west-2 - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET volumes: - name: dockersock path: /var/run + - name: awsconfig + path: /root/.aws - name: Publish in Release API image: docker:git commands: @@ -5273,10 +6137,12 @@ steps: RELEASES_KEY: from_secret: RELEASES_KEY volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run + - name: tmpfs + path: /tmpfs + - name: awsconfig + path: /root/.aws services: - name: Start Docker image: docker:dind 
@@ -5287,13 +6153,15 @@ services: - name: dockersock path: /var/run volumes: +- name: dockersock + temp: {} - name: tmpfs temp: medium: memory -- name: dockersock +- name: awsconfig temp: {} --- kind: signature -hmac: 150222d317ea00eee280320eba4e78774d1b98dcdab508e3e6145c847de1532b +hmac: 16ef006a7442ffa65082ccbb3dea412476cf387ef779e4448e8b9d0fd6170b2e ... diff --git a/dronegen/aws.go b/dronegen/aws.go new file mode 100644 index 0000000000000..f5c763ce27716 --- /dev/null +++ b/dronegen/aws.go 
@@ -0,0 +1,138 @@ +// Copyright 2022 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "fmt" + "path/filepath" +) + +// awsRoleSettings contains the information necessary to assume an AWS Role +// +// This is intended to be imbedded, please use the kubernetes/mac/windows versions +// with their corresponding pipelines. +type awsRoleSettings struct { + awsAccessKeyID value + awsSecretAccessKey value + role value +} + +// kubernetesRoleSettings contains the info necessary to assume an AWS role and save the credentials to a volume that later steps can use +type kubernetesRoleSettings struct { + awsRoleSettings + configVolume volumeRef + name string + profile string + append bool +} + +// macRoleSettings contains the info necessary to assume an AWS role and save the credentials to a path that later steps can use +type macRoleSettings struct { + awsRoleSettings + configPath string + name string + profile string + append bool +} + +// kuberentesS3Settings contains all info needed to download from S3 in a kubernetes pipeline +type kubernetesS3Settings struct { + region string + source string + target string + configVolume volumeRef +} + +// assumeRoleCommands is a helper to build the role assumption commands on a *nix platform +func assumeRoleCommands(profile, configPath string, appendFile bool) []string { + if profile == "" { // set a default profile if none is specified + profile = "default" + } + + var redirect 
string + if appendFile { + redirect = ">>" + } else { + redirect = ">" + } + + assumeRoleCmd := fmt.Sprintf(`printf "[%s]\naws_access_key_id = %%s\naws_secret_access_key = %%s\naws_session_token = %%s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + %s %s`, profile, redirect, configPath) + + return []string{ + `aws sts get-caller-identity`, // check the original identity + assumeRoleCmd, + `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY`, // remove original identity from environment + `aws sts get-caller-identity --profile ` + profile, // check the new assumed identity + } +} + +// kubernetesAssumeAwsRoleStep builds a step to assume an AWS role and save it to a volume that later steps can use +func kubernetesAssumeAwsRoleStep(s kubernetesRoleSettings) step { + if s.name == "" { + s.name = "Assume AWS Role" + } + configPath := filepath.Join(s.configVolume.Path, "credentials") + return step{ + Name: s.name, + Image: "amazon/aws-cli", + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": s.awsAccessKeyID, + "AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey, + "AWS_ROLE": s.role, + }, + Volumes: []volumeRef{s.configVolume}, + Commands: assumeRoleCommands(s.profile, configPath, s.append), + } +} + +// macAssumeAwsRoleStep builds a step to assume an AWS role and save it to a host path that later steps can use +func macAssumeAwsRoleStep(s macRoleSettings) step { + if s.name == "" { + s.name = "Assume AWS Role" + } + return step{ + Name: s.name, + Environment: map[string]value{ + "AWS_ACCESS_KEY_ID": s.awsAccessKeyID, + "AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey, + "AWS_ROLE": s.role, + "AWS_SHARED_CREDENTIALS_FILE": value{raw: s.configPath}, + }, + Commands: assumeRoleCommands(s.profile, s.configPath, s.append), + } +} + +// kubernetesUploadToS3Step generates an S3 upload step +func 
kubernetesUploadToS3Step(s kubernetesS3Settings) step { + return step{ + Name: "Upload to S3", + Image: "amazon/aws-cli", + Environment: map[string]value{ + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_REGION": {raw: s.region}, + }, + Volumes: []volumeRef{s.configVolume}, + Commands: []string{ + `cd ` + s.source, + `aws s3 sync . s3://$AWS_S3_BUCKET/` + s.target, + }, + } +} diff --git a/dronegen/buildbox.go b/dronegen/buildbox.go index eec2cf3adb918..b301bbc53ede0 100644 --- a/dronegen/buildbox.go +++ b/dronegen/buildbox.go @@ -43,7 +43,7 @@ func buildboxPipelineStep(buildboxName string, fips bool) step { "QUAYIO_DOCKER_USERNAME": {fromSecret: "QUAYIO_DOCKER_USERNAME"}, "QUAYIO_DOCKER_PASSWORD": {fromSecret: "QUAYIO_DOCKER_PASSWORD"}, }, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, Commands: []string{ `apk add --no-cache make`, `chown -R $UID:$GID /go`, @@ -68,7 +68,7 @@ func buildboxPipeline() pipeline { } p.Workspace = workspace{Path: "/go/src/github.com/gravitational/teleport"} - p.Volumes = dockerVolumes() + p.Volumes = []volume{volumeDocker} p.Services = []service{ dockerService(), } diff --git a/dronegen/common.go b/dronegen/common.go index c05e93f7bea81..33f9e69506599 100644 --- a/dronegen/common.go +++ b/dronegen/common.go @@ -40,6 +40,10 @@ var ( Name: "dockersock", Temp: &volumeTemp{}, } + volumeRefDocker = volumeRef{ + Name: "dockersock", + Path: "/var/run", + } volumeTmpfs = volume{ Name: "tmpfs", Temp: &volumeTemp{Medium: "memory"}, @@ -49,9 +53,13 @@ var ( Name: "tmpfs", Path: "/tmpfs", } - volumeRefDocker = volumeRef{ - Name: "dockersock", - Path: "/var/run", + volumeAwsConfig = volume{ + Name: "awsconfig", + Temp: &volumeTemp{}, + } + volumeRefAwsConfig = volumeRef{ + Name: "awsconfig", + Path: "/root/.aws", } // TODO(gus): Set this from `make -C build.assets print-runtime-version` or similar rather 
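Review bot: In assumeRoleCommands the `aws sts assume-role` call runs inside a command substitution, so its exit status is discarded and a failed role assumption still writes a `[profile]` section with empty values to the credentials file; the step then fails only at the trailing `aws sts get-caller-identity --profile`, with a less specific error. Capturing the output first, `creds="$(aws sts assume-role ...)" || exit 1`, and passing `$creds` to the printf keeps the failure at its source. kubernetesAssumeAwsRoleStep builds configPath with `filepath.Join`, but `s.configVolume.Path` is a path inside the step's container, so `path.Join` is the right helper (a generator run on Windows would emit backslashes). The doc-comment typos `imbedded` and `kuberentesS3Settings` should read `embedded` and `kubernetesS3Settings`.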
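Review bot: volumeAwsConfig is declared as `Temp: &volumeTemp{}`, while the neighbouring volumeTmpfs uses `Temp: &volumeTemp{Medium: "memory"}` and tag.go states that tmpfs is used to hold key material in memory; the awsconfig volume holds the STS session credentials written by the assume-role step, so `Medium: "memory"` here would keep that file off node disk (if the runner backs a plain temp volume with disk) and consistent with the existing rule for secret material. The credentials are short-lived, so the exposure window is bounded, but the volume is mounted into several steps per pipeline.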
@@ -154,18 +162,6 @@ func dockerService(v ...volumeRef) service { } } -// dockerVolumes returns a slice of volumes -// It includes the Docker socket volume by default, plus any extra volumes passed in -func dockerVolumes(v ...volume) []volume { - return append(v, volumeDocker) -} - -// dockerVolumeRefs returns a slice of volumeRefs -// It includes the Docker socket volumeRef as a default, plus any extra volumeRefs passed in -func dockerVolumeRefs(v ...volumeRef) []volumeRef { - return append(v, volumeRefDocker) -} - // releaseMakefileTarget gets the correct Makefile target for a given arch/fips/centos6 combo func releaseMakefileTarget(b buildType) string { makefileTarget := fmt.Sprintf("release-%s", b.arch) @@ -190,6 +186,6 @@ func waitForDockerStep() step { Commands: []string{ `timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done'`, }, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, } } diff --git a/dronegen/mac.go b/dronegen/mac.go index c2e74811fe808..f6625c05a6479 100644 --- a/dronegen/mac.go +++ b/dronegen/mac.go @@ -3,6 +3,7 @@ package main import ( "fmt" "path" + "path/filepath" ) // escapedPreformatted returns expr wrapped in escaped backticks, @@ -76,6 +77,7 @@ func darwinTagPipeline() pipeline { } p := newDarwinPipeline("build-darwin-amd64") p.Trigger = triggerTag + awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") p.DependsOn = []string{tagCleanupPipelineName} p.Steps = []step{ setUpExecStorageStep(p.Workspace.Path), 
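Review bot: awsConfigPath places the credentials file inside the exec runner's workspace on the host, `filepath.Join(p.Workspace.Path, "credentials")`, and nothing in this diff removes it after the upload step runs; unless the existing exec-storage teardown (not visible here) deletes the whole workspace, the STS session credentials remain on the macOS runner until they expire. The same applies to the identical line in the mac_pkg.go `@@ -12,6 +12,7 @@` hunk. A final step, or an addition to the teardown, running `rm -f "$AWS_SHARED_CREDENTIALS_FILE"` would close that gap.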
@@ -105,14 +107,21 @@ func darwinTagPipeline() pipeline { }, Commands: darwinTagCopyPackageArtifactCommands(), }, + macAssumeAwsRoleStep(macRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configPath: awsConfigPath, + }), { Name: "Upload to S3", Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, }, Commands: darwinUploadToS3Commands(), }, diff --git a/dronegen/mac_pkg.go b/dronegen/mac_pkg.go index d195d2c39f7ab..f79feb1b5a3b1 100644 --- a/dronegen/mac_pkg.go +++ b/dronegen/mac_pkg.go @@ -12,6 +12,7 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific os: "darwin", } p := newDarwinPipeline(name) + awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") p.Trigger = triggerTag p.DependsOn = []string{"build-darwin-amd64"} p.Steps = []step{ 
@@ -24,15 +25,22 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific }, Commands: darwinTagCheckoutCommands(), }, + macAssumeAwsRoleStep(macRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configPath: awsConfigPath, + }), { Name: "Download built tarball artifacts from S3", Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, + "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, }, Commands: darwinTagDownloadArtifactCommands(), }, @@ -60,11 +68,10 @@ func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualific { Name: "Upload to S3", Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": {fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, + "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, + "WORKSPACE_DIR": {raw: p.Workspace.Path}, }, Commands: []string{ `set -u`, diff --git a/dronegen/push.go b/dronegen/push.go index 771cc489ec6ed..8f4a363349003 100644 --- a/dronegen/push.go +++ b/dronegen/push.go 
@@ -95,7 +95,7 @@ func pushPipeline(b buildType) pipeline { } p.Trigger = triggerPush p.Workspace = workspace{Path: "/go"} - p.Volumes = dockerVolumes() + p.Volumes = []volume{volumeDocker} p.Services = []service{ dockerService(), } @@ -113,7 +113,7 @@ func pushPipeline(b buildType) pipeline { Name: "Build artifacts", Image: "docker", Environment: pushEnvironment, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, Commands: pushBuildCommands(b), }, { diff --git a/dronegen/relcli.go b/dronegen/relcli.go index c12919fc01c25..717151aacb2f0 100644 --- a/dronegen/relcli.go +++ b/dronegen/relcli.go 
@@ -31,28 +31,39 @@ func relcliPipeline(trigger trigger, name string, stepName string, command strin }, }, waitForDockerStep(), - pullRelcliStep(), + kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"}, + awsSecretAccessKey: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"}, + role: value{fromSecret: "TELEPORT_BUILD_READ_ONLY_AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }), + pullRelcliStep(volumeRefAwsConfig), executeRelcliStep(stepName, command), } - p.Services = []service{ - dockerService(volumeRefTmpfs), + p.Services = []service{dockerService(volumeRefTmpfs)} + p.Volumes = []volume{ + volumeDocker, + volumeTmpfs, + volumeAwsConfig, } - p.Volumes = dockerVolumes(volumeTmpfs) return p } -func pullRelcliStep() step { +func pullRelcliStep(awsConfigVolumeRef volumeRef) step { return step{ Name: "Pull relcli", Image: "docker:cli", Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": {fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"}, - "AWS_SECRET_ACCESS_KEY": {fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"}, - "AWS_DEFAULT_REGION": {raw: "us-west-2"}, + "AWS_DEFAULT_REGION": {raw: "us-west-2"}, + }, + Volumes: []volumeRef{ + volumeRefDocker, + volumeRefAwsConfig, }, - Volumes: dockerVolumeRefs(), Commands: []string{ `apk add --no-cache aws-cli`, `aws ecr get-login-password | docker login -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com`, @@ -72,10 +83,11 @@ func executeRelcliStep(name string, command string) step { "RELCLI_CERT": {raw: "/tmpfs/creds/releases.crt"}, "RELCLI_KEY": {raw: "/tmpfs/creds/releases.key"}, }, - Volumes: dockerVolumeRefs(volumeRef{ - Name: "tmpfs", - Path: "/tmpfs", - }), + Volumes: []volumeRef{ + volumeRefDocker, + volumeRefTmpfs, + volumeRefAwsConfig, + }, Commands: []string{ `mkdir -p /tmpfs/creds`, `echo "$RELEASES_CERT" | base64 -d > "$RELCLI_CERT"`, 
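Review bot: pullRelcliStep gains an `awsConfigVolumeRef volumeRef` parameter, but its Volumes literal still mounts the package-level `volumeRefAwsConfig`, so the argument passed from relcliPipeline is ignored; either use it, `Volumes: []volumeRef{volumeRefDocker, awsConfigVolumeRef},`, or drop the parameter and keep the call as `pullRelcliStep()`. In the second hunk (`@@ -72,10 +83,11 @@`) executeRelcliStep also mounts volumeRefAwsConfig, yet its visible commands only decode the release certificate and key; if relcli does not call AWS, that mount hands the credentials file to a step that does not need it and can be removed.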
diff --git a/dronegen/tag.go b/dronegen/tag.go index 0c75c4c66afe6..e86be583e345d 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -132,30 +132,6 @@ func tagCopyArtifactCommands(b buildType) []string { return commands } -type s3Settings struct { - region string - source string - target string - stripPrefix string -} - -// uploadToS3Step generates an S3 upload step -func uploadToS3Step(s s3Settings) step { - return step{ - Name: "Upload to S3", - Image: "plugins/s3", - Settings: map[string]value{ - "bucket": value{fromSecret: "AWS_S3_BUCKET"}, - "access_key": value{fromSecret: "AWS_ACCESS_KEY_ID"}, - "secret_key": value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - "region": value{raw: s.region}, - "source": value{raw: s.source}, - "target": value{raw: s.target}, - "strip_prefix": value{raw: s.stripPrefix}, - }, - } -} - // tagPipelines builds all applicable tag pipeline combinations func tagPipelines() []pipeline { var ps []pipeline @@ -230,7 +206,7 @@ func tagPipeline(b buildType) pipeline { p.Trigger = triggerTag p.DependsOn = []string{tagCleanupPipelineName} p.Workspace = workspace{Path: "/go"} - p.Volumes = dockerVolumes() + p.Volumes = []volume{volumeAwsConfig, volumeDocker} p.Services = []service{ dockerService(), } @@ -248,7 +224,7 @@ func tagPipeline(b buildType) pipeline { Name: "Build artifacts", Image: "docker", Environment: tagEnvironment, - Volumes: dockerVolumeRefs(), + Volumes: []volumeRef{volumeRefDocker}, Commands: tagBuildCommands(b), }, { 
@@ -256,11 +232,19 @@ func tagPipeline(b buildType) pipeline { Image: "docker", Commands: tagCopyArtifactCommands(b), }, - uploadToS3Step(s3Settings{ - region: "us-west-2", - source: "/go/artifacts/*", - target: "teleport/tag/${DRONE_TAG##v}", - stripPrefix: "/go/artifacts/", + kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }), + kubernetesUploadToS3Step(kubernetesS3Settings{ + region: "us-west-2", + source: "/go/artifacts/", + target: "teleport/tag/${DRONE_TAG##v}", + configVolume: volumeRefAwsConfig, }), { Name: "Register artifacts", @@ -391,8 +375,14 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { environment["OSS_TARBALL_PATH"] = value{raw: "/go/artifacts"} } - packageDockerVolumes := dockerVolumes() - packageDockerVolumeRefs := dockerVolumeRefs() + packageDockerVolumes := []volume{ + volumeDocker, + volumeAwsConfig, + } + packageDockerVolumeRefs := []volumeRef{ + volumeRefDocker, + volumeRefAwsConfig, + } packageDockerService := dockerService() switch packageType { @@ -407,8 +397,8 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { `rm -rf $GNUPG_DIR`, ) // RPM builds require tmpfs to hold the key material in memory. - packageDockerVolumes = dockerVolumes(volumeTmpfs) - packageDockerVolumeRefs = dockerVolumeRefs(volumeRefTmpfs) + packageDockerVolumes = append(packageDockerVolumes, volumeTmpfs) + packageDockerVolumeRefs = append(packageDockerVolumeRefs, volumeRefTmpfs) packageDockerService = dockerService(volumeRefTmpfs) case debPackage: packageBuildCommands = append(packageBuildCommands, 
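Review bot: packageDockerVolumeRefs now includes volumeRefAwsConfig next to the docker socket; if these refs are applied to the package build steps (their use is outside this hunk), the STS credentials file is mounted into build containers that make no AWS calls, while the step that does need it, `Download artifacts from S3` in the `@@ -438,16 +428,23 @@` hunk, already mounts `volumeRefAwsConfig` explicitly. Keeping `packageDockerVolumeRefs := []volumeRef{volumeRefDocker}` and adding the credentials mount only on the steps that read it limits the credentials to the steps that use them.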
@@ -438,16 +428,23 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { Commands: tagCheckoutCommands(b.fips), }, waitForDockerStep(), + kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ + awsRoleSettings: awsRoleSettings{ + awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, + awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + role: value{fromSecret: "AWS_ROLE"}, + }, + configVolume: volumeRefAwsConfig, + }), { Name: "Download artifacts from S3", Image: "amazon/aws-cli", Environment: map[string]value{ - "AWS_REGION": value{raw: "us-west-2"}, - "AWS_S3_BUCKET": value{fromSecret: "AWS_S3_BUCKET"}, - "AWS_ACCESS_KEY_ID": value{fromSecret: "AWS_ACCESS_KEY_ID"}, - "AWS_SECRET_ACCESS_KEY": value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, + "AWS_REGION": {raw: "us-west-2"}, + "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, }, Commands: tagDownloadArtifactCommands(b), + Volumes: []volumeRef{volumeRefAwsConfig}, }, { Name: "Build artifacts", @@ -461,11 +458,11 @@ func tagPackagePipeline(packageType string, b buildType) pipeline { Image: "docker", Commands: tagCopyPackageArtifactCommands(b, packageType), }, - uploadToS3Step(s3Settings{ - region: "us-west-2", - source: "/go/artifacts/*", - target: "teleport/tag/${DRONE_TAG##v}", - stripPrefix: "/go/artifacts/", + kubernetesUploadToS3Step(kubernetesS3Settings{ + region: "us-west-2", + source: "/go/artifacts/", + target: "teleport/tag/${DRONE_TAG##v}", + configVolume: volumeRefAwsConfig, }), { Name: "Register artifacts",