From 6f26b1cb7fa11600150ccae547e958b447e8c93b Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Mon, 7 Oct 2024 18:10:45 -0400
Subject: [PATCH] Add buildomat jobs for select images

It's useful to have some images that have gone through a `permslip sign`. Do so in a very limited fashion.

---
.github/buildomat/force-git-over-https.sh | 26 ++++++++
.github/buildomat/jobs/rot.sh | 39 ++++++++++++
.github/buildomat/jobs/sp.sh | 37 +++++++++++
.github/buildomat/permslip-setup.sh | 78 +++++++++++++++++++++++
.github/buildomat/sp_build_list | 18 ++++++
5 files changed, 198 insertions(+)
create mode 100644 .github/buildomat/force-git-over-https.sh
create mode 100755 .github/buildomat/jobs/rot.sh
create mode 100755 .github/buildomat/jobs/sp.sh
create mode 100644 .github/buildomat/permslip-setup.sh
create mode 100644 .github/buildomat/sp_build_list
diff --git a/.github/buildomat/force-git-over-https.sh b/.github/buildomat/force-git-over-https.sh
new file mode 100644
index 0000000000..3bc7b86798
--- /dev/null
+++ b/.github/buildomat/force-git-over-https.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+#
+# The token authentication mechanism that affords us access to other private
+# repositories requires that we use HTTPS URLs for GitHub, rather than SSH.
+#
+override_urls=(
+ 'git://github.com/'
+ 'git@github.com:'
+ 'ssh://github.com/'
+ 'ssh://git@github.com/'
+ 'git+ssh://git@github.com/'
+)
+for (( i = 0; i < ${#override_urls[@]}; i++ )); do
+ git config --add --global url.https://github.com/.insteadOf \
+ "${override_urls[$i]}"
+done
+
+#
+# Require that cargo use the git CLI instead of the built-in support. This
+# achieves two things: first, SSH URLs should be transformed on fetch without
+# requiring Cargo.toml rewriting, which is especially difficult in transitive
+# dependencies; second, Cargo does not seem willing on its own to look in
+# ~/.netrc and find the temporary token that buildomat generates for our job,
+# so we must use git which uses curl.
+#
+export CARGO_NET_GIT_FETCH_WITH_CLI=true
diff --git a/.github/buildomat/jobs/rot.sh b/.github/buildomat/jobs/rot.sh
new file mode 100755
index 0000000000..3e0032d437
--- /dev/null
+++ b/.github/buildomat/jobs/rot.sh
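Review bot: The index loop over `override_urls` is more complicated than it needs to be; iterating the elements directly, `for url in "${override_urls[@]}"; do git config --add --global url.https://github.com/.insteadOf "$url"; done`, does the same work without `$i` and reads as ShellCheck expects. The file carries a shebang but is created mode 100644 and its `export CARGO_NET_GIT_FETCH_WITH_CLI=true` only takes effect in a shell that `source`s it, as `jobs/rot.sh` and `jobs/sp.sh` do; a line in the header comment, `# This file is meant to be sourced by the job scripts, not executed.`, would make that contract explicit. Because the sourcing jobs run with `set -o errexit`, a failing `git config` aborts the whole job, which is presumably intended and could be stated in the same comment.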
@@ -0,0 +1,39 @@
+#!/bin/bash
+#:
+#: name = "build rot"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: ]
+#: access_repos = [
+#: "oxidecomputer/permission-slip",
+#: "oxidecomputer/dogbuild",
+#: ]
+#:
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+ kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+cargo xtask dist app/oxide-rot-1/app-dev.toml
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+ sign "UNTRUSTED bart" \
+ target/oxide-rot-1-selfsigned/dist/a/build-oxide-rot-1-selfsigned-image-a.zip \
+ --version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-a.zip
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 \
+ sign "UNTRUSTED bart" \
+ target/oxide-rot-1-selfsigned/dist/b/build-oxide-rot-1-selfsigned-image-b.zip \
+ --version 0.0.0-ci > /work/build-oxide-rot-1-selfsigned-image-b.zip
diff --git a/.github/buildomat/jobs/sp.sh b/.github/buildomat/jobs/sp.sh
new file mode 100755
index 0000000000..ef2d183432
--- /dev/null
+++ b/.github/buildomat/jobs/sp.sh
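Review bot: `_cleanup` runs `kill $(jobs -p)` on every exit path, but when no background job exists (for example if the job fails before `permslip-setup.sh` starts the server) `kill` is invoked with no arguments and prints a usage error from inside the trap; `jobs -p | xargs -r kill` or a guard such as `pids=$(jobs -p); [ -n "$pids" ] && kill $pids` avoids that, and the same trap appears in `jobs/sp.sh`. The two `permslip … sign` invocations repeat `--url=http://localhost:41340` and the `"UNTRUSTED bart"` key name that `permslip-setup.sh` configures; exporting them from the setup script next to `PERMSLIP_DIR` would keep the jobs in step with the server they talk to. The artifact names say "selfsigned", but a header comment stating that these zips are signed with the fake key from `support/fake_certs` and exist only for CI consumption would prevent anyone from treating the published `/work/*.zip` outputs as deployable images.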
@@ -0,0 +1,37 @@
+#!/bin/bash
+#:
+#: name = "build sp"
+#: variety = "basic"
+#: target = "ubuntu-22.04"
+#: rust_toolchain = true
+#: output_rules = [
+#: "=/work/*.zip",
+#: ]
+#: access_repos = [
+#: "oxidecomputer/permission-slip",
+#: "oxidecomputer/dogbuild",
+#: ]
+#:
+
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+_cleanup () {
+ kill $(jobs -p)
+}
+
+trap _cleanup SIGINT SIGTERM EXIT
+
+source .github/buildomat/force-git-over-https.sh
+source .github/buildomat/permslip-setup.sh
+
+
+while read -r line; do
+ name=`echo $line | cut -d ' ' -f 1`
+ toml=`echo $line | cut -d ' ' -f 2`
+ cargo xtask dist $toml
+ $PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" \
+ target/$name/dist/default/build-$name-image-default.zip \
+ --version 0.0.0-ci > /work/$name.zip
+done < .github/buildomat/sp_build_list
diff --git a/.github/buildomat/permslip-setup.sh b/.github/buildomat/permslip-setup.sh
new file mode 100644
index 0000000000..7fd2ac51bf
--- /dev/null
+++ b/.github/buildomat/permslip-setup.sh
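Review bot: The loop body re-parses `$line` with two backticked `echo | cut` pipelines and then uses `$name` and `$toml` unquoted; `read` can split the fields itself, `while read -r name toml; do`, after which the two assignments disappear and the uses can be quoted (`cargo xtask dist "$toml"`, `/work/$name.zip` likewise). A blank or comment line in `sp_build_list` would currently run `cargo xtask dist` with an empty path, so either document that the list allows neither or skip such lines with `[ -n "$name" ] || continue`. Every image lands in `/work/$name.zip`, e.g. `gimlet-b.zip`, with nothing in the name indicating it was signed with the throwaway `"UNTRUSTED SP"` key generated in `permslip-setup.sh`; a header comment saying so (or a suffix in the artifact name) would make it harder to mistake these for releasable images.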
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+set -ex
+
+sudo apt-get update
+sudo apt-get install -y postgresql gcc pkgconf openssl libssl-dev
+
+sudo -u postgres createuser yourname
+sudo -u postgres createdb permslip
+sudo -u postgres psql << EOF
+\x
+alter user yourname with encrypted password 'password';
+EOF
+
+sudo -u postgres psql << EOF
+\x
+grant all privileges on database permslip to yourname;
+EOF
+sudo -u postgres psql -d permslip << EOF
+grant all on schema public to yourname;
+EOF
+
+export PERMSLIP_DIR=/work/permslip
+BART_KEY=$(pwd)/support/fake_certs/fake_private_key.pem
+
+mkdir -p $PERMSLIP_DIR
+git clone https://github.com/oxidecomputer/permission-slip.git -b ssh_key_fix $PERMSLIP_DIR
+pushd $PERMSLIP_DIR
+cargo build --release
+export POSTGRES_HOST=localhost
+export POSTGRES_PORT=5432
+export POSTGRES_USER=yourname
+export POSTGRES_PASSWORD=password
+
+ssh-keygen -t ecdsa -b 256 -f /tmp/id_p256 -N '' -C ''
+eval "$(ssh-agent -s)"
+ssh-add /tmp/id_p256
+PERMSLIP_SSH_KEY=$(ssh-keygen -lf /tmp/id_p256.pub | cut -d ' ' -f 2)
+export PERMSLIP_SSH_KEY
+
+$PERMSLIP_DIR/target/release/permslip-server import-ssh-key /tmp/id_p256.pub
+$PERMSLIP_DIR/target/release/permslip-server import-private-key "UNTRUSTED bart" rsa "$BART_KEY"
+$PERMSLIP_DIR/target/release/permslip-server start-server &
+
+sleep 5
+
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 list-keys
+
+# Gimlet
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED gimlet" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED gimlet" > gimlet.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED gimlet" --kind csr gimlet.csr > gimlet.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED gimlet" --kind hubris --cert gimlet.cert --root gimlet.cert
+
+# sidecar
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED sidecar" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED sidecar" > sidecar.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED sidecar" --kind csr sidecar.csr > sidecar.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED sidecar" --kind hubris --cert sidecar.cert --root sidecar.cert
+
+# psc
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED psc" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED psc" > psc.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED psc" --kind csr psc.csr > psc.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED psc" --kind hubris --cert psc.cert --root psc.cert
+
+# SP
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-key "UNTRUSTED SP" rsa
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED SP" > SP.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED SP" --kind csr SP.csr > SP.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED SP" --kind hubris --cert SP.cert --root SP.cert
+
+# Bart
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 generate-csr "UNTRUSTED bart" > bart.csr
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 sign "UNTRUSTED bart" --kind csr bart.csr > bart.cert
+$PERMSLIP_DIR/target/release/permslip --url=http://localhost:41340 set-key-context "UNTRUSTED bart" --kind hubris --cert bart.cert --root bart.cert
+
+popd
diff --git a/.github/buildomat/sp_build_list b/.github/buildomat/sp_build_list
new file mode 100644
index 0000000000..45537c8c05
--- /dev/null
+++ b/.github/buildomat/sp_build_list
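Review bot: The signing tool is built from a moving branch, `git clone … -b ssh_key_fix $PERMSLIP_DIR`, so the code that produces the published `/work/*.zip` artifacts can change underneath this job without any change in this repository; pinning it, e.g. adding `git -C "$PERMSLIP_DIR" checkout <PINNED_COMMIT_SHA>` (placeholder) right after the clone, makes the build reproducible and the update reviewable. `sleep 5` before the first `list-keys` call is a race: on a slow worker the server may not be listening yet and the job then fails on an unrelated-looking connection error, so polling `list-keys` with a bounded retry loop (below) is more robust. The `yourname`/`password` Postgres credentials and the key in `/tmp/id_p256` are clearly throwaway values for a job-local database; a comment such as `# Throwaway credentials for the job-local Postgres instance; not a secret.` would stop a future reader from filing them as a finding. Note also that the agent started by `eval "$(ssh-agent -s)"` is not a shell job, so the `_cleanup` trap in the job scripts will not stop it; harmless on a disposable worker, but worth a comment.
```shell
$PERMSLIP_DIR/target/release/permslip-server start-server &

# Poll until the server answers instead of assuming it is up after 5 seconds.
ready=0
for _ in {1..30}; do
  if "$PERMSLIP_DIR/target/release/permslip" --url=http://localhost:41340 list-keys >/dev/null 2>&1; then
    ready=1
    break
  fi
  sleep 1
done
[ "$ready" -eq 1 ] || { echo "permslip-server did not become ready" >&2; exit 1; }

# … unchanged: key generation and set-key-context for gimlet, sidecar, psc, SP and bart …
```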
@@ -0,0 +1,18 @@
+gimlet-b app/gimlet/rev-b.toml
+gimlet-c app/gimlet/rev-c.toml
+gimlet-d app/gimlet/rev-d.toml
+gimlet-e app/gimlet/rev-e.toml
+gimlet-f app/gimlet/rev-f.toml
+gimlet-b-lab app/gimlet/rev-b-lab.toml
+gimlet-c-lab app/gimlet/rev-c-lab.toml
+gimlet-d-lab app/gimlet/rev-d-lab.toml
+gimlet-e-lab app/gimlet/rev-e-lab.toml
+gimlet-f-lab app/gimlet/rev-f-lab.toml
+psc-b app/psc/rev-b.toml
+psc-c app/psc/rev-c.toml
+sidecar-b app/sidecar/rev-b.toml
+sidecar-c app/sidecar/rev-c.toml
+sidecar-d app/sidecar/rev-d.toml
+sidecar-b-lab app/sidecar/rev-b-lab.toml
+sidecar-c-lab app/sidecar/rev-c-lab.toml
+sidecar-d-lab app/sidecar/rev-d-lab.toml