diff --git a/.drone.yml b/.drone.yml index 558a8330ea269..0b6ebbf251031 100644 --- a/.drone.yml +++ b/.drone.yml @@ -7289,19 +7289,6 @@ steps: commands: - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' && exit 1)' -- name: Check if tag is prerelease - image: golang:1.18-alpine - commands: - - apk add git - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_TAG}" - - cd "/tmp/repo/build.assets/tooling" - - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is - a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) - name: Check out code image: alpine/git:latest commands: @@ -7337,13 +7324,12 @@ steps: path: /root/.aws depends_on: - Verify build is tagged - - Check if tag is prerelease - Check out code - name: Download artifacts for "${DRONE_TAG}" image: amazon/aws-cli commands: - mkdir -pv "$ARTIFACT_PATH" - - rm -rf "$ARTIFACT_PATH/*" + - rm -rf "$ARTIFACT_PATH"/* - aws s3 sync --no-progress --delete --exclude "*" --include "*.deb*" s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ "$ARTIFACT_PATH" environment: @@ -7354,8 +7340,8 @@ steps: - name: awsconfig path: /root/.aws depends_on: + - Assume Download AWS Role - Verify build is tagged - - Check if tag is prerelease - Check out code - name: Assume Upload AWS Role image: amazon/aws-cli 
@@ -7382,8 +7368,25 @@ steps: - name: awsconfig path: /root/.aws depends_on: + - Download artifacts for "${DRONE_TAG}" + - Verify build is tagged + - Check out code +- name: Check if tag is prerelease + image: golang:1.18-alpine + commands: + - apk add git + - mkdir -pv "/tmp/repo" + - cd "/tmp/repo" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_TAG}" + - cd "/tmp/repo/build.assets/tooling" + - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is + a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) + depends_on: + - Assume Upload AWS Role - Verify build is tagged - - Check if tag is prerelease - Check out code - name: Publish debs to APT repos for "${DRONE_TAG}" image: golang:1.18-bullseye @@ -7418,9 +7421,8 @@ steps: - name: awsconfig path: /root/.aws depends_on: - - Download artifacts for "${DRONE_TAG}" - - Verify build is tagged - Check if tag is prerelease + - Verify build is tagged - Check out code volumes: - name: apt-persistence @@ -7490,19 +7492,6 @@ steps: commands: - '[ -n ${DRONE_TAG} ] || (echo ''DRONE_TAG is not set. Is the commit tagged?'' && exit 1)' -- name: Check if tag is prerelease - image: golang:1.18-alpine - commands: - - apk add git - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_TAG}" - - cd "/tmp/repo/build.assets/tooling" - - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is - a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) - name: Check out code image: alpine/git:latest commands: 
@@ -7538,13 +7527,12 @@ steps: path: /root/.aws depends_on: - Verify build is tagged - - Check if tag is prerelease - Check out code - name: Download artifacts for "${DRONE_TAG}" image: amazon/aws-cli commands: - mkdir -pv "$ARTIFACT_PATH" - - rm -rf "$ARTIFACT_PATH/*" + - rm -rf "$ARTIFACT_PATH"/* - aws s3 sync --no-progress --delete --exclude "*" --include "*.rpm*" s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ "$ARTIFACT_PATH" environment: @@ -7555,8 +7543,8 @@ steps: - name: awsconfig path: /root/.aws depends_on: + - Assume Download AWS Role - Verify build is tagged - - Check if tag is prerelease - Check out code - name: Assume Upload AWS Role image: amazon/aws-cli @@ -7576,15 +7564,32 @@ steps: AWS_ACCESS_KEY_ID: from_secret: YUM_REPO_NEW_AWS_ACCESS_KEY_ID AWS_ROLE: - from_secret: YUM_REPO_NEW_ROLE + from_secret: YUM_REPO_NEW_AWS_ROLE AWS_SECRET_ACCESS_KEY: from_secret: YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY volumes: - name: awsconfig path: /root/.aws depends_on: + - Download artifacts for "${DRONE_TAG}" + - Verify build is tagged + - Check out code +- name: Check if tag is prerelease + image: golang:1.18-alpine + commands: + - apk add git + - mkdir -pv "/tmp/repo" + - cd "/tmp/repo" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_TAG}" + - cd "/tmp/repo/build.assets/tooling" + - go run ./cmd/check -tag ${DRONE_TAG} -check prerelease || (echo '---> This is + a prerelease, not continuing promotion for ${DRONE_TAG}' && exit 78) + depends_on: + - Assume Upload AWS Role - Verify build is tagged - - Check if tag is prerelease - Check out code - name: Publish rpms to YUM repos for "${DRONE_TAG}" image: golang:1.18-bullseye @@ -7620,9 +7625,8 @@ steps: - name: awsconfig path: /root/.aws depends_on: - - Download artifacts for "${DRONE_TAG}" - - Verify build is tagged - Check if tag is prerelease + - Verify build is tagged - Check out code volumes: - name: yum-persistence 
@@ -11575,6 +11579,6 @@ volumes: temp: {} --- kind: signature -hmac: 47934b14a6ca045c0beb0357b731373852ce4d490bd3d248db2d45f30025e1e8 +hmac: e70373fddb9ac5bff144dfcacff1c8d60ece46429a4f70c724bad0307bf03740 ...
diff --git a/dronegen/os_repos.go b/dronegen/os_repos.go
index 3d3c69b71bbf1..7479bfcb49f01 100644
--- a/dronegen/os_repos.go
+++ b/dronegen/os_repos.go
@@ -195,10 +195,10 @@ func (optpb *OsPackageToolPipelineBuilder) buildPromoteOsPackagePipeline() pipel
 p.Trigger = triggerPromote
 p.Trigger.Repo.Include = []string{"gravitational/teleport"}
- setupSteps := append(
- verifyValidPromoteRunSteps(),
+ setupSteps := []step{
+ verifyTaggedStep(),
 cloneRepoStep(checkoutPath, commitName),
- )
+ }
 setupStepNames := make([]string, 0, len(setupSteps))
 for _, setupStep := range setupSteps {
@@ -343,12 +343,6 @@ func (optpb *OsPackageToolPipelineBuilder) getVersionSteps(codePath, version str
 }
 toolSetupCommands = append(toolSetupCommands, optpb.setupCommands...)
- downloadStepName := fmt.Sprintf("Download artifacts for %q", version)
- buildStepDependencies := []string{}
- if enableParallelism {
- buildStepDependencies = append(buildStepDependencies, downloadStepName)
- }
-
 assumeDownloadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
 awsRoleSettings: awsRoleSettings{
 awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"},
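Review bot: In `buildPromoteOsPackagePipeline` (dronegen/os_repos.go), `setupSteps` no longer carries the prerelease check, and nothing at this site tells a reader that promotion is still gated on the tag being a full release. The gate now comes from `getVersionSteps`, which returns `verifyNotPrereleaseStep` just ahead of the publish step, so a later edit to that list could drop the gate without touching this function. I would add a comment above the slice, for example `// The prerelease gate is not a setup step: getVersionSteps places it directly before the publish step.` The function body continues outside the hunk.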
@@ -359,86 +353,99 @@ func (optpb *OsPackageToolPipelineBuilder) getVersionSteps(codePath, version str
 name: "Assume Download AWS Role",
 })
+ downloadStep := step{
+ Name: fmt.Sprintf("Download artifacts for %q", version),
+ Image: "amazon/aws-cli",
+ Environment: map[string]value{
+ "AWS_S3_BUCKET": {
+ fromSecret: "AWS_S3_BUCKET",
+ },
+ "ARTIFACT_PATH": {
+ raw: optpb.artifactPath,
+ },
+ },
+ Volumes: []volumeRef{volumeRefAwsConfig},
+ Commands: []string{
+ "mkdir -pv \"$ARTIFACT_PATH\"",
+ // Clear out old versions from previous steps
+ "rm -rf \"$ARTIFACT_PATH\"/*",
+ strings.Join(
+ []string{
+ "aws s3 sync",
+ "--no-progress",
+ "--delete",
+ "--exclude \"*\"",
+ fmt.Sprintf("--include \"*.%s*\"", optpb.packageType),
+ fmt.Sprintf("s3://$AWS_S3_BUCKET/teleport/tag/%s/", bucketFolder),
+ "\"$ARTIFACT_PATH\"",
+ },
+ " ",
+ ),
+ },
+ }
+
 assumeUploadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
 awsRoleSettings: optpb.bucketSecrets.awsRoleSettings,
 configVolume: volumeRefAwsConfig,
 name: "Assume Upload AWS Role",
 })
- return []step{
- assumeDownloadRoleStep,
- {
- Name: downloadStepName,
- Image: "amazon/aws-cli",
- Environment: map[string]value{
- "AWS_S3_BUCKET": {
- fromSecret: "AWS_S3_BUCKET",
- },
- "ARTIFACT_PATH": {
- raw: optpb.artifactPath,
- },
- },
- Volumes: []volumeRef{volumeRefAwsConfig},
- Commands: []string{
- "mkdir -pv \"$ARTIFACT_PATH\"",
- // Clear out old versions from previous steps
- "rm -rf \"$ARTIFACT_PATH/*\"",
+ verifyNotPrereleaseStep := verifyNotPrereleaseStep()
+
+ buildAndUploadStep := step{
+ Name: fmt.Sprintf("Publish %ss to %s repos for %q", optpb.packageType, strings.ToUpper(optpb.packageManagerName), version),
+ Image: fmt.Sprintf("golang:%s-bullseye", GoVersion),
+ Environment: optpb.environmentVars,
+ Commands: append(
+ toolSetupCommands,
+ []string{
+ "mkdir -pv -m0700 \"$GNUPGHOME\"",
+ "echo \"$GPG_RPM_SIGNING_ARCHIVE\" | base64 -d | tar -xzf - -C $GNUPGHOME",
+ "chown -R root:root \"$GNUPGHOME\"",
+ fmt.Sprintf("cd %q", path.Join(codePath, "build.assets", "tooling")),
+ fmt.Sprintf("export VERSION=%q", version),
+ "export RELEASE_CHANNEL=\"stable\"", // The tool supports several release channels but I'm not sure where this should be configured
 strings.Join(
- []string{
- "aws s3 sync",
- "--no-progress",
- "--delete",
- "--exclude \"*\"",
- fmt.Sprintf("--include \"*.%s*\"", optpb.packageType),
- fmt.Sprintf("s3://$AWS_S3_BUCKET/teleport/tag/%s/", bucketFolder),
- "\"$ARTIFACT_PATH\"",
- },
+ append(
+ []string{
+ // This just makes the (long) command a little more readable
+ "go run ./cmd/build-os-package-repos",
+ optpb.packageManagerName,
+ "-bucket \"$REPO_S3_BUCKET\"",
+ "-local-bucket-path \"$BUCKET_CACHE_PATH\"",
+ "-artifact-version \"$VERSION\"",
+ "-release-channel \"$RELEASE_CHANNEL\"",
+ "-artifact-path \"$ARTIFACT_PATH\"",
+ "-log-level 4", // Set this to 5 for debug logging
+ },
+ optpb.extraArgs...,
+ ),
 " ",
 ),
+ }...,
+ ),
+ Volumes: []volumeRef{
+ {
+ Name: optpb.volumeName,
+ Path: optpb.pvcMountPoint,
 },
+ volumeRefTmpfs,
+ volumeRefAwsConfig,
 },
+ }
+
+ if enableParallelism {
+ downloadStep.DependsOn = []string{assumeDownloadRoleStep.Name}
+ assumeUploadRoleStep.DependsOn = []string{downloadStep.Name}
+ verifyNotPrereleaseStep.DependsOn = []string{assumeUploadRoleStep.Name}
+ buildAndUploadStep.DependsOn = []string{verifyNotPrereleaseStep.Name}
+ }
+
+ return []step{
+ assumeDownloadRoleStep,
+ downloadStep,
 assumeUploadRoleStep,
- {
- Name: fmt.Sprintf("Publish %ss to %s repos for %q", optpb.packageType, strings.ToUpper(optpb.packageManagerName), version),
- Image: fmt.Sprintf("golang:%s-bullseye", GoVersion),
- Environment: optpb.environmentVars,
- Commands: append(
- toolSetupCommands,
- []string{
- "mkdir -pv -m0700 \"$GNUPGHOME\"",
- "echo \"$GPG_RPM_SIGNING_ARCHIVE\" | base64 -d | tar -xzf - -C $GNUPGHOME",
- "chown -R root:root \"$GNUPGHOME\"",
- fmt.Sprintf("cd %q", path.Join(codePath, "build.assets", "tooling")),
- fmt.Sprintf("export VERSION=%q", version),
- "export RELEASE_CHANNEL=\"stable\"", // The tool supports several release channels but I'm not sure where this should be configured
- strings.Join(
- append(
- []string{
- // This just makes the (long) command a little more readable
- "go run ./cmd/build-os-package-repos",
- optpb.packageManagerName,
- "-bucket \"$REPO_S3_BUCKET\"",
- "-local-bucket-path \"$BUCKET_CACHE_PATH\"",
- "-artifact-version \"$VERSION\"",
- "-release-channel \"$RELEASE_CHANNEL\"",
- "-artifact-path \"$ARTIFACT_PATH\"",
- "-log-level 4", // Set this to 5 for debug logging
- },
- optpb.extraArgs...,
- ),
- " ",
- ),
- }...,
- ),
- Volumes: []volumeRef{
- {
- Name: optpb.volumeName,
- Path: optpb.pvcMountPoint,
- },
- volumeRefTmpfs,
- volumeRefAwsConfig,
- },
- DependsOn: buildStepDependencies,
- },
+ verifyNotPrereleaseStep,
+ buildAndUploadStep,
 }
 }
diff --git a/dronegen/yum.go b/dronegen/yum.go
index 0a8960d0b1262..2cbbb44a3fa63 100644
--- a/dronegen/yum.go
+++ b/dronegen/yum.go
@@ -36,7 +36,7 @@ func getYumPipelineBuilder() *OsPackageToolPipelineBuilder {
 "YUM_REPO_NEW_AWS_S3_BUCKET",
 "YUM_REPO_NEW_AWS_ACCESS_KEY_ID",
 "YUM_REPO_NEW_AWS_SECRET_ACCESS_KEY",
- "YUM_REPO_NEW_ROLE",
+ "YUM_REPO_NEW_AWS_ROLE",
 ),
 )
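Review bot: In `getVersionSteps` (dronegen/os_repos.go), the edge that makes the publish step wait for the prerelease check, `buildAndUploadStep.DependsOn = []string{verifyNotPrereleaseStep.Name}`, is only set inside `if enableParallelism`. Before this change the check appears to have been one of the setup steps, so its ordering did not depend on that flag; now the release gate's ordering does. How steps are ordered when the flag is false is decided by the caller, outside this hunk, so this may be harmless, but the invariant deserves a comment at the assignment such as `// Publishing must never start before the prerelease check has passed.` Separately, `verifyNotPrereleaseStep := verifyNotPrereleaseStep()` shadows the function it calls; a local name like `prereleaseStep` would read more clearly.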