teleport/dronegen/buildbox.go

// Copyright 2021 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import "fmt"

func buildboxPipelineSteps() []step {
	steps := []step{
		{
			Name:  "Check out code",
			Image: "docker:git",
			Commands: []string{
				`git clone --depth 1 --single-branch --branch ${DRONE_SOURCE_BRANCH:-master} https://github.com/gravitational/${DRONE_REPO_NAME}.git .`,
				`git checkout ${DRONE_COMMIT}`,
			},
		},
		waitForDockerStep(),
		kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
			awsRoleSettings: awsRoleSettings{
				awsAccessKeyID:     value{fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_KEY"},
				awsSecretAccessKey: value{fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_SECRET"},
				role:               value{fromSecret: "STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE"},
			},
			configVolume: volumeRefAwsConfig,
			name:         "Configure Staging AWS Profile",
			profile:      "staging",
		}),
		kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
			awsRoleSettings: awsRoleSettings{
				awsAccessKeyID:     value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY"},
				awsSecretAccessKey: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET"},
				role:               value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE"},
			},
			configVolume: volumeRefAwsConfig,
			name:         "Configure Production AWS Profile",
			append:       true,
			profile:      "production",
		}),
	}

	for _, name := range []string{"buildbox", "buildbox-arm", "buildbox-centos7"} {
		for _, fips := range []bool{false, true} {
			// FIPS is unsupported on ARM/ARM64
			if name == "buildbox-arm" && fips {
				continue
			}
			steps = append(steps, buildboxPipelineStep(name, fips))
		}
	}
	return steps
}

func buildboxPipelineStep(buildboxName string, fips bool) step {
	if fips {
		buildboxName += "-fips"
	}
	return step{
		Name:    "Build and push " + buildboxName,
		Image:   "docker",
		Pull:    "if-not-exists",
		Volumes: []volumeRef{volumeRefAwsConfig, volumeRefDocker, volumeRefDockerConfig},
		Commands: []string{
			`apk add --no-cache make aws-cli`,
			`chown -R $UID:$GID /go`,
			// Authenticate to staging registry
			`aws ecr get-login-password --profile staging --region=us-west-2 | docker login -u="AWS" --password-stdin ` + StagingRegistry,
			// Build buildbox image
			fmt.Sprintf(`make -C build.assets %s`, buildboxName),
			// Retag for staging registry
			fmt.Sprintf(`docker tag %s/gravitational/teleport-%s:$BUILDBOX_VERSION %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, ProductionRegistry, buildboxName, StagingRegistry, buildboxName),
			// Push to staging registry
			fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, StagingRegistry, buildboxName),
			// Authenticate to production registry
			`docker logout ` + StagingRegistry,
			`aws ecr-public get-login-password --profile production --region=us-east-1 | docker login -u="AWS" --password-stdin ` + ProductionRegistry,
			// Push to production registry
			fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION`, ProductionRegistry, buildboxName),
		},
	}
}

func buildboxPipeline() pipeline {
	p := newKubePipeline("build-buildboxes")
	p.Environment = map[string]value{
		"BUILDBOX_VERSION": buildboxVersion,
		"UID":              {raw: "1000"},
		"GID":              {raw: "1000"},
	}

	// only on master for now; add the release branch name when forking a new release series.
	p.Trigger = pushTriggerForBranch("master", "branch/*")
	p.Workspace = workspace{Path: "/go/src/github.com/gravitational/teleport"}
	p.Volumes = []volume{volumeAwsConfig, volumeDocker, volumeDockerConfig}
	p.Services = []service{
		dockerService(),
	}
	p.Steps = buildboxPipelineSteps()
	return p
}
Lint and fix missing license headers (#8075) Introduce new make targets to check and add license headers to files ("make lint-license" and "make fix-license"). License checking is now a part of "make lint" as well. Initial attempts used goheader, but it caused "make lint-go" to become about 9x slower (if not more), plus it only targets go files. Google's addlicense is fast enough and targets however many file types we want. Existing files that were missing licenses got the header added, using the current year as the license date. * Introduce lint-license and fix-license make targets * Ignore generated files * Add license to go files * Replace irregular licenses with standard copyright/license * Add license to proto files * Install addlicense in build.assets Dockerfile 2021-08-30 16:44:09 +00:00			`// Copyright 2021 Gravitational, Inc`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`package main`

			`import "fmt"`

Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`func buildboxPipelineSteps() []step {`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`steps := []step{`
			`{`
			`Name: "Check out code",`
			`Image: "docker:git",`
			`Commands: []string{`
			`git clone --depth 1 --single-branch --branch ${DRONE_SOURCE_BRANCH:-master} https://github.com/gravitational/${DRONE_REPO_NAME}.git .`,
			`git checkout ${DRONE_COMMIT}`,
			`},`
			`},`
			`waitForDockerStep(),`
Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{`
			`awsRoleSettings: awsRoleSettings{`
			`awsAccessKeyID: value{fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_KEY"},`
			`awsSecretAccessKey: value{fromSecret: "STAGING_BUILDBOX_DRONE_USER_ECR_SECRET"},`
			`role: value{fromSecret: "STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE"},`
			`},`
			`configVolume: volumeRefAwsConfig,`
			`name: "Configure Staging AWS Profile",`
			`profile: "staging",`
			`}),`
			`kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{`
			`awsRoleSettings: awsRoleSettings{`
			`awsAccessKeyID: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY"},`
			`awsSecretAccessKey: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET"},`
			`role: value{fromSecret: "PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE"},`
			`},`
			`configVolume: volumeRefAwsConfig,`
			`name: "Configure Production AWS Profile",`
			`append: true,`
			`profile: "production",`
			`}),`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`}`

Update buildbox to push to ECR (#15058) 2022-08-16 21:07:07 +00:00			`for _, name := range []string{"buildbox", "buildbox-arm", "buildbox-centos7"} {`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`for _, fips := range []bool{false, true} {`
			`// FIPS is unsupported on ARM/ARM64`
			`if name == "buildbox-arm" && fips {`
			`continue`
			`}`
Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`steps = append(steps, buildboxPipelineStep(name, fips))`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`}`
			`}`
			`return steps`
			`}`

Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`func buildboxPipelineStep(buildboxName string, fips bool) step {`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`if fips {`
			`buildboxName += "-fips"`
			`}`
Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`return step{`
			`Name: "Build and push " + buildboxName,`
			`Image: "docker",`
Add Docker Hub login to Drone's Kubernetes pipelines (#23956) * Add Docker Hub login to kubernetes pipelines After moving Drone to AWS, we're seeing image pulls get rate limited because they're all coming from the same IP (an AWS NAT gateway). To avoid this, we refactor pipelines to cache/reuse images where possible, as well as add authentication to dockerhub pulls. * Drop dockerVolumes and dockerVolumeRefs We don't actually consistently want these in all places. E.g. parallel pipelines cannot share a volumeRefDockerConfig, as they'll stop on each others login information. * Remove shared docker config from parallel pipelines A shared volume results in the different steps racing against each other. * Remove docker config from relcli steps We don't actually pull from dockerhub in these steps. * Fix typos Co-authored-by: Reed Loden <reed@goteleport.com> Co-authored-by: Walt <walt@goteleport.com> --------- Co-authored-by: Trent Clarke <trent@goteleport.com> Co-authored-by: Reed Loden <reed@goteleport.com> 2023-04-03 00:07:09 +00:00			`Pull: "if-not-exists",`
			`Volumes: []volumeRef{volumeRefAwsConfig, volumeRefDocker, volumeRefDockerConfig},`
Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`Commands: []string{`
			`apk add --no-cache make aws-cli`,
			`chown -R $UID:$GID /go`,
			`// Authenticate to staging registry`
			`aws ecr get-login-password --profile staging --region=us-west-2 \| docker login -u="AWS" --password-stdin ` + StagingRegistry,
			`// Build buildbox image`
			fmt.Sprintf(`make -C build.assets %s`, buildboxName),
			`// Retag for staging registry`
			fmt.Sprintf(`docker tag %s/gravitational/teleport-%s:$BUILDBOX_VERSION %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, ProductionRegistry, buildboxName, StagingRegistry, buildboxName),
			`// Push to staging registry`
			fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA`, StagingRegistry, buildboxName),
			`// Authenticate to production registry`
			`docker logout ` + StagingRegistry,
			`aws ecr-public get-login-password --profile production --region=us-east-1 \| docker login -u="AWS" --password-stdin ` + ProductionRegistry,
			`// Push to production registry`
			fmt.Sprintf(`docker push %s/gravitational/teleport-%s:$BUILDBOX_VERSION`, ProductionRegistry, buildboxName),
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`},`
			`}`
			`}`

			`func buildboxPipeline() pipeline {`
			`p := newKubePipeline("build-buildboxes")`
			`p.Environment = map[string]value{`
Upgrade buildbox to go 1.17.7 & tag as `teleport10` (#10611) Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions. At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master. This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is mad at some point in the future. Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images. 2022-03-01 04:31:46 +00:00			`"BUILDBOX_VERSION": buildboxVersion,`
			`"UID": {raw: "1000"},`
			`"GID": {raw: "1000"},`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`}`
Upgrade buildbox to go 1.17.7 & tag as `teleport10` (#10611) Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions. At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master. This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is mad at some point in the future. Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images. 2022-03-01 04:31:46 +00:00
			`// only on master for now; add the release branch name when forking a new release series.`
			`p.Trigger = pushTriggerForBranch("master", "branch/*")`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`p.Workspace = workspace{Path: "/go/src/github.com/gravitational/teleport"}`
Add Docker Hub login to Drone's Kubernetes pipelines (#23956) * Add Docker Hub login to kubernetes pipelines After moving Drone to AWS, we're seeing image pulls get rate limited because they're all coming from the same IP (an AWS NAT gateway). To avoid this, we refactor pipelines to cache/reuse images where possible, as well as add authentication to dockerhub pulls. * Drop dockerVolumes and dockerVolumeRefs We don't actually consistently want these in all places. E.g. parallel pipelines cannot share a volumeRefDockerConfig, as they'll stop on each others login information. * Remove shared docker config from parallel pipelines A shared volume results in the different steps racing against each other. * Remove docker config from relcli steps We don't actually pull from dockerhub in these steps. * Fix typos Co-authored-by: Reed Loden <reed@goteleport.com> Co-authored-by: Walt <walt@goteleport.com> --------- Co-authored-by: Trent Clarke <trent@goteleport.com> Co-authored-by: Reed Loden <reed@goteleport.com> 2023-04-03 00:07:09 +00:00			`p.Volumes = []volume{volumeAwsConfig, volumeDocker, volumeDockerConfig}`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`p.Services = []service{`
			`dockerService(),`
			`}`
Fix build-buildboxes timeouts (#17314) * Refactor build-buildboxes to uses multiple profiles This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline. Fixes https://github.com/gravitational/teleport/issues/17310 Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency. 2022-10-12 19:59:41 +00:00			`p.Steps = buildboxPipelineSteps()`
dronegen: add buildboxes (#6197) 2021-03-31 20:41:51 +00:00			`return p`
			`}`