* Added multiarch build support for teleport oss, ent, and fips
* Exported image/imageTag types
* Resigned dronegen
* Removed remainder of testing changes
* Removed changes to submodules
* Reverted dockerfile-fips change
* FIxed docs wording
* Un-exported most constants
* Removed teleport.e makefile deb call
* Moved "sed | cut magic" to files
* Re-added `mkdir -pv /go/cache` to push.go
* Command deterministic order fix
* Added staging-only tag pipeline
* Moved PR to teleport operator to minimize potential issue impact
* Updated promote to pull and push without build
* Made cron triggers not affect canonical tags
* Added check for pre-existing tags on immutable CRs
* Added immutability check to manifests
* Updated staging ecr to only apply $TIMESTAMP tag on cron triggers
* Updated triggerinfo struct to use a triggerflag struct
* Fixed makefile after git mistake
* Makefile fix
* PR fixes
* Moved internal tools Go version to constant
* Separated container images gofile into multiple files
* Moved testing comment
* Added licenses
* Reorganized and added docs for container images
* Moved const to correct file
* Tag trigger logic test
* Testing specific fix
* Moved testing to v10.3.2
* Make semver dirs
* Refactored local registry name/socket
* Merged previous dockerfile changes
* Added TARGETOS TARGETARCH args
* Updatd tag to testing tag
* Promotion logic test
* Promotion fixes
* Testing specific fix
* Removed prerelease check for testing
* Added staging login commands to promote
* Fixed missing credentials on promotion pull
* Rerun tag test with new "full" semver
* Made staging builds only publish full semver
* Added semver logging command
* Empty commit to trigger Drone
* Promotion test
* Fixed preceeding v on promote pull
* Empty commit to trigger Drone
* Re-enabled verify not prerelease step on promote
* Cron trigger test
* Testing fix
* Testing fix 2
* Added sleep timer on docker buildx build
* Testing cleanup
* Refactor build-buildboxes to uses multiple profiles
This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline.
Fixes https://github.com/gravitational/teleport/issues/17310
Furthermore, I also updated un-dronegen'ed pipelines to have same syntax as dronegen'd ones, which is nice for consistency.
Previously, "${ARTIFACT_PATH}" was interpreted as Drone variable
subsitution, resulting in "rm -rf ${ARTIFACT_PATH}/*" becoming
"rm -rf /*", which deleted credentials on the filesystem.
* add windows submodule support for connect builds
* added connect enterprise support to mac builds
* update submodule command
* removed ability to fail webapps.e and recursive
* dronegen
This is follow up to #17201, that fixes the buildbox pipeline error seen here:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action
Contributes to gravitational/SecOps#213.
This PR updates our various Drone pipelines to use AWS roles for publishing.
Our AWS FTR requires that we do not use any long lived credentials in our AWS accounts and instead use roles. This means we need to move from attaching policies directly to users to attaching policies to roles and having policyless users assume those roles.
https://aws.amazon.com/partners/foundational-technical-review/
Contributes to https://github.com/gravitational/SecOps/issues/213
Without this any tag that isn't part of the history on master will fail
to successfully promote. This breaks most dev builds, which don't end
up as part of master or a release branch.
Without these changes, the promote step will always fail because of a
mismatch between where the repo is cloned and where it is referenced:
/go/src/.../teleport.git
vs
/go/src/.../teleport
(cherry picked from commit b209b98f0d)
* Port publish-rlz pipeline to dronegen
* Add artifact cleanup pipeline on tag, "before-all"
* Bump relcli in all pipelines
* Add missing license header
* Refactoring to relcli steps per code review
Only functionally-equivalent changes, .drone.yml identical to previous
* Factor out relcli pipeline
* Use docker:cli to pull relcli
* Add "wait for docker" to relcli pipelines
* Add piv build dependencies.
- Add LIBPCSCLITE build tag.
- Add libpcsclite static linking using gravitational/pcsc fork.
- Enable use of dynamic pcsc library with LIBPCSCLITE=dynamic.
- Refactor CGOFLAG in Makefile.
- Update Centos7 Dockerfile and drone.
* Refactor RELEASE_MESSAGE for readability. Now produces message like: "RELEASE_MESSAGE=Building with GOOS=linux GOARCH=amd64 REPRODUCIBLE= and with PIV support and without PAM support, FIPS support, BPF support, Windows RDP client, libfido2, Touch ID."
Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>
Update metalinter, fix a few lint warnings and replace deprecated linters.
`deadcode`, `structcheck` and `varcheck` are abandoned and now replaced by [`unused`][1].
Since 1.19, `go fmt` reformats godocs according to https://go.dev/doc/comment. I've done a bulk-reformatting of the codebase to keep the linter happy. Backporting is mostly harmless (the exception being `lib/services/role_test.go`, that for some reason breaks the _old_ linter using the new format).
[1]: https://golangci-lint.run/usage/linters/
* Bump golangci-lint version
* Replace abandoned linters
* Fix bodyclose on lib/auth/github.com
* Fix bodyclose on lib/kube/proxy/streamproto/proto_test.go
* Fix bodyclose on lib/srv/alpnproxy/proxy_test.go
* Fix bodyclose on lib/web/conn_upgrade_test.go
* Silence staticcheck on lib/kube/proxy/forwarder_test.go
* Silence staticcheck on lib/utils/certs_test.go
* Address BuildNameToCertificate deprecation warnings
* Run `go fmt ./...`
* Run `go fmt ./...` on api/
* Ignore formatting in role_test.go
* Remove redundant initializers in lib/srv/uacc/
* Update e/
WARNING: Due to issues with the windows drone executor's poor escaping when it echoes commands, I have moved the error message functionality into the PS build functions in build.assets/windows/build.ps1. This means that any failures that occur during the code checkout step will not be reported.
I'm not sure that this is the correct tradeoff, but it may well suffice for now.
Uses Drone to build Teleport Connect for Windows on a Native
Windows builder.
This PR adds 2 pipelines to the Drone YAML:
1. `push-build-native-windows-amd64`: Invoked on a push to master,
branch/v*, etc., and asserts that Teleport Connect can be built, and
2. `build-native-windows-amd64`: Invoked when a branch tag is
committed to the teleport Repo. Builds Teleport Connect and uploads
it to dronestorage
These builds are run on a native windows builder (as opposed to tsh,
which is built in a linux environment and cross-compiled for Windows)
* Add proof of concept of Connect pipeline
The proof of concept includes a lot of copy-pasted lines which will get
cleared up in subsequent commits.
* Extract copying artifacts into separate functions
The tag pipeline no longer needs to worry about Connect artifacts.
* Reuse steps to install & cleanup toolchains
* Share toolchain configuration commands between pipelines
* Share build commands among different pipelines
* Download webapps only if a pipeline builds Connect
As seen by the changes to .drone.yml, this removes unnecessary webapps
clones from these tag pipelines: build-darwin-amd64, build-darwin-amd64-pkg,
build-darwin-amd64-pkg-tsh. None of them needs webapps to function anymore
and the pkg pipelines never needed webapps in the first place.
In order to do so, we add a new make target:
make teleterm
This (temporarily) assumes that the gravitational/webapps repo is
cloned at the right version as a sibling to the teleport repo.
(We'll be able to get rid of this when we merge webapps into Teleport)
Additionally, update dronegen to include the name of the calling
function that generated the snippet instead of the line number.
This gets rid of lots of superfluous diffs in the generated
.drone.yml file.
Lastly, rewrite the Go program for getting the right webapps version
in bash, because Go is not available at this step of the drone pipeline.
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Code signing is failing on Darwin builds, and the most likely candidate is a locked keychain at build time.
This patch adds an explicit keychain unlock immediately prior to signing in order make sure the signing keys are available.
Switch from `make release-amd64` to make release-windows in Drone builds, making
release builds similar to "regular" builds (that already use
`make release-windows-unsigned`).
Fixes current woes caused by FIDO2=yes in Windows release builds. (Note that
ARCH is implied by the build.)
* Use `make release-windows` on Drone, make it similar to `make release`
* Update .drone.yaml
`$WORKSPACE_DIR/go/.version.txt` is available only in tag pipelines, so
we can't read it in pipelines that run on pushes to master.
Instead, let's always use `make print-version`. It'll return the correct
value no matter what pipeline is used.
This commit updates drone to build Teleport Connect by:
* cloning `gravitational/webapps` as a sibling directory to
gravitational/teleport
* checkout out the right version of webapps by running a simple
Go program (this step is only necessary until we move webapps
into the teleport repo)
* Running the Teleport Connect build and copying artifacts
Code signing should run on tag builds automatically as part the
electron build, assuming the Apple Account credentials are
properly loaded into the keychain.
Notarization will also happen automatically if both
`$APPLE_USERNAME` and `$APPLE_PASSWORD` are set.
In order to make the above happen, this patch also includes:
* Installing and removing a per-build Node instance in the
toolchain directory on Darwin
* Moving the toolchain temporary directory out of ~/ and into /tmp.
Drone usually sets `$HOME` to a temporary directory for each build,
but unfortunately we need it to point to the actual build user's
home directory in order for the notarisation tooling to find the
right keychain. Having $HOME point to a long-lived directory risks
both pollution from build detritus and builds stomping on one another.
In an in an attempt to isolate the builds from each other and protect
`~build` as best we can, as much of the build state as possible
(including ephemeral toolchains) has been moved under `/tmp`.
Co-authored-by: Trent Clarke <trent@goteleport.com>
Add a script to build libfido2 (and its dependencies) on macOS and enable FIDO2
static builds.
I decided to build all dependencies instead of pulling from Homebrew for a few
reasons:
1. There is no libcbor.a in a brew package
2. This captures library versions within the Teleport source code, allowing us
to build binaries against different versions of libfido2 (and its
dependencies).
I've also bumped libfido2 to 1.11.0. I've been running it locally and we are
still pre-release, so it seems like a good time to do it.
(See https://developers.yubico.com/libfido2/Release_Notes.html.)
#9160
* Build libfido2 and dependencies for macOS
* Build tsh with static fido2 on Drone
* Bump libfido2 versions in all builds
* Attempt to appease linters
* Use temp dirs inside LIB_CACHE
* Move LIB_CACHE outside of HOME
HOME is reassigned in macOS builders, but we want a "stable" cache
directory. /tmp is used by build-package.sh and build-pkg-tsh.sh.
* Rename script to build-fido2-macos.sh
* Regenerate Drone files
Add the TOUCHID=yes Makefile toggle and enable it on Drone.
Complements #12751.
#9160
* Enable touchid builds on Drone
* Update Drone URL in error message
* Run `make dronegen`
Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions.
At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master.
This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is mad at some point in the future.
Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images.