diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 21b8521..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,470 +0,0 @@ ---- -kind: pipeline -name: RPM Build EL7 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL7 - image: centos:7 - commands: - - policy/centos7/scripts/build - -- name: Sign RPM EL7 - image: centos:7 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos7/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL7 - image: centos:7 - commands: - - policy/centos7/scripts/repo-metadata - -- name: Upload RPM EL7 - image: centos:7 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos7/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL7 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos7-noarch.txt - checksum_flatten: true - files: - - "policy/centos7/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag ---- -kind: pipeline -name: RPM Build EL8 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL8 - image: quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/build - -- name: Sign RPM EL8 (dry-run) - image: 
quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM EL8 - image: quay.io/centos/centos:stream8 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos8/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL8 - image: quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/repo-metadata - -- name: Yum Repo Upload RPM EL8 - image: quay.io/centos/centos:stream8 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos8/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL8 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos8-noarch.txt - checksum_flatten: true - files: - - "policy/centos8/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build EL9 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL9 - image: quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/build - -- name: Sign RPM EL9 (dry-run) - image: 
quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM EL9 - image: quay.io/centos/centos:stream9 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos9/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL9 - image: quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/repo-metadata - -- name: Upload RPM EL9 - image: quay.io/centos/centos:stream9 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos9/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL9 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos9-noarch.txt - checksum_flatten: true - files: - - "policy/centos9/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build MicroOS - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM MicroOS - image: opensuse/tumbleweed - commands: - - policy/microos/scripts/build - -- name: Sign RPM MicroOS (dry-run) - image: opensuse/tumbleweed - 
commands: - - policy/microos/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM MicroOS - image: opensuse/tumbleweed - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/microos/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for Microos - image: opensuse/tumbleweed - commands: - - policy/microos/scripts/repo-metadata - -- name: Yum Repo Upload RPM MicroOS - image: opensuse/tumbleweed - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/microos/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM MicroOS - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-microos-noarch.txt - checksum_flatten: true - files: - - "policy/microos/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build Fedora37 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM Fedora37 - image: fedora:37 - commands: - - policy/fedora37/scripts/build - -- name: Sign RPM Fedora37 (dry-run) - image: fedora:37 - commands: - - policy/fedora37/scripts/sign --dry-run - 
when: - event: - - pull_request - -- name: Sign RPM Fedora37 - image: fedora:37 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/fedora37/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for Fedora37 - image: fedora:37 - commands: - - policy/fedora37/scripts/repo-metadata - -- name: Yum Repo Upload Fedora37 - image: fedora:37 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/fedora37/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release Fedora37 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-fedora37-noarch.txt - checksum_flatten: true - files: - - "policy/fedora37/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..157cfe2 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,37 @@ +name: Release + +on: + push: + tags: + - v* + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Go + uses: actions/setup-go@v5 + with: + go-version: 'stable' + + - run: make build + env: + PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} + PRIVATE_KEY_PASS_PHRASE: ${{ secrets.PRIVATE_KEY_PASS_PHRASE }} + TESTING_PRIVATE_KEY: ${{ secrets.TESTING_PRIVATE_KEY }} + TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ secrets.TESTING_PRIVATE_KEY_PASS_PHRASE }} + + - run: make upload + env: + TESTING_AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }} + TESTING_AWS_SECRET_ACCESS_KEY: ${{ secrets.TESTING_AWS_SECRET_ACCESS_KEY }} + TESTING_AWS_S3_BUCKET: ${{ secrets.TESTING_AWS_S3_BUCKET }} + PRODUCTION_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }} + PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }} + PRODUCTION_AWS_S3_BUCKET: ${{ secrets.PRODUCTION_AWS_S3_BUCKET }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..12a7e2e --- /dev/null +++ b/.github/workflows/tests.yml @@ -0,0 +1,22 @@ +name: Tests + +on: + push: + pull_request: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Go + uses: actions/setup-go@v5 + with: + go-version: 'stable' + + - run: make build DRY_RUN=true diff --git a/.gitignore b/.gitignore index 417485f..1002264 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .dapper /dist /.idea +/build diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..411c33c --- /dev/null +++ b/Dockerfile 
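Review bot: Every push of a `v*` tag hands the `build` job both the testing and the production signing keys and AWS credentials (the `env:` blocks of the `make build` and `make upload` steps), and nothing in the workflow restricts which tags or which actors can trigger a production release; putting the job in a GitHub `environment:` with required reviewers or deployment tag rules would gate the production secrets behind a policy instead of a tag pattern. The same job pulls `actions/checkout@v4` and `actions/setup-go@v5` by mutable major tag, and a job that holds production credentials is exactly where a full-length commit pin (`uses: actions/checkout@<full-commit-sha> # v4`) pays off most; tests.yml has the same two `uses:` lines. The two `run:` steps are also unnamed, so a failing job shows only the bare command — `- name: Build and sign RPMs` and `- name: Upload RPMs to S3` would make the log and the required-checks UI readable.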
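Review bot: With `push:` and `pull_request:` both left unrestricted, a pull request opened from a branch inside this repository runs the job twice for every commit (once for the push event, once for the PR event), and only the PR run is the one branch protection will look at; restricting the push trigger, e.g. `push:` followed by `branches: [master]` (or whatever the default branch is — the old Drone config filtered on `refs/head/master`), leaves a single run per commit. The `make build DRY_RUN=true` step is correctly secret-free and consistent with `permissions: contents: read`, so fork PRs can run it; a short comment above the step, `# DRY_RUN signs with a disposable key so no secrets are needed on PRs`, would record why this workflow differs from release.yml.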
@@ -0,0 +1,80 @@ +ARG POLICY + +# This Dockerfile is used to create the appropriate environment +# to build the SELinux policies and package them as RPM for each +# of the target platforms. + +FROM quay.io/centos/centos:centos7 as centos7 +RUN yum install -y \ + createrepo_c \ + epel-release \ + container-selinux \ + selinux-policy-devel \ + yum-utils \ + rpm-build \ + rpm-sign expect + +# Confirm this is needed, move to final if not. +COPY hack/centos7_sign /usr/local/bin/sign + +FROM quay.io/centos/centos:stream8 as centos8 +RUN yum install -y \ + createrepo_c \ + epel-release \ + container-selinux \ + selinux-policy-devel \ + yum-utils \ + rpm-build \ + rpm-sign + +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign + +FROM quay.io/centos/centos:stream9 as centos9 +RUN yum install -y \ + createrepo_c \ + epel-release \ + container-selinux \ + selinux-policy-devel \ + yum-utils \ + rpm-build \ + rpm-sign + +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign + +FROM fedora:37 as fedora37 +RUN dnf install -y \ + createrepo_c \ + container-selinux \ + selinux-policy-devel \ + rpm-build \ + rpm-sign + +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign + +FROM opensuse/tumbleweed as microos +RUN zypper install -y \ + container-selinux \ + selinux-policy-devel \ + rpm-build \ + rpm + +# libglib is required to install createrepo_c in Tumbleweed. +RUN zypper install -y libglib-2_0-0 createrepo_c + +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign + +# Pick base image based on the target policy. +FROM ${POLICY} as final + +WORKDIR /src + +ARG POLICY +COPY policy/${POLICY}/rancher-selinux.spec \ + policy/${POLICY}/rancher.fc \ + policy/${POLICY}/rancher.te \ + hack/build \ + hack/metadata . diff --git a/Makefile b/Makefile index 1ad7a29..8c8603a 100644 --- a/Makefile +++ b/Makefile 
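Review bot: All six base images are pulled by mutable tag (`quay.io/centos/centos:centos7`, `:stream8`, `:stream9`, `fedora:37`, `opensuse/tumbleweed`), so the environment that builds and signs the RPMs is not reproducible and can change underneath a release without any change to this repository; pinning each `FROM` by digest (`FROM fedora:37@sha256:<digest> as fedora37`) and refreshing the digests deliberately is the usual fix for a signing image. Several of these bases (CentOS 7, CentOS Stream 8, Fedora 37) have, as far as I know, reached end of life, so the `yum install` / `dnf install` layers will no longer receive security updates — worth a comment next to each such `FROM` stating why the policy is still built on it. The `# Confirm this is needed, move to final if not.` line above the `hack/centos7_sign` COPY reads as an open question; if it is one, `# TODO: confirm centos7_sign is still required; fold into final stage otherwise` keeps it greppable.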
@@ -1,29 +1,95 @@ -CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts)) -CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts)) -CENTOS9_TARGETS := $(addprefix centos9-,$(shell ls policy/centos9/scripts)) -MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts)) -FEDORA37_TARGETS := $(addprefix fedora37-,$(shell ls policy/fedora37/scripts)) +RUNNER ?= docker +POLICIES = $(shell find policy -mindepth 1 -maxdepth 1 -type d | sort -u | cut -f 2 -d'/') -.dapper: - @echo Downloading dapper - @curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp - @@chmod +x .dapper.tmp - @./.dapper.tmp -v - @mv .dapper.tmp .dapper +# GPG Signing +DRY_RUN ?= false +SIGN_KEY_EMAIL ?= ci@rancher.com +PRIVATE_KEY ?= +PRIVATE_KEY_PASS_PHRASE ?= +TESTING_PRIVATE_KEY ?= +TESTING_PRIVATE_KEY_PASS_PHRASE ?= -$(CENTOS7_TARGETS): .dapper - ./.dapper -f Dockerfile.centos7.dapper $(@:centos7-%=%) +# S3 Upload +TESTING_AWS_ACCESS_KEY_ID ?= +TESTING_AWS_SECRET_ACCESS_KEY ?= +TESTING_AWS_S3_BUCKET ?= +PRODUCTION_AWS_ACCESS_KEY_ID ?= +PRODUCTION_AWS_SECRET_ACCESS_KEY ?= +PRODUCTION_AWS_S3_BUCKET ?= -$(CENTOS8_TARGETS): .dapper - ./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%) +ifeq ($(DRY_RUN),true) + DRY_RUN_SIGN := --dry-run +endif -$(CENTOS9_TARGETS): .dapper - ./.dapper -f Dockerfile.centos9.dapper $(@:centos9-%=%) +SHELL := /bin/bash -$(MICROOS_TARGETS): .dapper - ./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%) +include hack/make/version.mk +include hack/make/tools.mk -$(FEDORA37_TARGETS): .dapper - ./.dapper -f Dockerfile.fedora37.dapper $(@:fedora37-%=%) +.PHONY: build +build: ## build all policies. + $(MAKE) $(addsuffix -build, $(POLICIES)) -.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS) $(FEDORA37_TARGETS) +%-build: version ## build a specific policy. 
+ $(MAKE) $(subst :,/,$*)-build-clean + $(MAKE) $(subst :,/,$*)-build-image + $(MAKE) $(subst :,/,$*)-build-artefacts + $(MAKE) $(subst :,/,$*)-build-sign + $(MAKE) $(subst :,/,$*)-build-metadata + +%-build-image: ## build the container image used to generate a given policy. + $(RUNNER) build --build-arg POLICY=$(subst :,/,$*) \ + -t rancher-selinux:$(subst :,/,$*) -f Dockerfile . + +%-build-clean: ## remove any artefacts related to the building of a policy. + rm -rf $(shell pwd)/build/$(subst :,/,$*) + mkdir -p $(shell pwd)/build/$(subst :,/,$*) + +%-build-artefacts: ## generate artefacts of a given policy. + $(RUNNER) run --rm \ + -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ + -v $(shell pwd)/build/$(subst :,/,$*):/out \ + rancher-selinux:$(subst :,/,$*) ./build $(RPM_VERSION) $(RPM_RELEASE) + +%-build-sign: ## sign the generate rpms of a given policy. + @$(RUNNER) run --rm \ + -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ + -e SIGN_KEY_EMAIL -e RPM_CHANNEL="$(RPM_CHANNEL)" \ + -e TESTING_PRIVATE_KEY_PASS_PHRASE \ + -e TESTING_PRIVATE_KEY \ + -e PRIVATE_KEY -e PRIVATE_KEY_PASS_PHRASE \ + -v $(shell pwd)/build/$(subst :,/,$*):/dist \ + rancher-selinux:$(subst :,/,$*) sign $(DRY_RUN_SIGN) + +%-build-metadata: ## generate repository metadata for a given policy. + $(RUNNER) run --rm \ + -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ + -v $(shell pwd)/build/$(subst :,/,$*):/dist \ + rancher-selinux:$(subst :,/,$*) ./metadata + +upload: $(AWSCLI) version ## uploads all artefacts from each policy into S3. 
+ $(MAKE) $(addsuffix -upload, $(POLICIES)) + +%-upload: + RPM_CHANNEL=$(RPM_CHANNEL) POLICY=$(subst :,/,$*) \ + TESTING_AWS_ACCESS_KEY_ID="$(TESTING_AWS_ACCESS_KEY_ID)" \ + TESTING_AWS_SECRET_ACCESS_KEY="$(TESTING_AWS_SECRET_ACCESS_KEY)" \ + TESTING_AWS_S3_BUCKET="$(TESTING_AWS_S3_BUCKET)" \ + PRODUCTION_AWS_ACCESS_KEY_ID="$(PRODUCTION_AWS_ACCESS_KEY_ID)" \ + PRODUCTION_AWS_SECRET_ACCESS_KEY="$(PRODUCTION_AWS_SECRET_ACCESS_KEY)" \ + PRODUCTION_AWS_S3_BUCKET="$(PRODUCTION_AWS_S3_BUCKET)" \ + ./hack/upload + +version: ## parse and display version. +ifdef VERSION_MSG + @echo $(VERSION_MSG); exit 1 +endif + + @echo Version Information + @echo RPM_VERSION: $(RPM_VERSION) + @echo RPM_RELEASE: $(RPM_RELEASE) + @echo RPM_CHANNEL: $(RPM_CHANNEL) + @echo VERSION: $(VERSION) + +help: ## display Makefile's help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) diff --git a/hack/build b/hack/build new file mode 100755 index 0000000..12ec0e7 --- /dev/null +++ b/hack/build @@ -0,0 +1,36 @@ +#!/bin/bash +set -eoux pipefail + +OUTDIR="${OUTDIR:-/out}" +USER="${USER:-1000}" +GROUP="${GROUP:-1000}" + +function build(){ + local RPM_VERSION=$1 + local RPM_RELEASE=$2 + + make -f /usr/share/selinux/devel/Makefile rancher.pp + + rpmbuild \ + --define "rancher_selinux_version ${RPM_VERSION}" \ + --define "rancher_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${OUTDIR}/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${OUTDIR}" \ + -ba rancher-selinux.spec +} + +function main(){ + build "$1" "$2" + chown -R "${USER}:${GROUP}" "${OUTDIR}/" +} + +if [ "$#" -ne 2 ]; then + echo "usage: $0 " + exit 1 +fi + +main "$1" "$2" 
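Review bot: The `%-upload` recipe is echoed by make before it runs, and because the credential values are expanded inline (`TESTING_AWS_SECRET_ACCESS_KEY="$(TESTING_AWS_SECRET_ACCESS_KEY)"` and the five sibling assignments), every access key and secret is printed verbatim in the build output; the GitHub Actions log masker usually catches values that came from `secrets.*`, but a local `make upload` or any other CI runner prints them in the clear. `%-build-sign` already avoids this by starting with `@` and passing `-e PRIVATE_KEY` without a value, so the upload recipe should do the same: prefix its first line, `@RPM_CHANNEL=$(RPM_CHANNEL) POLICY=$(subst :,/,$*) \`, and preferably add `export TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET` and `export PRODUCTION_AWS_ACCESS_KEY_ID PRODUCTION_AWS_SECRET_ACCESS_KEY PRODUCTION_AWS_S3_BUCKET` next to the `?=` defaults so the inline assignments can be dropped entirely. `%-upload` is also the only pattern rule without a `##` help line, so `make help` will not list it.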
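Review bot: The usage message printed on a wrong argument count, `echo "usage: $0 "`, names neither argument as shown here (if the page stripped angle-bracketed placeholders this may already be fine in the file) and goes to stdout rather than stderr; `echo "usage: $0 RPM_VERSION RPM_RELEASE" >&2` matches the names `build` gives its two positionals. `set -eoux pipefail` enables `-x`, so every `rpmbuild --define` argument is traced into the job log; that is harmless today because this script never sees key material, and a one-line comment, `# -x is acceptable here: this script handles no signing keys or credentials`, would keep it that way when someone extends it.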
diff --git a/hack/centos7_sign b/hack/centos7_sign
new file mode 100755
index 0000000..60e5972
--- /dev/null
+++ b/hack/centos7_sign
@@ -0,0 +1,93 @@ +#!/bin/bash +set -eo pipefail + +PASSPHRASE_VAR="" + +function dryrun() { + export TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) + export PASSPHRASE_VAR=TESTING_PRIVATE_KEY_PASS_PHRASE + + cat <<\EOF >~/.rpmmacros +%_signature gpg +%_gpg_name disposable-ci-test-key +EOF + + gpg --gen-key --batch <(echo "Key-Type: 1"; \ + echo "Key-Length: 2048"; \ + echo "Subkey-Type: 1"; \ + echo "Subkey-Length: 2048"; \ + echo "Expire-Date: 0"; \ + echo "Name-Real: disposable-ci-test-key"; \ + echo "Name-Email: disposable-ci-test-key"; \ + echo "%no-protection"; ) + + sign_rpms +} + +function check_vars() +{ + echo "checking for required vars" + + local required_vars + required_vars=(SIGN_KEY_EMAIL RPM_CHANNEL) + + for var in "${required_vars[@]}"; do + [ -z "${!var}" ] && echo "$var is not set." && var_unset=true + done + + [ -n "${var_unset}" ] && exit 1 + return 0 +} + +function import_key() { + cat <<\EOF >~/.rpmmacros +%_signature gpg +%_gpg_name ci@rancher.com +EOF + + case "${RPM_CHANNEL}" in + "testing") + PASSPHRASE_VAR="TESTING_PRIVATE_KEY_PASS_PHRASE" + KEY_VAR="TESTING_PRIVATE_KEY" + ;; + "production") + PASSPHRASE_VAR="PRIVATE_KEY_PASS_PHRASE" + KEY_VAR="PRIVATE_KEY" + ;; + *) + echo "RPM_CHANNEL ${RPM_CHANNEL} does not match one of: [testing, production]" + exit 1 + ;; + esac + + if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"${!KEY_VAR}"; then + echo "${KEY_VAR} not defined, failing rpm sign" + exit 1 + fi + gpg --import - <<<"${!KEY_VAR}" + echo "Signing keys imported successfully" +} + +function sign_rpms() { + expect < /dev/null; then + echo "${KEY_VAR} not defined, failing rpm sign" + exit 1 + fi + echo "Importing GPG private key ${KEY_VAR}" + gpg --yes --pinentry-mode loopback --batch --passphrase "${!PASSPHRASE_VAR}" --import - <<< "${!KEY_VAR}" + echo "Signing keys imported successfully" +} + +function sign_rpms(){ + gpg --armor --export --output "${SIGN_KEY_EMAIL}" "${SIGN_KEY_EMAIL}" + rpm --import "${SIGN_KEY_EMAIL}" + + echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" + rpmsign --addsign /dist/**/rancher-*.rpm \ + --define "_gpg_name ${SIGN_KEY_EMAIL}" \ + --define "_gpgbin /usr/bin/gpg" \ + --define "__gpg_sign_cmd %{__gpg} gpg \ + --batch \ + --no-armor \ + --pinentry-mode loopback \ + --passphrase ${!PASSPHRASE_VAR} \ + -u %{_gpg_name} \ + -sbo %{__signature_filename} \ + --digest-algo sha256 %{__plaintext_filename}" +} + +function verify_signatures(){ + echo "Verifying RPMs signatures" + rpm --checksig --verbose /dist/**/rancher-*.rpm +} + +function main (){ + check_vars + check_channel + sign_rpms + verify_signatures +} + +if [[ "$1" == "--dry-run" ]]; then + dryrun +else + main +fi diff --git a/hack/upload b/hack/upload new file mode 100755 index 0000000..6a0b8de --- /dev/null +++ b/hack/upload 
@@ -0,0 +1,88 @@ +#!/bin/bash +set -eo pipefail + +declare AWS_S3_BUCKET_VAR + +TOOLS_BIN="${TOOLS_BIN:-build/tools}" +AWS_BIN="${TOOLS_BIN}/aws/dist/aws" + +function check_vars() +{ + echo "checking for required vars" + + local required_vars + required_vars=(RPM_CHANNEL POLICY) + + for var in "${required_vars[@]}"; do + [ -z "${!var}" ] && echo "$var is not set." && var_unset=true + done + + [ -n "${var_unset}" ] && exit 1 + return 0 +} + +function aws_auth() +{ + case "${RPM_CHANNEL}" in + "testing") + export AWS_ACCESS_KEY_ID="${TESTING_AWS_ACCESS_KEY_ID}" + export AWS_SECRET_ACCESS_KEY="${TESTING_AWS_SECRET_ACCESS_KEY}" + export AWS_S3_BUCKET_VAR=TESTING_AWS_S3_BUCKET + ;; + "production") + export AWS_ACCESS_KEY_ID="${PRODUCTION_AWS_ACCESS_KEY_ID}" + export AWS_SECRET_ACCESS_KEY="${PRODUCTION_AWS_SECRET_ACCESS_KEY}" + export AWS_S3_BUCKET_VAR=PRODUCTION_AWS_S3_BUCKET + ;; + *) + echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" + exit 1 + ;; + esac + + required_vars=("${AWS_S3_BUCKET_VAR}" AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY) + for var in "${required_vars[@]}"; do + [ -z "${!var}" ] && echo "$var is not set." 
&& var_unset=true + done + + [ -n "${var_unset}" ] && echo "failing rpm upload" && exit 1 + return 0 +} + +function upload_artefacts() +{ + case "${POLICY}" in + "centos7") + S3_POLICY_DIR="centos/7" + ;; + "centos8") + S3_POLICY_DIR="centos/8" + ;; + "centos9") + S3_POLICY_DIR="centos/9" + ;; + "fedora37") + S3_POLICY_DIR="fedora/37" + ;; + "microos") + S3_POLICY_DIR="microos" + ;; + *) + echo "unsupported policy: ${POLICY}" + exit 1 + ;; + esac + + echo "Uploading RPMs packages and repo metadata files" + "${AWS_BIN}" s3 cp "build/${POLICY}/noarch/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/noarch/" --recursive + "${AWS_BIN}" s3 cp "build/${POLICY}/source/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/source/" --recursive +} + +function main() +{ + check_vars + aws_auth + upload_artefacts +} + +main diff --git a/policy/centos7/scripts/build b/policy/centos7/scripts/build deleted file mode 100755 index 4ebb6f7..0000000 --- a/policy/centos7/scripts/build +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y epel-release -yum install -y container-selinux selinux-policy-devel yum-utils rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec diff --git a/policy/centos7/scripts/entry b/policy/centos7/scripts/entry deleted file mode 100755 index dca70b3..0000000 --- a/policy/centos7/scripts/entry +++ /dev/null 
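Review bot: `upload_artefacts` maps policies to S3 prefixes with a hard-coded `case` (`centos7` through `microos`) that exits with `unsupported policy`, whereas the Makefile discovers policies by listing the `policy/` directory, so a newly added `policy/<name>` directory will build and sign cleanly and then abort partway through `make upload`, after the policies earlier in the loop have already been pushed to the bucket. Either validate `POLICY` against the known set before the first `aws s3 cp` is reached by any policy, or derive the prefix from a small file in each policy directory, and document the coupling above the `case`: `# Keep in sync with the directories under policy/; an unknown policy aborts the upload.`. Separately, `s3 cp --recursive` publishes everything under `build/${POLICY}/noarch/` and `source/`, including anything else the build container happens to leave in `/out`; an explicit filter such as `--exclude "*" --include "*.rpm" --include "repodata/*"` (if the metadata step writes `repodata` there) would make the published set deliberate.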
@@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/centos7/scripts/"$1" ]; then - ./policy/centos7/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff --git a/policy/centos7/scripts/repo-metadata b/policy/centos7/scripts/repo-metadata deleted file mode 100755 index 79f8d45..0000000 --- a/policy/centos7/scripts/repo-metadata +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done - diff --git a/policy/centos7/scripts/sign b/policy/centos7/scripts/sign deleted file mode 100755 index 8453718..0000000 --- a/policy/centos7/scripts/sign +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/bin/bash -set -e -x - -yum install -y rpm-sign expect - -cd $(dirname $0)/.. -. ./scripts/version - -cat <<\EOF >~/.rpmmacros -%_signature gpg -%_gpg_name ci@rancher.com -EOF - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - gpg --import - <<<"$TESTING_PRIVATE_KEY" - ;; - "production") - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - gpg --import - <<<"$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -expect < /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_EL7_S3_PATH="rancher/$RPM_CHANNEL/centos/7/noarch" -TARGET_EL7_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/centos/7/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z 
"$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -aws s3 cp dist/noarch s3://"$AWS_S3_BUCKET"/"$TARGET_EL7_S3_PATH"/ --recursive -aws s3 cp dist/source s3://"$AWS_S3_BUCKET"/"$TARGET_EL7_SOURCE_S3_PATH"/ --recursive - diff --git a/policy/centos7/scripts/version b/policy/centos7/scripts/version deleted file mode 100755 index 018c1f0..0000000 --- a/policy/centos7/scripts/version +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - 
diff --git a/policy/centos8/scripts/build b/policy/centos8/scripts/build deleted file mode 100755 index ce2cc30..0000000 --- a/policy/centos8/scripts/build +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y epel-release -yum install -y container-selinux selinux-policy-devel yum-utils rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec - diff --git a/policy/centos8/scripts/entry b/policy/centos8/scripts/entry deleted file mode 100755 index cdc8005..0000000 --- a/policy/centos8/scripts/entry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/centos8/scripts/"$1" ]; then - ./policy/centos8/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff --git a/policy/centos8/scripts/repo-metadata b/policy/centos8/scripts/repo-metadata deleted file mode 100755 index 79f8d45..0000000 --- a/policy/centos8/scripts/repo-metadata +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done - diff --git a/policy/centos8/scripts/sign b/policy/centos8/scripts/sign deleted file mode 100755 index 2cf8568..0000000 --- a/policy/centos8/scripts/sign +++ /dev/null 
@@ -1,71 +0,0 @@
-#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -yum install -y rpm-sign - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm -
diff --git a/policy/centos8/scripts/upload-repo b/policy/centos8/scripts/upload-repo
deleted file mode 100755
index 115186a..0000000
--- a/policy/centos8/scripts/upload-repo
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -yum install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_EL8_S3_PATH="rancher/$RPM_CHANNEL/centos/8/noarch" -TARGET_EL8_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/centos/8/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL8_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL8_SOURCE_S3_PATH"/ 
--recursive -
diff --git a/policy/centos8/scripts/version b/policy/centos8/scripts/version
deleted file mode 100755
index 1fadf40..0000000
--- a/policy/centos8/scripts/version
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac 
diff --git a/policy/centos9/scripts/build b/policy/centos9/scripts/build
deleted file mode 100755
index ce2cc30..0000000
--- a/policy/centos9/scripts/build
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y epel-release -yum install -y container-selinux selinux-policy-devel yum-utils rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec -
diff --git a/policy/centos9/scripts/entry b/policy/centos9/scripts/entry
deleted file mode 100755
index 4e7c7fd..0000000
--- a/policy/centos9/scripts/entry
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -set -ex - -if [ -e ./policy/centos9/scripts/"$1" ]; then - ./policy/centos9/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi
diff --git a/policy/centos9/scripts/repo-metadata b/policy/centos9/scripts/repo-metadata
deleted file mode 100755
index 79f8d45..0000000
--- a/policy/centos9/scripts/repo-metadata
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done -
diff --git a/policy/centos9/scripts/sign b/policy/centos9/scripts/sign
deleted file mode 100755
index 2cf8568..0000000
--- a/policy/centos9/scripts/sign
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -yum install -y rpm-sign - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm -
diff --git a/policy/centos9/scripts/upload-repo b/policy/centos9/scripts/upload-repo
deleted file mode 100755
index 74d08e0..0000000
--- a/policy/centos9/scripts/upload-repo
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -yum install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_EL9_S3_PATH="rancher/$RPM_CHANNEL/centos/9/noarch" -TARGET_EL9_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/centos/9/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL9_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL9_SOURCE_S3_PATH"/ 
--recursive -
diff --git a/policy/centos9/scripts/version b/policy/centos9/scripts/version
deleted file mode 100755
index 1fadf40..0000000
--- a/policy/centos9/scripts/version
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac 
diff --git a/policy/fedora37/scripts/build b/policy/fedora37/scripts/build
deleted file mode 100755
index 8e6bbd5..0000000
--- a/policy/fedora37/scripts/build
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -dnf -y install container-selinux selinux-policy-devel rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec
diff --git a/policy/fedora37/scripts/entry b/policy/fedora37/scripts/entry
deleted file mode 100755
index b4972bd..0000000
--- a/policy/fedora37/scripts/entry
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -set -ex - -if [ -e ./policy/fedora37/scripts/"$1" ]; then - ./policy/fedora37/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi
diff --git a/policy/fedora37/scripts/repo-metadata b/policy/fedora37/scripts/repo-metadata
deleted file mode 100755
index f5f400e..0000000
--- a/policy/fedora37/scripts/repo-metadata
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -dnf install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done
diff --git a/policy/fedora37/scripts/sign b/policy/fedora37/scripts/sign
deleted file mode 100755
index 33db6cb..0000000
--- a/policy/fedora37/scripts/sign
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -dnf install -y rpm-sign - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm
\ No newline at end of file
diff --git a/policy/fedora37/scripts/upload-repo b/policy/fedora37/scripts/upload-repo
deleted file mode 100755
index 2e8a90b..0000000
--- a/policy/fedora37/scripts/upload-repo
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -dnf install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_FC37_S3_PATH="rancher/$RPM_CHANNEL/fedora/37/noarch" -TARGET_FC37_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/fedora/37/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_FC37_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_FC37_SOURCE_S3_PATH"/ 
--recursive
\ No newline at end of file
diff --git a/policy/fedora37/scripts/version b/policy/fedora37/scripts/version
deleted file mode 100755
index 7b9ff71..0000000
--- a/policy/fedora37/scripts/version
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac 
diff --git a/policy/microos/scripts/build b/policy/microos/scripts/build
deleted file mode 100755
index 88c4716..0000000
--- a/policy/microos/scripts/build
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -zypper install -y container-selinux selinux-policy-devel rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec
diff --git a/policy/microos/scripts/entry b/policy/microos/scripts/entry
deleted file mode 100755
index 6fad799..0000000
--- a/policy/microos/scripts/entry
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -set -ex - -if [ -e ./policy/microos/scripts/"$1" ]; then - ./policy/microos/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi
diff --git a/policy/microos/scripts/repo-metadata b/policy/microos/scripts/repo-metadata
deleted file mode 100755
index c92ddc9..0000000
--- a/policy/microos/scripts/repo-metadata
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -zypper install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done -
diff --git a/policy/microos/scripts/sign b/policy/microos/scripts/sign
deleted file mode 100755
index f3225da..0000000
--- a/policy/microos/scripts/sign
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -zypper install -y rpm - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm -
diff --git a/policy/microos/scripts/upload-repo b/policy/microos/scripts/upload-repo
deleted file mode 100755
index 7e43466..0000000
--- a/policy/microos/scripts/upload-repo
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -zypper install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_SLE_S3_PATH="rancher/$RPM_CHANNEL/microos/noarch" -TARGET_SLE_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/microos/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_SLE_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_SLE_SOURCE_S3_PATH"/ 
--recursive -
diff --git a/policy/microos/scripts/version b/policy/microos/scripts/version
deleted file mode 100755
index 1fadf40..0000000
--- a/policy/microos/scripts/version
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac