Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update signArtifacts lib env vars with credentials #2275

Merged
merged 1 commit into from
Jun 29, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions tests/jenkins/TestPromoteArtifacts.groovy
Original file line number Diff line number Diff line change
Expand Up @@ -43,10 +43,12 @@ class TestPromoteArtifacts extends BuildPipelineTest {
binding.setVariable('ARTIFACT_PRODUCTION_BUCKET_NAME', 'prod-bucket-name')
binding.setVariable('WORKSPACE', 'tests/jenkins')
binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name')
binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role')
binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id')
binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket')
binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket')
def signer_client_creds = ["role": "dummy_role",
"external_id": "dummy_ID",
"unsigned_bucket": "dummy_unsigned_bucket",
"signed_bucket": "dummy_signed_bucket"]
binding.setVariable('configs', signer_client_creds)
helper.registerAllowedMethod("readJSON", [Map.class], {c -> signer_client_creds})

helper.registerAllowedMethod("git", [Map])
helper.registerAllowedMethod("s3Download", [Map])
Expand Down
10 changes: 6 additions & 4 deletions tests/jenkins/TestPromoteYumRepos.groovy
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,12 @@ class TestPromoteYumRepos extends BuildPipelineTest {
binding.setVariable('AWS_ACCOUNT_ARTIFACT', 'artifactsAccount')
binding.setVariable('ARTIFACT_PRODUCTION_BUCKET_NAME', 'prod-bucket-name')
binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name')
binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role')
binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id')
binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket')
binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket')
def signer_client_creds = ["role": "dummy_role",
"external_id": "dummy_ID",
"unsigned_bucket": "dummy_unsigned_bucket",
"signed_bucket": "dummy_signed_bucket"]
binding.setVariable('configs', signer_client_creds)
helper.registerAllowedMethod("readJSON", [Map.class], {c -> signer_client_creds})
helper.registerAllowedMethod("git", [Map])
helper.registerAllowedMethod("withAWS", [Map, Closure], { args, closure ->
closure.delegate = delegate
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

/tmp/workspace/sign.sh /tmp/workspace/archive --sigtype=.sig --platform=linux
)
Expand Down Expand Up @@ -89,14 +91,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

/tmp/workspace/sign.sh /tmp/workspace/maven --type=maven --platform=linux
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

/tmp/workspace/sign.sh /tmp/workspace/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml --type=maven --platform=linux
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

/tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux
)
Expand Down
18 changes: 9 additions & 9 deletions tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,11 @@
BuildManifest.getArtifactRootUrlWithoutDistribution(https://ci.opensearch.org/dbc, vars-build, 123)
assembleManifest.sh(./assemble.sh "tests/data/opensearch-build-1.3.0-rpm.yml" --base-url https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64)
assembleManifest.signArtifacts({artifactPath=rpm/dist/opensearch, sigtype=.rpm, platform=linux})
signArtifacts.echo(RPM Add Sign)
signArtifacts.withAWS({role=sign_asm_role, roleAccount=sign_asm_account, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-pass-id, variable=SIGNING_PASS_ID})
signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-secret-id, variable=SIGNING_SECRET_ID})
signArtifacts.withCredentials([SIGNING_PASS_ID, SIGNING_SECRET_ID], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-rpm-signing-props, variable=configs})
signArtifacts.withCredentials([configs], groovy.lang.Closure)
signArtifacts.readJSON({text=configs})
signArtifacts.echo(RPM Add Sign)
signArtifacts.withAWS({role=jenki-jenki-asm-assume-role, roleAccount=1234, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
signArtifacts.sh(
set -e
set +x
Expand Down Expand Up @@ -57,8 +57,8 @@

echo "------------------------------------------------------------------------"
echo "Import OpenSearch keys"
aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_PASS_ID" | jq -r .SecretBinary | base64 --decode > passphrase
aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_SECRET_ID" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -
aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::123456" | jq -r .SecretBinary | base64 --decode > passphrase
aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::56789" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -

echo "------------------------------------------------------------------------"
echo "Start Signing Rpm"
Expand All @@ -85,8 +85,8 @@

echo "------------------------------------------------------------------------"
echo "Clean up gpg"
gpg --batch --yes --delete-secret-keys sign_asm_keyid
gpg --batch --yes --delete-keys sign_asm_keyid
gpg --batch --yes --delete-secret-keys abcd1234
gpg --batch --yes --delete-keys abcd1234
rm -v passphrase

)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
)
Expand All @@ -60,14 +62,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
)
Expand All @@ -60,14 +62,16 @@
signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
signArtifacts.readJSON({text=signer_client_creds})
signArtifacts.sh(
#!/bin/bash
set +x
export ROLE=dummy_signer_client_role
export EXTERNAL_ID=signer_client_external_id
export UNSIGNED_BUCKET=signer_client_unsigned_bucket
export SIGNED_BUCKET=signer_client_signed_bucket
export ROLE=dummy_role
export EXTERNAL_ID=dummy_ID
export UNSIGNED_BUCKET=dummy_unsigned_bucket
export SIGNED_BUCKET=dummy_signed_bucket

tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
)
Expand Down
Loading