11 commits

Author SHA1 Message Date
Walt 6ef118636f
Remove further unused fips infrastructure (#27900)
* Remove Dockerfile-arm-fips

We don't build fips for arm, as documented in
https://github.com/gravitational/teleport/issues/10581.

* Stop building buildbox-fips

We do not use this buildbox for anything. This step is failing because
the supporting infrastructure for buildbox-fips was removed in
https://github.com/gravitational/teleport/pull/26859.

* Fix fips buildbox

BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS.
Unfortunately I missed updating this target in #26859.
This subsequently broke e CI.
2023-06-20 15:21:19 +00:00
Walt 99bebe27e2
Add Docker Hub login to Drone's Kubernetes pipelines (#23956)
* Add Docker Hub login to kubernetes pipelines

After moving Drone to AWS, we're seeing image pulls get rate limited
because they're all coming from the same IP (an AWS NAT gateway).

To avoid this, we refactor pipelines to cache/reuse images where
possible, as well as add authentication to dockerhub pulls.

* Drop dockerVolumes and dockerVolumeRefs

We don't actually consistently want these in all places.  E.g. parallel
pipelines cannot share a volumeRefDockerConfig, as they'll stomp on each
other's login information.

* Remove shared docker config from parallel pipelines

A shared volume results in the different steps racing against each
other.

* Remove docker config from relcli steps

We don't actually pull from dockerhub in these steps.

* Fix typos

Co-authored-by: Reed Loden <reed@goteleport.com>
Co-authored-by: Walt <walt@goteleport.com>

---------

Co-authored-by: Trent Clarke <trent@goteleport.com>
Co-authored-by: Reed Loden <reed@goteleport.com>
2023-04-03 00:07:09 +00:00
Walt 07cc588735
Fix build-buildboxes timeouts (#17314)
* Refactor build-buildboxes to use multiple profiles

This greatly reduces the number of steps in the pipeline, allowing drone-runner-kube to successfully schedule the pipeline.

Fixes https://github.com/gravitational/teleport/issues/17310

Furthermore, I also updated un-dronegen'ed pipelines to have the same syntax as dronegen'd ones, which is nice for consistency.
2022-10-12 19:59:41 +00:00
Walt e6e870932e
Add AWS Roles to Drone pipelines (#17274)
This is a follow-up to #17201 that fixes the buildbox pipeline error seen here:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action

Contributes to gravitational/SecOps#213.
2022-10-11 18:45:04 +00:00
Walt acbf575230
Refactor Drone Pipelines to use AWS role assumption (#17201)
This PR updates our various Drone pipelines to use AWS roles for publishing.

Our AWS FTR requires that we do not use any long lived credentials in our AWS accounts and instead use roles. This means we need to move from attaching policies directly to users to attaching policies to roles and having policyless users assume those roles.

https://aws.amazon.com/partners/foundational-technical-review/

Contributes to https://github.com/gravitational/SecOps/issues/213
2022-10-10 20:32:43 +00:00
Logan Davis 76606fc18b
Update buildbox to push to ECR (#15058)
2022-08-16 21:07:07 +00:00
Trent Clarke 3beb29832f
Upgrade buildbox to go 1.17.7 & tag as teleport10 (#10611)
Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions.

At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master.

This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is made at some point in the future.

Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images.
2022-03-01 15:31:46 +11:00
Walt f1fe4b6fe7
Remove drone step to publish centos6 buildbox (#10432)
This is some cleanup that was missed in
https://github.com/gravitational/teleport/pull/10314, and has been
causing push builds to fail with:

  make: *** No rule to make target 'buildbox-centos6'.  Stop.
2022-02-18 19:01:21 +00:00
Alan Parra dba49bfad6
Lint and fix missing license headers (#8075)
Introduce new make targets to check and add license headers to files
("make lint-license" and "make fix-license"). License checking is now a part of
"make lint" as well.

Initial attempts used goheader, but it caused "make lint-go" to become about 9x
slower (if not more), plus it only targets go files. Google's addlicense is fast
enough and targets however many file types we want.

Existing files that were missing licenses got the header added, using the
current year as the license date.

* Introduce lint-license and fix-license make targets
* Ignore generated files
* Add license to go files
* Replace irregular licenses with standard copyright/license
* Add license to proto files
* Install addlicense in build.assets Dockerfile
2021-08-30 09:44:09 -07:00
Gus Luxton 09bab5cdfc
drone: Disable CentOS 6 FIPS builds for Teleport 7.0+ (#7408)
2021-06-25 12:23:24 -07:00
Gus Luxton 6a43a92b0b
dronegen: add buildboxes (#6197)
2021-03-31 13:41:51 -07:00