forked from opensearch-project/opensearch-build
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathAssembleManifest_rpm_Jenkinsfile.txt
106 lines (91 loc) · 6.82 KB
/
AssembleManifest_rpm_Jenkinsfile.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
AssembleManifest_rpm_Jenkinsfile.run()
AssembleManifest_rpm_Jenkinsfile.legacySCM(groovy.lang.Closure)
AssembleManifest_rpm_Jenkinsfile.library({identifier=jenkins@20211123, retriever=null})
AssembleManifest_rpm_Jenkinsfile.pipeline(groovy.lang.Closure)
AssembleManifest_rpm_Jenkinsfile.echo(Executing on agent [label:none])
AssembleManifest_rpm_Jenkinsfile.stage(assembleManifest rpm, groovy.lang.Closure)
AssembleManifest_rpm_Jenkinsfile.script(groovy.lang.Closure)
AssembleManifest_rpm_Jenkinsfile.assembleManifest({buildManifest=tests/data/opensearch-build-1.3.0-rpm.yml})
assembleManifest.legacySCM(groovy.lang.Closure)
assembleManifest.library({identifier=jenkins@20211123, retriever=null})
assembleManifest.readYaml({file=tests/data/opensearch-build-1.3.0-rpm.yml})
BuildManifest.asBoolean()
BuildManifest.getArtifactRootUrlWithoutDistribution(https://ci.opensearch.org/dbc, vars-build, 123)
assembleManifest.sh(./assemble.sh "tests/data/opensearch-build-1.3.0-rpm.yml" --base-url https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64)
assembleManifest.signArtifacts({artifactPath=rpm/dist/opensearch, sigtype=.rpm, platform=linux})
signArtifacts.echo(RPM Add Sign)
signArtifacts.withAWS({role=sign_asm_role, roleAccount=sign_asm_account, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-pass-id, variable=SIGNING_PASS_ID})
signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-secret-id, variable=SIGNING_SECRET_ID})
signArtifacts.withCredentials([SIGNING_PASS_ID, SIGNING_SECRET_ID], groovy.lang.Closure)
signArtifacts.sh(
set -e
set +x
ARTIFACT_PATH="rpm/dist/opensearch"
echo "------------------------------------------------------------------------"
echo "Check Utility Versions"
gpg_version_requirement="2.2.0"
rpm_version_requirement="4.13.0" # https://bugzilla.redhat.com/show_bug.cgi?id=227632
gpg_version_check=`gpg --version | head -n 1 | grep -oE '[0-9.]+'`
gpg_version_check_final=`echo $gpg_version_check $gpg_version_requirement | tr ' ' '
' | sort -V | head -n 1`
rpm_version_check=`rpm --version | head -n 1 | grep -oE '[0-9.]+'`
rpm_version_check_final=`echo $rpm_version_check $rpm_version_requirement | tr ' ' '
' | sort -V | head -n 1`
echo -e "gpg_version_requirement gpg_version_check"
echo -e "$gpg_version_requirement $gpg_version_check"
echo -e "rpm_version_requirement rpm_version_check"
echo -e "$rpm_version_requirement $rpm_version_check"
if [[ $gpg_version_requirement = $gpg_version_check_final ]] && [[ $rpm_version_requirement = $rpm_version_check_final ]]; then
echo "Utility version is equal or greater than set limit, continue."
else
echo "Utility version is lower than set limit, exit 1"
exit 1
fi
export GPG_TTY=`tty`
echo "------------------------------------------------------------------------"
echo "Setup RPM Macros"
cp -v scripts/pkg/sign_templates/rpmmacros ~/.rpmmacros
sed -i "s/##key_name##/OpenSearch project/g;s/##passphrase_name##/passphrase/g" ~/.rpmmacros
echo "------------------------------------------------------------------------"
echo "Import OpenSearch keys"
aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_PASS_ID" | jq -r .SecretBinary | base64 --decode > passphrase
aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_SECRET_ID" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -
echo "------------------------------------------------------------------------"
echo "Start Signing Rpm"
if file $ARTIFACT_PATH | grep -q directory; then
echo "Sign directory"
for rpm_file in `ls $ARTIFACT_PATH`; do
if file $ARTIFACT_PATH/$rpm_file | grep -q RPM; then
rpm --addsign $ARTIFACT_PATH/$rpm_file
rpm -qip $ARTIFACT_PATH/$rpm_file | grep Signature
fi
done
elif file $ARTIFACT_PATH | grep -q RPM; then
echo "Sign single rpm"
rpm --addsign $ARTIFACT_PATH
rpm -qip $ARTIFACT_PATH | grep Signature
else
echo "This is neither a directory nor a RPM pkg, exit 1"
exit 1
fi
echo "------------------------------------------------------------------------"
echo "Clean up gpg"
gpg --batch --yes --delete-secret-keys sign_asm_keyid
gpg --batch --yes --delete-keys sign_asm_keyid
rm -v passphrase
)
assembleManifest.buildYumRepo({baseUrl=https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64, buildManifest=tests/data/opensearch-build-1.3.0-rpm.yml})
buildYumRepo.legacySCM(groovy.lang.Closure)
buildYumRepo.library({identifier=jenkins@20211123, retriever=null})
buildYumRepo.readYaml({file=tests/data/opensearch-build-1.3.0-rpm.yml})
BuildManifest.asBoolean()
buildYumRepo.echo(Create yum repo metadata and repo file tests/data/opensearch-build-1.3.0-rpm.yml)
buildYumRepo.sh(createrepo "rpm/dist/opensearch")
buildYumRepo.writeFile({file=rpm/dist/opensearch/opensearch-1.3.0.staging.repo, text=[opensearch-1.3.0-123-staging]
name=OpenSearch 1.3.0 123 Staging
baseurl=https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64/rpm/dist/opensearch/
enabled=1
gpgcheck=0
autorefresh=1
type=rpm-md})