From aed1851434f4a86b215cbc59277ec06c4c5d59c4 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 10:51:21 +0100 Subject: [PATCH 01/41] Script to sign and publish package --- .buildkite/hooks/pre-command | 8 + .../pipeline.package-storage-publish.yml | 2 + .buildkite/scripts/install_deps.sh | 36 +++++ .buildkite/scripts/integration_tests.sh | 33 +--- .buildkite/scripts/signAndPublishPackage.sh | 145 +++++++++++++++++- .buildkite/scripts/triggerJenkinsJob/main.go | 5 +- 6 files changed, 194 insertions(+), 35 deletions(-) create mode 100755 .buildkite/scripts/install_deps.sh diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index 6fdbea036c..b6f64f7fcc 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -26,6 +26,8 @@ GCP_SERVICE_ACCOUNT_SECRET_PATH=secret/ci/elastic-elastic-package/gcp-service-ac AWS_SERVICE_ACCOUNT_SECRET_PATH=kv/ci-shared/platform-ingest/aws_account_auth GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token JENKINS_API_TOKEN_PATH=kv/ci-shared/platform-ingest/jenkins_api_tokens +INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/jenkins_gcs_plugin_credentials +PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/package-storage-uploader # Secrets must be redacted # https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables 
@@ -56,4 +58,10 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package-package-storage-publish" && export JENKINS_USERNAME_SECRET=$(retry 5 vault kv get -field username ${JENKINS_API_TOKEN_PATH}) export JENKINS_HOST_SECRET=$(retry 5 vault kv get -field internal_ci_host ${JENKINS_API_TOKEN_PATH}) export JENKINS_TOKEN=$(retry 5 vault kv get -field internal_ci ${JENKINS_API_TOKEN_PATH}) + + # signing job + export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field plaintext ${INTERNAL_CI_GCS_CREDENTIALS_PATH}) + + # publishing job + export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field plaintext ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH}) fi diff --git a/.buildkite/pipeline.package-storage-publish.yml b/.buildkite/pipeline.package-storage-publish.yml index cc489cde81..e9956b2bcc 100644 --- a/.buildkite/pipeline.package-storage-publish.yml +++ b/.buildkite/pipeline.package-storage-publish.yml @@ -11,6 +11,8 @@ steps: image: "golang:1.19.5" cpu: "8" memory: "4G" + artifact_paths: + - build/packages/*.zip - label: "Test" key: sign-publish diff --git a/.buildkite/scripts/install_deps.sh b/.buildkite/scripts/install_deps.sh new file mode 100755 index 0000000000..9c5f7d111e --- /dev/null +++ b/.buildkite/scripts/install_deps.sh 
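Review bot: In the two added `export …_SECRET=$(retry 5 vault read …)` lines of `.buildkite/hooks/pre-command`, `export` returns success even when the command substitution fails, so a failed Vault read leaves an empty credential that is only noticed later when the sign script writes it to a key file and `gcloud` rejects it. Assign first and export afterwards, with the path quoted: `INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field plaintext "${INTERNAL_CI_GCS_CREDENTIALS_PATH}")` followed by `export INTERNAL_CI_GCS_CREDENTIALS_SECRET`, and the same for the uploader secret. The `if` condition is cut off by the hunk header, so it is not visible here whether these signing and publishing credentials are limited to the sign-publish step; if they are not, scoping them to that step would keep them out of the build step's environment.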
@@ -0,0 +1,36 @@ +#!/bin/bash + +set -euo pipefail + +with_kubernetes() { + # FIXME add retry logic + mkdir -p ${WORKSPACE}/bin + curl -sSLo ${WORKSPACE}/bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" + chmod +x ${WORKSPACE}/bin/kind + kind version + which kind + + mkdir -p ${WORKSPACE}/bin + curl -sSLo ${WORKSPACE}/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl" + chmod +x ${WORKSPACE}/bin/kubectl + kubectl version --client + which kubectl +} + +with_go() { + # FIXME add retry logic + mkdir -p ${WORKSPACE}/bin + curl -sL -o ${WORKSPACE}/bin/gvm "https://github.com/andrewkroh/gvm/releases/download/${SETUP_GVM_VERSION}/gvm-linux-amd64" + chmod +x ${WORKSPACE}/bin/gvm + eval "$(gvm $(cat .go-version))" + go version + which go +} + +with_docker_compose() { + # FIXME add retry logic + mkdir -p ${WORKSPACE}/bin + curl -SL -o ${WORKSPACE}/bin/docker-compose "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64" + chmod +x ${WORKSPACE}/bin/docker-compose + docker-compose version +} diff --git a/.buildkite/scripts/integration_tests.sh b/.buildkite/scripts/integration_tests.sh index 896927a07e..e94bba9307 100755 --- a/.buildkite/scripts/integration_tests.sh +++ b/.buildkite/scripts/integration_tests.sh 
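Review bot: `with_kubernetes`, `with_go` and `with_docker_compose` in the new `install_deps.sh` download a binary with `curl`, mark it executable and run it with no integrity check, and without `--fail` an HTTP error body would be saved as the binary. This matters more once the file is sourced by `signAndPublishPackage.sh`, which later in this series calls `with_go` in the step that holds the signing and publishing credentials. Add `--fail` to each `curl` and verify a pinned digest before `chmod +x`, for example `echo "EXPECTED_SHA256_PLACEHOLDER  ${WORKSPACE}/bin/gvm" | sha256sum --check --quiet`, where `EXPECTED_SHA256_PLACEHOLDER` stands for the digest of the pinned release. The `${WORKSPACE}` expansions should also be quoted.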
@@ -13,38 +13,7 @@ usage() { echo -e "\t-h: Show this message" } -with_kubernetes() { - # FIXME add retry logic - mkdir -p ${WORKSPACE}/bin - curl -sSLo ${WORKSPACE}/bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" - chmod +x ${WORKSPACE}/bin/kind - kind version - which kind - - mkdir -p ${WORKSPACE}/bin - curl -sSLo ${WORKSPACE}/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl" - chmod +x ${WORKSPACE}/bin/kubectl - kubectl version --client - which kubectl -} - -with_go() { - # FIXME add retry logic - mkdir -p ${WORKSPACE}/bin - curl -sL -o ${WORKSPACE}/bin/gvm "https://github.com/andrewkroh/gvm/releases/download/${SETUP_GVM_VERSION}/gvm-linux-amd64" - chmod +x ${WORKSPACE}/bin/gvm - eval "$(gvm $(cat .go-version))" - go version - which go -} - -with_docker_compose() { - # FIXME add retry logic - mkdir -p ${WORKSPACE}/bin - curl -SL -o ${WORKSPACE}/bin/docker-compose "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64" - chmod +x ${WORKSPACE}/bin/docker-compose - docker-compose version -} +source .buildkite/scripts/install_deps.sh TARGET="" PACKAGE="" diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index e81e3630d7..1c277e7140 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -1,6 +1,15 @@ #!/bin/bash set -euo pipefail +cleanup() { + cd $FIRST_PWD + rm -rf tmp.elastic-package.* +} + +trap cleanup EXIT + +FIRST_PWD=$(pwd) + echo "Checking gsutil command..." if ! command -v gsutil &> /dev/null ; then echo "⚠️ gsutil is not installed" 
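Review bot: In the `cleanup` trap added at the top of `signAndPublishPackage.sh`, `cd $FIRST_PWD` is unquoted and unchecked, and the `rm -rf tmp.elastic-package.*` that follows is relative to the current directory, so if the `cd` fails the temporary directory that later holds the service-account key file is not removed from the workspace. Removing by absolute path avoids the `cd` altogether: `rm -rf -- "${FIRST_PWD}"/tmp.elastic-package.*`. `FIRST_PWD` is also assigned after `trap cleanup EXIT` is registered; moving the assignment above the trap keeps `set -u` from tripping inside the handler on an early exit.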
@@ -9,4 +18,138 @@ else echo "✅ gsutil is installed" fi -gsutil help +source .buildkite/scripts/install_deps.sh + +repoName() { + # Example of URL: git@github.com:acme-inc/my-project.git + local repoUrl=$1 + + orgAndRepo=$(echo $repoUrl | cut -d':' -f 2) + echo "$(basename ${orgAndRepo} .git)" +} + +isAlreadyPublished() { + local packageZip=$1 + + if curl --head https://package-storage.elastic.co/artifacts/packages/${packageZip} | grep -q "HTTP/2 200" ; then + return 0 + fi + return 1 +} + +REPO_NAME=$(repoName "${BUILDKITE_REPO}") +BUILD_TAG="buildkite-${BUILDKITE_PIPELINE_SLUG}-${BUILDKITE_BUILD_NUMBER}" + +REPO_BUILD_TAG="${REPO_NAME}/${BUILD_TAG}/" + +BUILD_PACKAGES_PATH="build/packages" +TEMPLATE_TEMP_FOLDER="tmp.elastic-package.XXXXXXXXX" + +## Signing +INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_SUBFOLDER="${REPO_BUILD_TAG}/signed-artifacts" +INFRA_SIGNING_BUCKET_ARTIFACTS_PATH="gs://${INFRA_SIGNING_BUCKET_NAME}/${REPO_BUILD_TAG}" +INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH="gs://${INFRA_SIGNING_BUCKET_NAME}/${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_SUBFOLDER}" + +## Publishing +PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-package-storage-internal/queue-publishing/${REPO_BUILD_TAG}" + +JENKINS_TRIGGER_PATH=".buildkite/scripts/triggerJenkinsJob" + +GOOGLE_CREDENTIALS_FILENAME="google-cloud-credentials.json" + +google_cloud_auth() { + local key_file="$1" + gcloud gcloud auth activate-service-account --key-file ${keyFile} +} + +signPackage() { + local package=${1} + local packageZip=$(basename ${package}) + + gsUtilLocation=$(mktemp -d -p . 
-t ${TEMPLATE_TEMP_FOLDER}) + + secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} + echo "${INTERNAL_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} + + google_cloud_auth ${secretFileLocation} + export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} + + echo "Upload package .zip file for signing" + gsutil cp ${packageZip} ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} + + echo "Trigger Jenkins job for signing package ${packageZip}" + pushd ${JENKINS_TRIGGER_PATH} > /dev/null + + go run main.go \ + --jenkins-job sign \ + --package ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH}/${packageZip} + + sleep 5 + popd > /dev/null + + echo "Download signatures" + gsutil cp ${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}/${packageZip}.asc ${BUILD_PACKAGES} + + echo "Rename asc to sig" + for f in build/packages/*.asc; do + mv "$f" "${f%.asc}.sig" + done + + ls -l ${BUILD_PACKAGES} + + rm -r ${gsUtilLocation} +} + +publishPackage() { + local package=$1 + + local packageZip=$(basename ${package}) + # create file with credentials + gsUtilLocation=$(mktemp -d -p . 
-t ${TEMPLATE_TEMP_FOLDER}) + + secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} + echo "${PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} + + google_cloud_auth ${secretFileLocation} + export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} + + # upload files + echo "Upload package .zip file" + gsutil cp ${packageZip} ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} + echo "Upload package .sig file" + gsutil cp ${packageZip}.sig ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} + + echo "Trigger Jenkins job for publishing package ${packageZip}" + pushd ${JENKINS_TRIGGER_PATH} > /dev/null + + go run main.go \ + --jenkins-job publish \ + --package ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/${packageZip} \ + --signature ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/${packageZip}.sig + + sleep 5 + + popd > /dev/null + rm -r ${gsUtilLocation} +} + +# download package artifact +mkdir -p ${BUILD_PACKAGES} + +buildkite-agent artifact download "${BUILD_PACKAGES}/*.zip" --step build-package ${BUILD_PACKAGES} + + +for package in ${BUILD_PACKAGES}/*.zip; do + echo "isAlareadyInstalled ${package}?" + packageZip=$(basename ${package}) + if isAlreadyPublished ${packageZip} ; then + echo "Skipping. ${packageZip} already published" + continue + fi + + echo "Signing package ${packageZip}" + signPackage "${package}" + + echo "Publishing package ${packageZip}" + publishPackage "${package}" +done diff --git a/.buildkite/scripts/triggerJenkinsJob/main.go b/.buildkite/scripts/triggerJenkinsJob/main.go index ff6019f070..81ae184ca2 100644 --- a/.buildkite/scripts/triggerJenkinsJob/main.go +++ b/.buildkite/scripts/triggerJenkinsJob/main.go 
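Review bot: In `signPackage` and `publishPackage` the key-file path is exported as `GOOGLE_APPLICATIONS_CREDENTIALS`, but the Application Default Credentials variable is `GOOGLE_APPLICATION_CREDENTIALS`, so nothing that looks up default credentials will see it and the uploads rely only on `gcloud auth activate-service-account`, which is not undone when `rm -r ${gsUtilLocation}` deletes the key file. Fix or drop the export and add `gcloud auth revoke` to `cleanup` so the account does not stay active on the agent. `signPackage` also renames the downloaded `.asc` to `.sig` and passes it on without checking it against the zip; a `gpg --verify "${package}.sig" "${package}"` before `publishPackage` would catch a missing or mismatched signature, assuming the signing public key can be provisioned on the agent. `isAlreadyPublished` matches only `HTTP/2 200`, so any curl or network failure is treated as "not published"; comparing the output of `curl -s -o /dev/null -w '%{http_code}'` against 200 and 404 and aborting on anything else would fail closed. `gsUtilLocation` and `secretFileLocation` should be declared `local`, and the expansions quoted.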
@@ -76,8 +76,9 @@ func main() { } func runSignPackageJob(ctx context.Context, client *jenkins.JenkinsClient, async bool, jobName, packagePath string) error { - params := map[string]string{} - // TODO set parameters for sign job + params := map[string]string{ + "gcs_input_path": packagePath, + } return client.RunJob(ctx, jobName, async, params) } From 19c8f7a2e050ea42cf7f18ada90c3041fa83784b Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 17:46:37 +0100 Subject: [PATCH 02/41] Add bucket name --- .buildkite/scripts/signAndPublishPackage.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 1c277e7140..138de95af8 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -46,6 +46,7 @@ BUILD_PACKAGES_PATH="build/packages" TEMPLATE_TEMP_FOLDER="tmp.elastic-package.XXXXXXXXX" ## Signing +INFRA_SIGNING_BUCKET_NAME='internal-ci-artifacts' INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_SUBFOLDER="${REPO_BUILD_TAG}/signed-artifacts" INFRA_SIGNING_BUCKET_ARTIFACTS_PATH="gs://${INFRA_SIGNING_BUCKET_NAME}/${REPO_BUILD_TAG}" INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH="gs://${INFRA_SIGNING_BUCKET_NAME}/${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_SUBFOLDER}" From 3433d870fbaca036a213b14b2f864ca604f4c5b6 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 17:58:20 +0100 Subject: [PATCH 03/41] Fix env var --- .buildkite/scripts/signAndPublishPackage.sh | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 138de95af8..97c855c155 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
@@ -44,6 +44,8 @@ REPO_BUILD_TAG="${REPO_NAME}/${BUILD_TAG}/" BUILD_PACKAGES_PATH="build/packages" TEMPLATE_TEMP_FOLDER="tmp.elastic-package.XXXXXXXXX" +JENKINS_TRIGGER_PATH=".buildkite/scripts/triggerJenkinsJob" +GOOGLE_CREDENTIALS_FILENAME="google-cloud-credentials.json" ## Signing INFRA_SIGNING_BUCKET_NAME='internal-ci-artifacts' @@ -54,9 +56,6 @@ INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH="gs://${INFRA_SIGNING_BUCKET_NAME}/${ ## Publishing PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-package-storage-internal/queue-publishing/${REPO_BUILD_TAG}" -JENKINS_TRIGGER_PATH=".buildkite/scripts/triggerJenkinsJob" - -GOOGLE_CREDENTIALS_FILENAME="google-cloud-credentials.json" google_cloud_auth() { local key_file="$1" @@ -89,14 +88,14 @@ signPackage() { popd > /dev/null echo "Download signatures" - gsutil cp ${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}/${packageZip}.asc ${BUILD_PACKAGES} + gsutil cp ${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}/${packageZip}.asc ${BUILD_PACKAGES_PATH} echo "Rename asc to sig" for f in build/packages/*.asc; do mv "$f" "${f%.asc}.sig" done - ls -l ${BUILD_PACKAGES} + ls -l ${BUILD_PACKAGES_PATH} rm -r ${gsUtilLocation} } @@ -134,13 +133,12 @@ publishPackage() { rm -r ${gsUtilLocation} } -# download package artifact -mkdir -p ${BUILD_PACKAGES} - -buildkite-agent artifact download "${BUILD_PACKAGES}/*.zip" --step build-package ${BUILD_PACKAGES} +# download package artifact from previous step +mkdir -p ${BUILD_PACKAGES_PATH} +buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package ${BUILD_PACKAGES_PATH} -for package in ${BUILD_PACKAGES}/*.zip; do +for package in ${BUILD_PACKAGES_PATH}/*.zip; do echo "isAlareadyInstalled ${package}?" packageZip=$(basename ${package}) if isAlreadyPublished ${packageZip} ; then From cdbfbe62db908fc7d85480edbf03f1ab4c97a1af Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:00:40 +0100 Subject: [PATCH 04/41] Fix var --- .buildkite/scripts/signAndPublishPackage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 97c855c155..a02efb4449 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -59,7 +59,7 @@ PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-pac google_cloud_auth() { local key_file="$1" - gcloud gcloud auth activate-service-account --key-file ${keyFile} + gcloud gcloud auth activate-service-account --key-file ${key_file} } signPackage() { From 2cbfce1dd5afd8331ce269868c41e274a3b04b9c Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:03:51 +0100 Subject: [PATCH 05/41] Remove duplicated gcloud --- .buildkite/scripts/signAndPublishPackage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index a02efb4449..34e56b1e4d 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -59,7 +59,7 @@ PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-pac google_cloud_auth() { local key_file="$1" - gcloud gcloud auth activate-service-account --key-file ${key_file} + gcloud auth activate-service-account --key-file ${key_file} } signPackage() { From 1f5be27abf1616dcf7ce7257652ac8d0a78c0f9d Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:10:33 +0100 Subject: [PATCH 06/41] Show custom message --- .buildkite/scripts/signAndPublishPackage.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 34e56b1e4d..da3c4401da 100755 
--- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -59,7 +59,7 @@ PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-pac google_cloud_auth() { local key_file="$1" - gcloud auth activate-service-account --key-file ${key_file} + gcloud auth activate-service-account --key-file ${key_file} > /dev/null } signPackage() { @@ -72,6 +72,7 @@ signPackage() { echo "${INTERNAL_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} google_cloud_auth ${secretFileLocation} + echo "Activated service account" export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} echo "Upload package .zip file for signing" @@ -111,6 +112,7 @@ publishPackage() { echo "${PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} google_cloud_auth ${secretFileLocation} + echo "Activated service account" export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} # upload files From 8475771882e409b9086ecbf3fabeaa0d89ad030f Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:13:07 +0100 Subject: [PATCH 07/41] Add depends_on key --- .buildkite/pipeline.package-storage-publish.yml | 2 ++ .buildkite/scripts/signAndPublishPackage.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.buildkite/pipeline.package-storage-publish.yml b/.buildkite/pipeline.package-storage-publish.yml index e9956b2bcc..43d54dfd8e 100644 --- a/.buildkite/pipeline.package-storage-publish.yml +++ b/.buildkite/pipeline.package-storage-publish.yml @@ -17,6 +17,8 @@ steps: - label: "Test" key: sign-publish command: ".buildkite/scripts/signAndPublishPackage.sh" + depends_on: + - build-package agents: provider: "gcp" image: family/core-ubuntu-2004 diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index da3c4401da..3a9fa259d2 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
@@ -59,7 +59,7 @@ PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-pac google_cloud_auth() { local key_file="$1" - gcloud auth activate-service-account --key-file ${key_file} > /dev/null + gcloud auth activate-service-account --key-file ${key_file} 2> /dev/null } signPackage() { From aeff85156457253c5eef3c1bd42a27536cbcc025 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:17:28 +0100 Subject: [PATCH 08/41] use paths --- .buildkite/scripts/signAndPublishPackage.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 3a9fa259d2..2670d1b40d 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -75,8 +75,8 @@ signPackage() { echo "Activated service account" export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} - echo "Upload package .zip file for signing" - gsutil cp ${packageZip} ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} + echo "Upload package .zip file for signing ${package}" + gsutil cp ${package} ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} echo "Trigger Jenkins job for signing package ${packageZip}" pushd ${JENKINS_TRIGGER_PATH} > /dev/null 
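Review bot: In `google_cloud_auth`, `2> /dev/null` discards gcloud's error output, so when activation fails `set -e` stops the script with no message explaining why. Keep the redirection if the goal is to keep the account name out of the log, but report the failure explicitly and quote the path: `gcloud auth activate-service-account --key-file "${key_file}" 2> /dev/null || { echo "service account activation failed" >&2; return 1; }`. This redirection change is also unrelated to the commit subject "Add depends_on key"; a separate commit would make the history easier to audit.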
@@ -116,10 +116,10 @@ publishPackage() { export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} # upload files - echo "Upload package .zip file" - gsutil cp ${packageZip} ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} - echo "Upload package .sig file" - gsutil cp ${packageZip}.sig ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} + echo "Upload package .zip file ${package}" + gsutil cp ${package} ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} + echo "Upload package .sig file ${package}.sig" + gsutil cp ${package}.sig ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} echo "Trigger Jenkins job for publishing package ${packageZip}" pushd ${JENKINS_TRIGGER_PATH} > /dev/null From c795a30e6eefbb22b05364b9e1d54ae0d39bacec Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:25:45 +0100 Subject: [PATCH 09/41] Download all files from build/packages/ --- .buildkite/scripts/signAndPublishPackage.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 2670d1b40d..59d2d2eb9d 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -138,7 +138,10 @@ publishPackage() { # download package artifact from previous step mkdir -p ${BUILD_PACKAGES_PATH} -buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package ${BUILD_PACKAGES_PATH} +buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*" --step build-package ${BUILD_PACKAGES_PATH} + +echo "Artifacts downloaded:" +ls -l ${BUILD_PACKAGES_PATH} for package in ${BUILD_PACKAGES_PATH}/*.zip; do echo "isAlareadyInstalled ${package}?" From 6005807ba880071f816115639906781d13c9c755 Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:32:06 +0100 Subject: [PATCH 10/41] Use ls to loop files --- .buildkite/scripts/signAndPublishPackage.sh | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 59d2d2eb9d..be704f66b8 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -92,7 +92,7 @@ signPackage() { gsutil cp ${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}/${packageZip}.asc ${BUILD_PACKAGES_PATH} echo "Rename asc to sig" - for f in build/packages/*.asc; do + for f in $(ls ${BUILD_PACKAGES_PATH}/*.asc); do mv "$f" "${f%.asc}.sig" done @@ -138,13 +138,10 @@ publishPackage() { # download package artifact from previous step mkdir -p ${BUILD_PACKAGES_PATH} -buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*" --step build-package ${BUILD_PACKAGES_PATH} +buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package ${BUILD_PACKAGES_PATH} -echo "Artifacts downloaded:" -ls -l ${BUILD_PACKAGES_PATH} - -for package in ${BUILD_PACKAGES_PATH}/*.zip; do - echo "isAlareadyInstalled ${package}?" +for package in $(ls ${BUILD_PACKAGES_PATH}/*.zip); do + echo "isAlreadyInstalled ${package}?" packageZip=$(basename ${package}) if isAlreadyPublished ${packageZip} ; then echo "Skipping. ${packageZip} already published" From 0ab3aca3dd941bb1155e5f672c486a4a347215ee Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:33:36 +0100 Subject: [PATCH 11/41] Remove hello step --- .buildkite/pipeline.package-storage-publish.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.buildkite/pipeline.package-storage-publish.yml b/.buildkite/pipeline.package-storage-publish.yml index 43d54dfd8e..34ee858943 100644 --- a/.buildkite/pipeline.package-storage-publish.yml +++ b/.buildkite/pipeline.package-storage-publish.yml 
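Review bot: Both loops changed in this commit iterate over `$(ls ${BUILD_PACKAGES_PATH}/*.asc)` and `$(ls ${BUILD_PACKAGES_PATH}/*.zip)`, which word-splits file names and, when nothing matches, makes the `for` run zero times without failing the script, so a build with no downloaded package would finish green without signing or publishing anything. Iterate over the glob directly and handle the unmatched case, e.g. `for package in "${BUILD_PACKAGES_PATH}"/*.zip; do` followed by `[[ -e "${package}" ]] || continue`, and fail explicitly if no package was processed. The log line still says `isAlreadyInstalled` while the function it announces is `isAlreadyPublished`. The loop bodies continue outside the hunks.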
@@ -1,7 +1,4 @@ steps: - - label: "Example Test" - command: echo "Hello!" - - label: ":go: Build package" key: build-package command: From 8dc0cbe09b591c1f2e87972a5b22a674af60b7b7 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:39:41 +0100 Subject: [PATCH 12/41] show artifacts --- .buildkite/scripts/signAndPublishPackage.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index be704f66b8..283edaa5eb 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -139,6 +139,8 @@ publishPackage() { mkdir -p ${BUILD_PACKAGES_PATH} buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package ${BUILD_PACKAGES_PATH} +echo "Show artifacts downloaded from previous step ${BUILD_PACKAGES_PATH}" +ls -l ${BUILD_PACKAGES_PATH} for package in $(ls ${BUILD_PACKAGES_PATH}/*.zip); do echo "isAlreadyInstalled ${package}?" From d56742c5fe1ed41705d315318bad9f0165f93e6e Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:45:24 +0100 Subject: [PATCH 13/41] buildkite downloads artifacts with the same folder structure --- .buildkite/scripts/signAndPublishPackage.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 283edaa5eb..f691debdf4 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
@@ -136,9 +136,9 @@ publishPackage() { } # download package artifact from previous step -mkdir -p ${BUILD_PACKAGES_PATH} +mkdir -p BUILD_PACKAGES_PATH -buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package ${BUILD_PACKAGES_PATH} +buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package . echo "Show artifacts downloaded from previous step ${BUILD_PACKAGES_PATH}" ls -l ${BUILD_PACKAGES_PATH} From 9924b036e4db38adb92c27809b8137421144efb6 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 18:58:28 +0100 Subject: [PATCH 14/41] Update field for secret --- .buildkite/hooks/pre-command | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index b6f64f7fcc..d7a5f513d5 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -63,5 +63,5 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package-package-storage-publish" && export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field plaintext ${INTERNAL_CI_GCS_CREDENTIALS_PATH}) # publishing job - export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field plaintext ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH}) + export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH}) fi From 72273b886ed85e4dd3c4e316cc9365d046553201 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 19:04:25 +0100 Subject: [PATCH 15/41] Show bucket path --- .buildkite/scripts/signAndPublishPackage.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index f691debdf4..d9ae7256bf 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
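Review bot: `mkdir -p BUILD_PACKAGES_PATH` in the signAndPublishPackage.sh hunk lost its `${…}` and now creates a directory literally named `BUILD_PACKAGES_PATH` in the workspace instead of `build/packages`. Going by the commit subject, the download still works only because `buildkite-agent artifact download … .` recreates the folder structure itself; the line should be `mkdir -p "${BUILD_PACKAGES_PATH}"` or be removed.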
@@ -116,9 +116,9 @@ publishPackage() { export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} # upload files - echo "Upload package .zip file ${package}" + echo "Upload package .zip file ${package} to ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}" gsutil cp ${package} ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} - echo "Upload package .sig file ${package}.sig" + echo "Upload package .sig file ${package}.sig to ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}" gsutil cp ${package}.sig ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} echo "Trigger Jenkins job for publishing package ${packageZip}" From 4219d2a7179fb85d0bc04aa0ec5f5fe6ce965d97 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Mon, 6 Mar 2023 19:09:03 +0100 Subject: [PATCH 16/41] Show bucket path --- .buildkite/scripts/signAndPublishPackage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index d9ae7256bf..f7f003c4a0 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -75,7 +75,7 @@ signPackage() { echo "Activated service account" export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} - echo "Upload package .zip file for signing ${package}" + echo "Upload package .zip file for signing ${package} to ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH}" gsutil cp ${package} ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} echo "Trigger Jenkins job for signing package ${packageZip}" From c06cde69dba5f01ca7d2380fbd471d14d266f9a8 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:12:39 +0100 Subject: [PATCH 17/41] Force testing triggering Jenkins job --- .buildkite/scripts/signAndPublishPackage.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index f7f003c4a0..eb27e42746 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -135,6 +135,21 @@ publishPackage() { rm -r ${gsUtilLocation} } +# test triggering job in Jenkins +echo "Trigger Jenkins job for publishing package" +pushd ${JENKINS_TRIGGER_PATH} > /dev/null + +go run main.go \ + --jenkins-job publish \ + --package gs://elastic-bekitzur-package-storage-internal/queue-publishing/elastic-package/jenkins-Ingest-manager-elastic-package-package-storage-publish-PR-1175-14/package_storage_candidate-0.0.1.zip\ + --signature gs://elastic-bekitzur-package-storage-internal/queue-publishing/elastic-package/jenkins-Ingest-manager-elastic-package-package-storage-publish-PR-1175-14/package_storage_candidate-0.0.1.zip.sig + +sleep 5 + +popd > /dev/null + +exit 0 + # download package artifact from previous step mkdir -p BUILD_PACKAGES_PATH From 6d64c7116962aea1644cb8bc98eaf1dba48d7fe2 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:18:27 +0100 Subject: [PATCH 18/41] Add golang instalation --- .buildkite/scripts/signAndPublishPackage.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index eb27e42746..51e881d073 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -135,6 +135,9 @@ publishPackage() { rm -r ${gsUtilLocation} } +# Required to trigger Jenkins job +with_go + # test triggering job in Jenkins echo "Trigger Jenkins job for publishing package" pushd ${JENKINS_TRIGGER_PATH} > /dev/null From 693d072aee53d331e94d8ecffc93da2c4a79382e Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:22:50 +0100 Subject: [PATCH 19/41] Add workspace var --- .buildkite/scripts/signAndPublishPackage.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 51e881d073..41a93ce29b 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -9,6 +9,7 @@ cleanup() { trap cleanup EXIT FIRST_PWD=$(pwd) +WORKSPACE="$(pwd)" echo "Checking gsutil command..." if ! command -v gsutil &> /dev/null ; then From 6e3b29d037142560eb2ba41dc3df4dcd47295269 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:27:11 +0100 Subject: [PATCH 20/41] Add SETUP_GVM_VERSION var --- .buildkite/pipeline.package-storage-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.buildkite/pipeline.package-storage-publish.yml b/.buildkite/pipeline.package-storage-publish.yml index 34ee858943..aeab927ba2 100644 --- a/.buildkite/pipeline.package-storage-publish.yml +++ b/.buildkite/pipeline.package-storage-publish.yml @@ -1,3 +1,6 @@ +env: + SETUP_GVM_VERSION: 'v0.5.0' # https://github.com/andrewkroh/gvm/issues/44#issuecomment-1013231151 + steps: - label: ":go: Build package" key: build-package From acecf2f37033de799e8605f4be960edab3223659 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:32:04 +0100 Subject: [PATCH 21/41] Update PATH --- .buildkite/scripts/signAndPublishPackage.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 41a93ce29b..98cc26f321 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
@@ -2,14 +2,14 @@ set -euo pipefail cleanup() { - cd $FIRST_PWD + cd ${WORKSPACE} rm -rf tmp.elastic-package.* } trap cleanup EXIT -FIRST_PWD=$(pwd) WORKSPACE="$(pwd)" +export PATH="${WORKSPACE}/bin:${PATH}" echo "Checking gsutil command..." if ! command -v gsutil &> /dev/null ; then From 0229ddef5198671f0a4dbbd9184c76b6650f0fac Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:38:29 +0100 Subject: [PATCH 22/41] Fix errors in jenkins command --- .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index 58b27df1f8..7266947d85 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go @@ -101,9 +101,10 @@ func (j *JenkinsClient) waitForBuildFinished(ctx context.Context, build *gojenki case <-ctx.Done(): return ctx.Err() } - _, err = build.Poll(ctx) + _, err := build.Poll(ctx) if err != nil { return err } } + return nil } From 8b5086b542916a59db698d6c0f34ae08dbae4031 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 10:48:17 +0100 Subject: [PATCH 23/41] Remove extra var --- .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index 7266947d85..41ade1b2f8 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go 
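Review bot: `export PATH="${WORKSPACE}/bin:${PATH}"` puts a directory inside the checkout ahead of the agent's own tool directories, so any executable named `gsutil`, `gcloud`, `curl` or `go` that ends up in `${WORKSPACE}/bin` takes precedence in the step that handles the signing and publishing credentials. If no helper needs to override a system tool, appending instead, `export PATH="${PATH}:${WORKSPACE}/bin"`, or installing the helpers into a directory created with `mktemp -d` outside the checkout, keeps the system tools first. `cd ${WORKSPACE}` in `cleanup` should be quoted.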
@@ -50,7 +50,7 @@ func (j *JenkinsClient) RunJob(ctx context.Context, jobName string, async bool, return fmt.Errorf("not finished job %s/%d: %w", jobName, build.GetBuildNumber(), err) } - log.Printf("Build %s finished with result: %v\n", build.GetUrl(), build.GetBuildNumber(), build.GetResult()) + log.Printf("Build %s finished with result: %s\n", build.GetUrl(), build.GetResult()) return nil } From 00d771e0ca9f6eaab5f5067e641ce4543c78a7d3 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 11:00:42 +0100 Subject: [PATCH 24/41] Test with other vault path --- .buildkite/hooks/pre-command | 2 +- .buildkite/scripts/signAndPublishPackage.sh | 15 --------------- 2 files changed, 1 insertion(+), 16 deletions(-) diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index d7a5f513d5..d9cf962529 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -26,7 +26,7 @@ GCP_SERVICE_ACCOUNT_SECRET_PATH=secret/ci/elastic-elastic-package/gcp-service-ac AWS_SERVICE_ACCOUNT_SECRET_PATH=kv/ci-shared/platform-ingest/aws_account_auth GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token JENKINS_API_TOKEN_PATH=kv/ci-shared/platform-ingest/jenkins_api_tokens -INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/jenkins_gcs_plugin_credentials +INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/jenkins_k8s_plugin_credentials PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/package-storage-uploader # Secrets must be redacted diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 98cc26f321..8acde805dd 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
@@ -139,21 +139,6 @@ publishPackage() { # Required to trigger Jenkins job with_go -# test triggering job in Jenkins -echo "Trigger Jenkins job for publishing package" -pushd ${JENKINS_TRIGGER_PATH} > /dev/null - -go run main.go \ - --jenkins-job publish \ - --package gs://elastic-bekitzur-package-storage-internal/queue-publishing/elastic-package/jenkins-Ingest-manager-elastic-package-package-storage-publish-PR-1175-14/package_storage_candidate-0.0.1.zip\ - --signature gs://elastic-bekitzur-package-storage-internal/queue-publishing/elastic-package/jenkins-Ingest-manager-elastic-package-package-storage-publish-PR-1175-14/package_storage_candidate-0.0.1.zip.sig - -sleep 5 - -popd > /dev/null - -exit 0 - # download package artifact from previous step mkdir -p BUILD_PACKAGES_PATH From 340e69b893bb18eea03226ba4fb421be8e7d708b Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 11:19:08 +0100 Subject: [PATCH 25/41] Update to 10 secs to check for jenkins status --- .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index 41ade1b2f8..d955cfc747 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go @@ -97,7 +97,7 @@ func (j *JenkinsClient) waitForBuildFinished(ctx context.Context, build *gojenki for build.IsRunning(ctx) { log.Printf("Build still running, waiting for 5 secs...") select { - case <-time.After(5000 * time.Millisecond): + case <-time.After(10000 * time.Millisecond): case <-ctx.Done(): return ctx.Err() } From 5e733e7ff0428f0f949999aa08cc1a3561ed7aed Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 17:37:19 +0100 Subject: [PATCH 26/41] Add tooling script --- .buildkite/hooks/pre-command | 2 +- .buildkite/scripts/install_deps.sh | 13 +++-- .buildkite/scripts/signAndPublishPackage.sh | 54 ++++++++++----------- .buildkite/scripts/tooling.sh | 40 +++++++++++++++ 4 files changed, 72 insertions(+), 37 deletions(-) create mode 100755 .buildkite/scripts/tooling.sh diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index d9cf962529..d7a5f513d5 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -26,7 +26,7 @@ GCP_SERVICE_ACCOUNT_SECRET_PATH=secret/ci/elastic-elastic-package/gcp-service-ac AWS_SERVICE_ACCOUNT_SECRET_PATH=kv/ci-shared/platform-ingest/aws_account_auth GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token JENKINS_API_TOKEN_PATH=kv/ci-shared/platform-ingest/jenkins_api_tokens -INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/jenkins_k8s_plugin_credentials +INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/jenkins_gcs_plugin_credentials PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/package-storage-uploader # Secrets must be redacted diff --git a/.buildkite/scripts/install_deps.sh b/.buildkite/scripts/install_deps.sh index 9c5f7d111e..20a1f8a9c2 100755 --- a/.buildkite/scripts/install_deps.sh +++ b/.buildkite/scripts/install_deps.sh 
@@ -2,25 +2,25 @@ set -euo pipefail +source .buildkite/scripts/tooling.sh + with_kubernetes() { - # FIXME add retry logic mkdir -p ${WORKSPACE}/bin - curl -sSLo ${WORKSPACE}/bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" + retry 5 curl -sSLo ${WORKSPACE}/bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" chmod +x ${WORKSPACE}/bin/kind kind version which kind mkdir -p ${WORKSPACE}/bin - curl -sSLo ${WORKSPACE}/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl" + retry 5 curl -sSLo ${WORKSPACE}/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/kubectl" chmod +x ${WORKSPACE}/bin/kubectl kubectl version --client which kubectl } with_go() { - # FIXME add retry logic mkdir -p ${WORKSPACE}/bin - curl -sL -o ${WORKSPACE}/bin/gvm "https://github.com/andrewkroh/gvm/releases/download/${SETUP_GVM_VERSION}/gvm-linux-amd64" + retry 5 curl -sL -o ${WORKSPACE}/bin/gvm "https://github.com/andrewkroh/gvm/releases/download/${SETUP_GVM_VERSION}/gvm-linux-amd64" chmod +x ${WORKSPACE}/bin/gvm eval "$(gvm $(cat .go-version))" go version @@ -28,9 +28,8 @@ with_go() { } with_docker_compose() { - # FIXME add retry logic mkdir -p ${WORKSPACE}/bin - curl -SL -o ${WORKSPACE}/bin/docker-compose "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64" + retry 5 curl -SL -o ${WORKSPACE}/bin/docker-compose "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64" chmod +x ${WORKSPACE}/bin/docker-compose docker-compose version } diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index 8acde805dd..f18ddb3387 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
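Review bot: `retry 5 curl -sSLo …` in `with_kubernetes`, `with_go` and (next hunk) `with_docker_compose` never retries an HTTP error, because without `--fail` curl exits 0 on a 404 or 500 and saves the error body as the file that is then made executable. Adding the flag, e.g. `retry 5 curl -fsSLo ${WORKSPACE}/bin/kind "…"`, lets `retry` see the failure. None of the downloads is checked against a pinned digest before `chmod +x`; a `sha256sum -c` step against a checksum kept in the repository would be worth adding, since `with_go` is called from signAndPublishPackage.sh, which holds the signing and publishing credentials.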
@@ -20,14 +20,7 @@ else fi source .buildkite/scripts/install_deps.sh - -repoName() { - # Example of URL: git@github.com:acme-inc/my-project.git - local repoUrl=$1 - - orgAndRepo=$(echo $repoUrl | cut -d':' -f 2) - echo "$(basename ${orgAndRepo} .git)" -} +source .buildkite/scripts/tooling.sh isAlreadyPublished() { local packageZip=$1 @@ -58,23 +51,33 @@ INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH="gs://${INFRA_SIGNING_BUCKET_NAME}/${ PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-package-storage-internal/queue-publishing/${REPO_BUILD_TAG}" -google_cloud_auth() { - local key_file="$1" - gcloud auth activate-service-account --key-file ${key_file} 2> /dev/null +google_cloud_auth_signing() { + local gsUtilLocation=$(mktemp -d -p . -t ${TEMPLATE_TEMP_FOLDER}) + + local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} + echo "${INTERNAL_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} + + google_cloud_auth "${secretFileLocation}" + + echo "${gsUtilLocation}" +} + +google_cloud_auth_publishing() { + local gsUtilLocation=$(mktemp -d -p . -t ${TEMPLATE_TEMP_FOLDER}) + + local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} + echo "${PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} + + google_cloud_auth "${secretFileLocation}" + + echo "${gsUtilLocation}" } signPackage() { local package=${1} local packageZip=$(basename ${package}) - gsUtilLocation=$(mktemp -d -p . -t ${TEMPLATE_TEMP_FOLDER}) - - secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} - echo "${INTERNAL_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} - - google_cloud_auth ${secretFileLocation} - echo "Activated service account" - export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} + local gsUtilLocation=$(google_cloud_auth_signing) echo "Upload package .zip file for signing ${package} to ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH}" gsutil cp ${package} ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} 
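Review bot: A failed service-account activation is silently ignored in `signPackage`, because `local gsUtilLocation=$(google_cloud_auth_signing)` returns the status of `local`, not of the function, and bash clears `-e` inside the command substitution. The following `gsutil cp` would then presumably run with whatever account was active before. Declare and assign separately, `local gsUtilLocation` then `gsUtilLocation=$(google_cloud_auth_signing) || return 1`, and end the helper's auth call with `|| return 1`; the same pattern is in `publishPackage` in the next hunk. The helper also runs in a subshell, so the `export` done by `google_cloud_auth` does not reach the caller.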
@@ -104,17 +107,10 @@ signPackage() { publishPackage() { local package=$1 - local packageZip=$(basename ${package}) - # create file with credentials - gsUtilLocation=$(mktemp -d -p . -t ${TEMPLATE_TEMP_FOLDER}) - secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} - echo "${PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} - - google_cloud_auth ${secretFileLocation} - echo "Activated service account" - export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} + # create file with credentials + local gsUtilLocation=$(google_cloud_auth_publishing) # upload files echo "Upload package .zip file ${package} to ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}" @@ -140,7 +136,7 @@ publishPackage() { with_go # download package artifact from previous step -mkdir -p BUILD_PACKAGES_PATH +mkdir -p ${BUILD_PACKAGES_PATH} buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package . echo "Show artifacts downloaded from previous step ${BUILD_PACKAGES_PATH}" diff --git a/.buildkite/scripts/tooling.sh b/.buildkite/scripts/tooling.sh new file mode 100755 index 0000000000..244edeca09 --- /dev/null +++ b/.buildkite/scripts/tooling.sh 
@@ -0,0 +1,40 @@ +#!/bin/bash +set -euo pipefail + +repoName() { + # Example of URL: git@github.com:acme-inc/my-project.git + local repoUrl=$1 + + orgAndRepo=$(echo $repoUrl | cut -d':' -f 2) + echo "$(basename ${orgAndRepo} .git)" +} + +google_cloud_auth() { + local keyFile=$1 + + gcloud auth activate-service-account --key-file ${keyFile} 2> /dev/null + + echo "Activated service account" + export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} +} + +retry() { + local retries=$1 + shift + + local count=0 + until "$@"; do + exit=$? + wait=$((2 ** count)) + count=$((count + 1)) + if [ $count -lt "$retries" ]; then + >&2 echo "Retry $count/$retries exited $exit, retrying in $wait seconds..." + sleep $wait + else + >&2 echo "Retry $count/$retries exited $exit, no more retries left." + return $exit + fi + done + return 0 +} + From 1e025931b923536ee954325d7575e9fce2137fab Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 7 Mar 2023 17:42:48 +0100 Subject: [PATCH 27/41] Add silent parameter to curl --- .buildkite/scripts/signAndPublishPackage.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index f18ddb3387..c2f671f78f 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -25,9 +25,11 @@ source .buildkite/scripts/tooling.sh isAlreadyPublished() { local packageZip=$1 - if curl --head https://package-storage.elastic.co/artifacts/packages/${packageZip} | grep -q "HTTP/2 200" ; then + if curl -s --head https://package-storage.elastic.co/artifacts/packages/${packageZip} | grep -q "HTTP/2 200" ; then + echo "- Already published ${packageZip}" return 0 fi + echo "- Not published ${packageZip}" return 1 } From b15e5d3c735c5287bce307f305430d40e3646b8f Mon Sep 17 00:00:00 2001 
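Review bot: `google_cloud_auth` exports `GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation}`, which reads a variable the function never defines (it only resolves through the caller's `local`, and aborts under `set -u` otherwise) and uses a name that differs from the `GOOGLE_APPLICATION_CREDENTIALS` variable Google client libraries read. `export GOOGLE_APPLICATION_CREDENTIALS="${keyFile}"` uses the function's own parameter. The `2> /dev/null` on `gcloud auth activate-service-account` discards the only diagnostic when activation fails; keeping stderr would make a bad key visible in the build log. In `retry`, `exit` and `wait` are assigned without `local` and leak into the sourcing script; `local exit wait` next to `local count=0` contains them.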
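Review bot: `isAlreadyPublished` treats every outcome other than a literal `HTTP/2 200` status line as "not published", so a network error or a response served over HTTP/1.1 would send an existing package through signing and publishing again. Comparing the status code is sturdier: `status=$(curl -s -o /dev/null -w '%{http_code}' --head "https://package-storage.elastic.co/artifacts/packages/${packageZip}")` followed by `[[ "${status}" == "200" ]]`, with a non-zero curl exit handled as an error rather than as a miss. The URL is also built from an unquoted `${packageZip}`.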
From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 20:19:35 +0100 Subject: [PATCH 28/41] Update vault path --- .buildkite/hooks/pre-command | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index d7a5f513d5..1c121704f0 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -26,7 +26,7 @@ GCP_SERVICE_ACCOUNT_SECRET_PATH=secret/ci/elastic-elastic-package/gcp-service-ac AWS_SERVICE_ACCOUNT_SECRET_PATH=kv/ci-shared/platform-ingest/aws_account_auth GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token JENKINS_API_TOKEN_PATH=kv/ci-shared/platform-ingest/jenkins_api_tokens -INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/jenkins_gcs_plugin_credentials +INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/gcs_artifacts_credentials PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/package-storage-uploader # Secrets must be redacted @@ -60,7 +60,7 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package-package-storage-publish" && export JENKINS_TOKEN=$(retry 5 vault kv get -field internal_ci ${JENKINS_API_TOKEN_PATH}) # signing job - export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field plaintext ${INTERNAL_CI_GCS_CREDENTIALS_PATH}) + export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value ${INTERNAL_CI_GCS_CREDENTIALS_PATH}) # publishing job export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH}) From 78e8fc19cc198f9bd24bc2185ef89ca5a9202936 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 20:35:44 +0100 Subject: [PATCH 29/41] Add Fatalf --- .buildkite/scripts/triggerJenkinsJob/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/main.go b/.buildkite/scripts/triggerJenkinsJob/main.go index 81ae184ca2..b63b58c91f 100644 
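Review bot: `export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value …)` hides a failed Vault read, because the exit status of the line is that of `export`; the hook would continue with an empty secret that is later written out as a key file. Assign first and export after, `INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value ${INTERNAL_CI_GCS_CREDENTIALS_PATH})` then `export INTERNAL_CI_GCS_CREDENTIALS_SECRET`, so the assignment's status can be checked. The same form is used for the publishing secret and is carried through the `vault kv get` rewrites in patches 40 and 41. The `if` block these lines sit in starts outside the hunk.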
--- a/.buildkite/scripts/triggerJenkinsJob/main.go +++ b/.buildkite/scripts/triggerJenkinsJob/main.go @@ -71,7 +71,7 @@ func main() { } if err != nil { - log.Fatal("Error: %s", err) + log.Fatalf("Error: %s", err) } } From 5b1a596032c5cfdbafb5e7384a3faf420306f73b Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 20:42:31 +0100 Subject: [PATCH 30/41] Fix jenkins job name --- .buildkite/scripts/triggerJenkinsJob/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/main.go b/.buildkite/scripts/triggerJenkinsJob/main.go index b63b58c91f..3134a9e1ad 100644 --- a/.buildkite/scripts/triggerJenkinsJob/main.go +++ b/.buildkite/scripts/triggerJenkinsJob/main.go @@ -17,7 +17,7 @@ import ( const ( publishingRemoteJob = "package_storage/job/publishing-job-remote" - signingJob = "elastic+unified-release+master+sign-artifacts-wigh-gpg" + signingJob = "elastic+unified-release+master+sign-artifacts-with-gpg" publishJobKey = "publish" signJobKey = "sign" From 1bbc052674e40953077cb938431646c76474b282 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 20:58:48 +0100 Subject: [PATCH 31/41] Add new parameter --folder --- .buildkite/scripts/signAndPublishPackage.sh | 2 +- .../triggerJenkinsJob/jenkins/jenkins.go | 2 +- .buildkite/scripts/triggerJenkinsJob/main.go | 18 ++++++++++++++---- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index c2f671f78f..d8e6c5b857 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -89,7 +89,7 @@ signPackage() { go run main.go \ --jenkins-job sign \ - --package ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH}/${packageZip} + --folder ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} sleep 5 popd > /dev/null 
diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index d955cfc747..19dcb0346f 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go @@ -95,7 +95,7 @@ func (j *JenkinsClient) getBuildFromQueueID(ctx context.Context, job *gojenkins. func (j *JenkinsClient) waitForBuildFinished(ctx context.Context, build *gojenkins.Build) error { for build.IsRunning(ctx) { - log.Printf("Build still running, waiting for 5 secs...") + log.Printf("Build still running, waiting for 10 secs...") select { case <-time.After(10000 * time.Millisecond): case <-ctx.Done(): diff --git a/.buildkite/scripts/triggerJenkinsJob/main.go b/.buildkite/scripts/triggerJenkinsJob/main.go index 3134a9e1ad..25f5dbc9c2 100644 --- a/.buildkite/scripts/triggerJenkinsJob/main.go +++ b/.buildkite/scripts/triggerJenkinsJob/main.go @@ -44,7 +44,8 @@ func jenkinsJobOptions() []string { func main() { jenkinsJob := flag.String("jenkins-job", "", fmt.Sprintf("Jenkins job to trigger. Allowed values: %s", strings.Join(jenkinsJobOptions(), " ,"))) - zipPackagePath := flag.String("package", "", "Path to zip package file (*.zip) ") + folderPath := flag.String("folder", "", "Path to artifacts folder") + zipPackagePath := flag.String("package", "", "Path to zip package file (*.zip)") sigPackagePath := flag.String("signature", "", "Path to the signature file of the package file (*.zip.sig)") async := flag.Bool("async", false, "Run async the Jenkins job") flag.Parse() 
@@ -65,7 +66,7 @@ func main() { case publishJobKey: err = runPublishingRemoteJob(ctx, client, *async, allowedJenkinsJobs[*jenkinsJob], *zipPackagePath, *sigPackagePath) case signJobKey: - err = runSignPackageJob(ctx, client, *async, allowedJenkinsJobs[*jenkinsJob], *zipPackagePath) + err = runSignPackageJob(ctx, client, *async, allowedJenkinsJobs[*jenkinsJob], *folderPath) default: log.Fatal("unsupported jenkins job") } @@ -75,15 +76,24 @@ func main() { } } -func runSignPackageJob(ctx context.Context, client *jenkins.JenkinsClient, async bool, jobName, packagePath string) error { +func runSignPackageJob(ctx context.Context, client *jenkins.JenkinsClient, async bool, jobName, folderPath string) error { + if folderPath == "" { + return fmt.Errorf("missing parameter --gcs_input_path for") + } params := map[string]string{ - "gcs_input_path": packagePath, + "gcs_input_path": folderPath, } return client.RunJob(ctx, jobName, async, params) } func runPublishingRemoteJob(ctx context.Context, client *jenkins.JenkinsClient, async bool, jobName, packagePath, signaturePath string) error { + if zipPackagePath == "" { + return fmt.Errorf("missing parameter --gs_package_build_zip_path") + } + if signaturePath == "" { + return fmt.Errorf("missing parameter --gs_package_signature_path") + } // Run the job with some parameters params := map[string]string{ From f6153a2c6418f1dc1262d26a7bcd7565181e2657 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 21:05:34 +0100 Subject: [PATCH 32/41] Return error if job fails --- .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index 19dcb0346f..c99ebaf9ed 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go 
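Review bot: The new validation errors name flags the command does not define: `missing parameter --gcs_input_path for` (with a dangling "for"), `--gs_package_build_zip_path` and `--gs_package_signature_path`, while the flags registered in `main` are `--folder`, `--package` and `--signature`. Someone reading the failure in a build log would look for the wrong option; `return fmt.Errorf("missing parameter --folder")`, and likewise `--package` and `--signature`, match what the caller typed. Checking these before the Jenkins client is created would also fail faster, though that part of `main` is outside the hunk.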
@@ -51,6 +51,10 @@ func (j *JenkinsClient) RunJob(ctx context.Context, jobName string, async bool, } log.Printf("Build %s finished with result: %s\n", build.GetUrl(), build.GetResult()) + + if build.GetResult() != gojenkins.STATUS_SUCCESS { + return fmt.Errorf("build %s finished with result %s", build.GetUrl(), build.GetResult()) + } return nil } From 3d7beb83f8f9a7010438b4f486463cca0184cfc5 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 21:25:51 +0100 Subject: [PATCH 33/41] Fix var name --- .buildkite/scripts/triggerJenkinsJob/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/main.go b/.buildkite/scripts/triggerJenkinsJob/main.go index 25f5dbc9c2..bfddaa2f6d 100644 --- a/.buildkite/scripts/triggerJenkinsJob/main.go +++ b/.buildkite/scripts/triggerJenkinsJob/main.go @@ -88,7 +88,7 @@ func runSignPackageJob(ctx context.Context, client *jenkins.JenkinsClient, async } func runPublishingRemoteJob(ctx context.Context, client *jenkins.JenkinsClient, async bool, jobName, packagePath, signaturePath string) error { - if zipPackagePath == "" { + if packagePath == "" { return fmt.Errorf("missing parameter --gs_package_build_zip_path") } if signaturePath == "" { From 334ee6e0ea801106e86d48184040f770983e5d0a Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 21:43:03 +0100 Subject: [PATCH 34/41] Remove messages in google cloud auth command --- .buildkite/scripts/signAndPublishPackage.sh | 9 +++++++-- .buildkite/scripts/tooling.sh | 1 - .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go | 5 +++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index d8e6c5b857..ded4b49362 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh 
@@ -2,8 +2,10 @@ set -euo pipefail cleanup() { + echo "Deleting temporal files..." cd ${WORKSPACE} rm -rf tmp.elastic-package.* + echo "Done." } trap cleanup EXIT @@ -104,7 +106,8 @@ signPackage() { ls -l ${BUILD_PACKAGES_PATH} - rm -r ${gsUtilLocation} + echo "Removing temporal location ${gsUtilLocation}" + rm -r "${gsUtilLocation}" } publishPackage() { @@ -131,7 +134,9 @@ publishPackage() { sleep 5 popd > /dev/null - rm -r ${gsUtilLocation} + + echo "Removing temporal location ${gsUtilLocation}" + rm -r "${gsUtilLocation}" } # Required to trigger Jenkins job diff --git a/.buildkite/scripts/tooling.sh b/.buildkite/scripts/tooling.sh index 244edeca09..0ea9bfba66 100755 --- a/.buildkite/scripts/tooling.sh +++ b/.buildkite/scripts/tooling.sh @@ -14,7 +14,6 @@ google_cloud_auth() { gcloud auth activate-service-account --key-file ${keyFile} 2> /dev/null - echo "Activated service account" export GOOGLE_APPLICATIONS_CREDENTIALS=${secretFileLocation} } diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index c99ebaf9ed..353dbb60f6 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go @@ -98,10 +98,11 @@ func (j *JenkinsClient) getBuildFromQueueID(ctx context.Context, job *gojenkins. } func (j *JenkinsClient) waitForBuildFinished(ctx context.Context, build *gojenkins.Build) error { + waitingPeriod := 10000 * time.Millisecond for build.IsRunning(ctx) { - log.Printf("Build still running, waiting for 10 secs...") + log.Printf("Build still running, waiting for %s...", waitingPeriod) select { - case <-time.After(10000 * time.Millisecond): + case <-time.After(waitingPeriod): case <-ctx.Done(): return ctx.Err() } From c7e7adaab1fb3671ba5f9dcb2363d902347fcd68 Mon Sep 17 00:00:00 2001 
From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 22:00:40 +0100 Subject: [PATCH 35/41] Remove trailing slash --- .buildkite/scripts/signAndPublishPackage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index ded4b49362..e50ee8d8c3 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -38,7 +38,7 @@ isAlreadyPublished() { REPO_NAME=$(repoName "${BUILDKITE_REPO}") BUILD_TAG="buildkite-${BUILDKITE_PIPELINE_SLUG}-${BUILDKITE_BUILD_NUMBER}" -REPO_BUILD_TAG="${REPO_NAME}/${BUILD_TAG}/" +REPO_BUILD_TAG="${REPO_NAME}/${BUILD_TAG}" BUILD_PACKAGES_PATH="build/packages" TEMPLATE_TEMP_FOLDER="tmp.elastic-package.XXXXXXXXX" From 4e8f31178f5e03d71a386411b97eb5716fbc3317 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Tue, 14 Mar 2023 22:24:21 +0100 Subject: [PATCH 36/41] Ensure files are uploaded into folders in buckets --- .buildkite/scripts/signAndPublishPackage.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index e50ee8d8c3..ca1f42ce60 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -83,8 +83,9 @@ signPackage() { local gsUtilLocation=$(google_cloud_auth_signing) + # upload zip package (trailing forward slashes are required) echo "Upload package .zip file for signing ${package} to ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH}" - gsutil cp ${package} ${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH} + gsutil cp ${package} "${INFRA_SIGNING_BUCKET_ARTIFACTS_PATH}/" echo "Trigger Jenkins job for signing package ${packageZip}" pushd ${JENKINS_TRIGGER_PATH} > /dev/null 
@@ -97,14 +98,14 @@ signPackage() { popd > /dev/null echo "Download signatures" - gsutil cp ${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}/${packageZip}.asc ${BUILD_PACKAGES_PATH} + gsutil cp "${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}/${packageZip}.asc" "${BUILD_PACKAGES_PATH}" echo "Rename asc to sig" for f in $(ls ${BUILD_PACKAGES_PATH}/*.asc); do mv "$f" "${f%.asc}.sig" done - ls -l ${BUILD_PACKAGES_PATH} + ls -l "${BUILD_PACKAGES_PATH}" echo "Removing temporal location ${gsUtilLocation}" rm -r "${gsUtilLocation}" @@ -117,19 +118,19 @@ publishPackage() { # create file with credentials local gsUtilLocation=$(google_cloud_auth_publishing) - # upload files + # upload files (trailing forward slashes are required) echo "Upload package .zip file ${package} to ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}" - gsutil cp ${package} ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} + gsutil cp ${package} "${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/" echo "Upload package .sig file ${package}.sig to ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}" - gsutil cp ${package}.sig ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH} + gsutil cp ${package}.sig "${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/" echo "Trigger Jenkins job for publishing package ${packageZip}" pushd ${JENKINS_TRIGGER_PATH} > /dev/null go run main.go \ --jenkins-job publish \ - --package ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/${packageZip} \ - --signature ${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/${packageZip}.sig + --package "${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/${packageZip}" \ + --signature "${PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH}/${packageZip}.sig" sleep 5 
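Review bot: Nothing in this part of `signPackage` checks the downloaded `.asc` against the package before it is renamed to `.sig` and later uploaded by `publishPackage`, so a stale or mismatched object under `${INFRA_SIGNING_BUCKET_SIGNED_ARTIFACTS_PATH}` would be published as the signature. A `gpg --verify "${BUILD_PACKAGES_PATH}/${packageZip}.asc" "${package}"` against the expected public key, placed right after the download, would catch that; the function continues outside the hunk, so this may already happen elsewhere. The rename loop still iterates over `$(ls ${BUILD_PACKAGES_PATH}/*.asc)`, which breaks on paths with spaces; `for f in "${BUILD_PACKAGES_PATH}"/*.asc; do` is the glob form.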
@@ -143,11 +144,11 @@ publishPackage() { with_go # download package artifact from previous step -mkdir -p ${BUILD_PACKAGES_PATH} +mkdir -p "${BUILD_PACKAGES_PATH}" buildkite-agent artifact download "${BUILD_PACKAGES_PATH}/*.zip" --step build-package . echo "Show artifacts downloaded from previous step ${BUILD_PACKAGES_PATH}" -ls -l ${BUILD_PACKAGES_PATH} +ls -l "${BUILD_PACKAGES_PATH}" for package in $(ls ${BUILD_PACKAGES_PATH}/*.zip); do echo "isAlreadyInstalled ${package}?" From a48db31744bb7cd3a72a76e543c91c0e8ba57623 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 15 Mar 2023 03:46:19 +0100 Subject: [PATCH 37/41] Rename step --- .buildkite/pipeline.package-storage-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/pipeline.package-storage-publish.yml b/.buildkite/pipeline.package-storage-publish.yml index aeab927ba2..360fba092b 100644 --- a/.buildkite/pipeline.package-storage-publish.yml +++ b/.buildkite/pipeline.package-storage-publish.yml @@ -14,7 +14,7 @@ steps: artifact_paths: - build/packages/*.zip - - label: "Test" + - label: "Sign and Publish package" key: sign-publish command: ".buildkite/scripts/signAndPublishPackage.sh" depends_on: From 7f9fb9d81bc74fe73adb410092994c63ae02cb1f Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Wed, 15 Mar 2023 18:39:45 +0100 Subject: [PATCH 38/41] Update .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go Co-authored-by: Jaime Soriano Pastor --- .buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go index 353dbb60f6..b285990ea2 100644 --- a/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go +++ b/.buildkite/scripts/triggerJenkinsJob/jenkins/jenkins.go 
@@ -98,7 +98,7 @@ func (j *JenkinsClient) getBuildFromQueueID(ctx context.Context, job *gojenkins. } func (j *JenkinsClient) waitForBuildFinished(ctx context.Context, build *gojenkins.Build) error { - waitingPeriod := 10000 * time.Millisecond + const waitingPeriod = 10000 * time.Millisecond for build.IsRunning(ctx) { log.Printf("Build still running, waiting for %s...", waitingPeriod) select { From 757ddf23628146bfc96eb9b71b5a7220e6147a3d Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 16 Mar 2023 04:45:47 +0100 Subject: [PATCH 39/41] Add base template folder variable --- .buildkite/scripts/signAndPublishPackage.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh index ca1f42ce60..911cd38282 100755 --- a/.buildkite/scripts/signAndPublishPackage.sh +++ b/.buildkite/scripts/signAndPublishPackage.sh @@ -1,16 +1,18 @@ #!/bin/bash set -euo pipefail +WORKSPACE="$(pwd)" +TMP_FOLDER_TEMPLATE_BASE="tmp.elastic-package" + cleanup() { echo "Deleting temporal files..." cd ${WORKSPACE} - rm -rf tmp.elastic-package.* + rm -rf ${TMP_FOLDER_TEMPLATE_BASE}.* echo "Done." } trap cleanup EXIT -WORKSPACE="$(pwd)" export PATH="${WORKSPACE}/bin:${PATH}" echo "Checking gsutil command..." @@ -41,7 +43,7 @@ BUILD_TAG="buildkite-${BUILDKITE_PIPELINE_SLUG}-${BUILDKITE_BUILD_NUMBER}" REPO_BUILD_TAG="${REPO_NAME}/${BUILD_TAG}" BUILD_PACKAGES_PATH="build/packages" -TEMPLATE_TEMP_FOLDER="tmp.elastic-package.XXXXXXXXX" +TMP_FOLDER_TEMPLATE="${TMP_FOLDER_TEMPLATE_BASE}.XXXXXXXXX" JENKINS_TRIGGER_PATH=".buildkite/scripts/triggerJenkinsJob" GOOGLE_CREDENTIALS_FILENAME="google-cloud-credentials.json" 
@@ -56,7 +58,7 @@ PACKAGE_STORAGE_INTERNAL_BUCKET_QUEUE_PUBLISHING_PATH="gs://elastic-bekitzur-pac google_cloud_auth_signing() { - local gsUtilLocation=$(mktemp -d -p . -t ${TEMPLATE_TEMP_FOLDER}) + local gsUtilLocation=$(mktemp -d -p . -t ${TMP_FOLDER_TEMPLATE}) local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} echo "${INTERNAL_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} @@ -67,7 +69,7 @@ google_cloud_auth_signing() { } google_cloud_auth_publishing() { - local gsUtilLocation=$(mktemp -d -p . -t ${TEMPLATE_TEMP_FOLDER}) + local gsUtilLocation=$(mktemp -d -p . -t ${TMP_FOLDER_TEMPLATE}) local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME} echo "${PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation} From 613f5c85e056d42ae443a7999b56ad603096cdc8 Mon Sep 17 00:00:00 2001 From: Mario Rodriguez Molins Date: Thu, 16 Mar 2023 05:15:21 +0100 Subject: [PATCH 40/41] Update vault paths --- .buildkite/hooks/pre-command | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index 1c121704f0..214ea18256 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command 
@@ -26,8 +26,8 @@ GCP_SERVICE_ACCOUNT_SECRET_PATH=secret/ci/elastic-elastic-package/gcp-service-ac
 AWS_SERVICE_ACCOUNT_SECRET_PATH=kv/ci-shared/platform-ingest/aws_account_auth
 GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token
 JENKINS_API_TOKEN_PATH=kv/ci-shared/platform-ingest/jenkins_api_tokens
-INTERNAL_CI_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/gcs_artifacts_credentials
-PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=secret/ci/elastic-elastic-package/package-storage-uploader
+INTERNAL_CI_GCS_CREDENTIALS_PATH=kv/ci-shared/platform-ingest/signing_packages_gcs_artifacts_credentials
+PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=kv/ci-shared/platform-ingest/package_storage_uploader
 # Secrets must be redacted
 # https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables
@@ -60,8 +60,8 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package-package-storage-publish" &&
 export JENKINS_TOKEN=$(retry 5 vault kv get -field internal_ci ${JENKINS_API_TOKEN_PATH})
 # signing job
- export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value ${INTERNAL_CI_GCS_CREDENTIALS_PATH})
+ export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field value ${INTERNAL_CI_GCS_CREDENTIALS_PATH})
 # publishing job
- export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault read -field value ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH})
+ export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field value ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH})
 fi
From fa6b28ec066ccbbba4599b29ec5159630a10d1e5 Mon Sep 17 00:00:00 2001
From: Mario Rodriguez Molins
Date: Thu, 16 Mar 2023 05:31:17 +0100
Subject: [PATCH 41/41] Rename secret var
---
 .buildkite/hooks/pre-command | 4 ++--
 .buildkite/scripts/signAndPublishPackage.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index 214ea18256..44d9ebb2ff 100644
--- a/.buildkite/hooks/pre-command
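Review bot: The two `export ..._SECRET=$(retry 5 vault kv get ...)` lines in the `@@ -60,8 +60,8 @@` hunk discard the exit status of the Vault lookup, since `export` succeeds even when the command substitution fails. If one of the new `kv/ci-shared/...` paths or the `value` field is wrong, the hook would presumably carry on with an empty credential and the error would only surface later in the signing or publishing step. Assign first and export afterwards, with the path quoted: `INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field value "${INTERNAL_CI_GCS_CREDENTIALS_PATH}")` then `export INTERNAL_CI_GCS_CREDENTIALS_SECRET`, and the same for the uploader variable. The enclosing `if` block starts outside the hunk, so whether the hook runs under `set -e` is not visible here.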
+++ b/.buildkite/hooks/pre-command
@@ -26,7 +26,7 @@ GCP_SERVICE_ACCOUNT_SECRET_PATH=secret/ci/elastic-elastic-package/gcp-service-ac
 AWS_SERVICE_ACCOUNT_SECRET_PATH=kv/ci-shared/platform-ingest/aws_account_auth
 GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token
 JENKINS_API_TOKEN_PATH=kv/ci-shared/platform-ingest/jenkins_api_tokens
-INTERNAL_CI_GCS_CREDENTIALS_PATH=kv/ci-shared/platform-ingest/signing_packages_gcs_artifacts_credentials
+SIGNING_PACKAGES_GCS_CREDENTIALS_PATH=kv/ci-shared/platform-ingest/signing_packages_gcs_artifacts_credentials
 PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH=kv/ci-shared/platform-ingest/package_storage_uploader
 # Secrets must be redacted
@@ -60,7 +60,7 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package-package-storage-publish" &&
 export JENKINS_TOKEN=$(retry 5 vault kv get -field internal_ci ${JENKINS_API_TOKEN_PATH})
 # signing job
- export INTERNAL_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field value ${INTERNAL_CI_GCS_CREDENTIALS_PATH})
+ export SIGNING_PACKAGES_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field value ${SIGNING_PACKAGES_GCS_CREDENTIALS_PATH})
 # publishing job
 export PACKAGE_UPLOADER_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field value ${PACKAGE_UPLOADER_GCS_CREDENTIALS_PATH})
diff --git a/.buildkite/scripts/signAndPublishPackage.sh b/.buildkite/scripts/signAndPublishPackage.sh
index 911cd38282..a7eccb81bb 100755
--- a/.buildkite/scripts/signAndPublishPackage.sh
+++ b/.buildkite/scripts/signAndPublishPackage.sh
@@ -61,7 +61,7 @@ google_cloud_auth_signing() {
 local gsUtilLocation=$(mktemp -d -p . -t ${TMP_FOLDER_TEMPLATE})
 local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME}
- echo "${INTERNAL_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation}
+ echo "${SIGNING_PACKAGES_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation}
 google_cloud_auth "${secretFileLocation}"