Add buildomat jobs for select images
It's useful to have some images that have gone through a `permslip sign`. Do so in a very limited fashion.
Showing
5 changed files
with
198 additions
and
0 deletions.
@@ -0,0 +1,26 @@ | ||
#!/usr/bin/env bash | ||
# | ||
# The token authentication mechanism that affords us access to other private | ||
# repositories requires that we use HTTPS URLs for GitHub, rather than SSH. | ||
# | ||
override_urls=( | ||
'git://github.com/' | ||
'[email protected]:' | ||
'ssh://github.com/' | ||
'ssh://[email protected]/' | ||
'git+ssh://[email protected]/' | ||
) | ||
for (( i = 0; i < ${#override_urls[@]}; i++ )); do | ||
git config --add --global url.https://github.com/.insteadOf \ | ||
"${override_urls[$i]}" | ||
done | ||
|
||
# | ||
# Require that cargo use the git CLI instead of the built-in support. This | ||
# achieves two things: first, SSH URLs should be transformed on fetch without | ||
# requiring Cargo.toml rewriting, which is especially difficult in transitive | ||
# dependencies; second, Cargo does not seem willing on its own to look in | ||
# ~/.netrc and find the temporary token that buildomat generates for our job, | ||
# so we must use git which uses curl. | ||
# | ||
export CARGO_NET_GIT_FETCH_WITH_CLI=true |
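Review bot: The header comment does not say that this file has to be sourced, and the `#!/usr/bin/env bash` shebang suggests it can be executed; run that way, the final `export CARGO_NET_GIT_FETCH_WITH_CLI=true` never reaches the job's shell and cargo would use its built-in git support instead of the CLI. I would add `# NOTE: source this file; executing it loses the export at the bottom.` to the header. As a style point, the index loop reads more simply as `for url in "${override_urls[@]}"; do`. Note also that `git config --add --global` appends a new `insteadOf` entry on every run, which is harmless on a fresh CI worker but accumulates duplicates anywhere the file is sourced repeatedly.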
@@ -0,0 +1,39 @@ | ||
#!/bin/bash | ||
#: | ||
#: name = "build rot" | ||
#: variety = "basic" | ||
#: target = "ubuntu-22.04" | ||
#: rust_toolchain = true | ||
#: output_rules = [ | ||
#: "=/work/*.zip", | ||
#: ] | ||
#: access_repos = [ | ||
#: "oxidecomputer/permission-slip", | ||
#: "oxidecomputer/dogbuild", | ||
#: ] | ||
#: | ||
|
||
set -o errexit | ||
set -o pipefail | ||
set -o xtrace | ||
|
||
_cleanup () { | ||
kill $(jobs -p) | ||
} | ||
|
||
trap _cleanup SIGINT SIGTERM EXIT | ||
|
||
source .github/buildomat/force-git-over-https.sh | ||
source .github/buildomat/permslip-setup.sh | ||
|
||
|
||
cargo xtask dist app/oxide-rot-1/app-dev.toml | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \ | ||
sign "UNTRUSTED bart" \ | ||
target/oxide-rot-1-selfsigned/dist/a/build-oxide-rot-1-selfsigned-image-a.zip \ | ||
--version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-a.zip | ||
|
||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \ | ||
sign "UNTRUSTED bart" \ | ||
target/oxide-rot-1-selfsigned/dist/b/build-oxide-rot-1-selfsigned-image-b.zip \ | ||
--version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-b.zip |
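Review bot: `_cleanup` runs `kill $(jobs -p)` unguarded and is registered for SIGINT, SIGTERM and EXIT at once. When no background job is left, `kill` is invoked with no arguments and fails, which under `errexit` may replace the script's real exit status; and because the handler does not exit, a SIGINT or SIGTERM kills the server started by the sourced setup script and then lets the job continue to the next `sign` call. Suggest `_cleanup () { local pids; pids=$(jobs -p); [[ -z "$pids" ]] || kill $pids; }` with `trap _cleanup EXIT` and `trap 'exit 1' SIGINT SIGTERM`. The identical `_cleanup`/`trap` lines in the "build sp" job have the same problem.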
@@ -0,0 +1,37 @@ | ||
#!/bin/bash | ||
#: | ||
#: name = "build sp" | ||
#: variety = "basic" | ||
#: target = "ubuntu-22.04" | ||
#: rust_toolchain = true | ||
#: output_rules = [ | ||
#: "=/work/*.zip", | ||
#: ] | ||
#: access_repos = [ | ||
#: "oxidecomputer/permission-slip", | ||
#: "oxidecomputer/dogbuild", | ||
#: ] | ||
#: | ||
|
||
set -o errexit | ||
set -o pipefail | ||
set -o xtrace | ||
|
||
_cleanup () { | ||
kill $(jobs -p) | ||
} | ||
|
||
trap _cleanup SIGINT SIGTERM EXIT | ||
|
||
source .github/buildomat/force-git-over-https.sh | ||
source .github/buildomat/permslip-setup.sh | ||
|
||
|
||
while read -r line; do | ||
name=`echo $line | cut -d ' ' -f 1` | ||
toml=`echo $line | cut -d ' ' -f 2` | ||
cargo xtask dist $toml | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" \ | ||
target/$name/dist/default/build-$name-image-default.zip \ | ||
--version 0.0.0-ci > /work/$name.zip | ||
done < .github/buildomat/sp_build_list |
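Review bot: The loop body inherits the build list as stdin, so any command inside it that reads stdin (`cargo xtask dist` or `permslip sign`, should either ever prompt) would silently swallow the remaining entries and the job would finish with fewer signed images than listed. Reading on a separate descriptor avoids that and lets `read` do the splitting: `while read -r name toml <&3; do` … `done 3< .github/buildomat/sp_build_list`. With that, the two backtick `echo $line | cut` lines go away, and `"$toml"`, `"target/$name/dist/default/build-$name-image-default.zip"` and `"/work/$name.zip"` should be quoted so a stray glob character or space in the list cannot change which files are read or written. A blank line in the list currently runs `cargo xtask dist` with no manifest; `[[ -n "$name" ]] || continue` would skip it.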
@@ -0,0 +1,78 @@ | ||
#!/bin/bash | ||
|
||
set -ex | ||
|
||
sudo apt-get update | ||
sudo apt-get install -y postgresql gcc pkgconf openssl libssl-dev | ||
|
||
sudo -u postgres createuser yourname | ||
sudo -u postgres createdb permslip | ||
sudo -u postgres psql << EOF | ||
\x | ||
alter user yourname with encrypted password 'password'; | ||
EOF | ||
|
||
sudo -u postgres psql << EOF | ||
\x | ||
grant all privileges on database permslip to yourname; | ||
EOF | ||
sudo -u postgres psql -d permslip << EOF | ||
grant all on schema public to yourname; | ||
EOF | ||
|
||
export PERMSLIP_DIR=/work/permslip | ||
BART_KEY=$(pwd)/support/fake_certs/fake_private_key.pem | ||
|
||
mkdir -p $PERMSLIP_DIR | ||
git clone https://github.com/oxidecomputer/permission-slip.git -b ssh_key_fix $PERMSLIP_DIR | ||
pushd $PERMSLIP_DIR | ||
cargo build --release | ||
export POSTGRES_HOST=localhost | ||
export POSTGRES_PORT=5432 | ||
export POSTGRES_USER=yourname | ||
export POSTGRES_PASSWORD=password | ||
|
||
ssh-keygen -t ecdsa -b 256 -f /tmp/id_p256 -N '' -C '' | ||
eval "$(ssh-agent -s)" | ||
ssh-add /tmp/id_p256 | ||
PERMSLIP_SSH_KEY=$(ssh-keygen -lf /tmp/id_p256.pub | cut -d ' ' -f 2) | ||
export PERMSLIP_SSH_KEY | ||
|
||
$PERMSLIP_DIR/target/release/permslip-server import-ssh-key /tmp/id_p256.pub | ||
$PERMSLIP_DIR/target/release/permslip-server import-private-key "UNTRUSTED bart" rsa "$BART_KEY" | ||
$PERMSLIP_DIR/target/release/permslip-server start-server & | ||
|
||
sleep 5 | ||
|
||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 list-keys | ||
|
||
# Gimlet | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED gimlet" rsa | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED gimlet" > gimlet.csr | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED gimlet" --kind csr gimlet.csr > gimlet.cert | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED gimlet" --kind hubris --cert gimlet.cert --root gimlet.cert | ||
|
||
# sidecar | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED sidecar" rsa | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED sidecar" > sidecar.csr | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED sidecar" --kind csr sidecar.csr > sidecar.cert | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED sidecar" --kind hubris --cert sidecar.cert --root sidecar.cert | ||
|
||
# psc | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED psc" rsa | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED psc" > psc.csr | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED psc" --kind csr psc.csr > psc.cert | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED psc" --kind hubris --cert psc.cert --root psc.cert | ||
|
||
# SP | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED SP" rsa | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED SP" > SP.csr | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" --kind csr SP.csr > SP.cert | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED SP" --kind hubris --cert SP.cert --root SP.cert | ||
|
||
# Bart | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED bart" > bart.csr | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED bart" --kind csr bart.csr > bart.cert | ||
$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED bart" --kind hubris --cert bart.cert --root bart.cert | ||
|
||
popd |
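Review bot: The signing tool is built from whatever the `ssh_key_fix` branch of permission-slip points to when the job runs (`git clone ... -b ssh_key_fix`), so the binary that signs these images can change without any commit in this repository. Pinning it keeps the job reproducible and reviewable: after the clone, `git -C "$PERMSLIP_DIR" checkout --detach <commit-sha>` (placeholder for the reviewed revision). Two smaller points: the agent key is written to the fixed path `/tmp/id_p256`, where a directory from `mktemp -d` would avoid a predictable name and the overwrite prompt on a reused worker; and `sleep 5` races with server start-up, which a short retry loop around `list-keys` would remove. The `yourname`/`password` database credentials echoed by `set -ex` are acceptable only because this is a throwaway localhost instance signing with `UNTRUSTED` keys, and a header comment saying so would keep the pattern from being copied into a real signing setup.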
@@ -0,0 +1,18 @@ | ||
gimlet-b app/gimlet/rev-b.toml | ||
gimlet-c app/gimlet/rev-c.toml | ||
gimlet-d app/gimlet/rev-d.toml | ||
gimlet-e app/gimlet/rev-e.toml | ||
gimlet-f app/gimlet/rev-f.toml | ||
gimlet-b-lab app/gimlet/rev-b-lab.toml | ||
gimlet-c-lab app/gimlet/rev-c-lab.toml | ||
gimlet-d-lab app/gimlet/rev-d-lab.toml | ||
gimlet-e-lab app/gimlet/rev-e-lab.toml | ||
gimlet-f-lab app/gimlet/rev-f-lab.toml | ||
psc-b app/psc/rev-b.toml | ||
psc-c app/psc/rev-c.toml | ||
sidecar-b app/sidecar/rev-b.toml | ||
sidecar-c app/sidecar/rev-c.toml | ||
sidecar-d app/sidecar/rev-d.toml | ||
sidecar-b-lab app/sidecar/rev-b-lab.toml | ||
sidecar-c-lab app/sidecar/rev-c-lab.toml | ||
sidecar-d-lab app/sidecar/rev-d-lab.toml |