From 67a293907edfcf3f4b7e2465f77b8cda40c0834f Mon Sep 17 00:00:00 2001 From: Thanh Ha Date: Fri, 17 Aug 2018 22:15:07 -0400 Subject: [PATCH] Add sigul signing to maven-stage job Refactor the lf-sigul* macros into a new one called lf-sigul-sign-dir to be used as a one shot macro to sign a directory. Macro initializes and cleans up after itself so no need to call extra builder steps. Issue: RELENG-1071 Change-Id: I0ff965c2ef24fa7a44a114445d8a97c3176e575a Signed-off-by: Thanh Ha --- docs/jjb/lf-macros.rst | 31 ++++------------ docs/jjb/lf-maven-jobs.rst | 1 + jjb/lf-macros.yaml | 43 +++++++++++----------- jjb/lf-maven-jobs.yaml | 4 ++ .../notes/sigul-signing-f9d7389354ad6b3a.yaml | 38 +++++++++++++++++++ shell/sigul-sign-dir.sh | 17 +++++++++ 6 files changed, 88 insertions(+), 46 deletions(-) create mode 100644 releasenotes/notes/sigul-signing-f9d7389354ad6b3a.yaml create mode 100644 shell/sigul-sign-dir.sh diff --git a/docs/jjb/lf-macros.rst b/docs/jjb/lf-macros.rst index a57fac5c..c6334fda 100644 --- a/docs/jjb/lf-macros.rst +++ b/docs/jjb/lf-macros.rst @@ -187,27 +187,6 @@ Cleanup maven settings.xml configuration. This should be called at the end of any macros that calles the :ref:`lf-provide-maven-settings ` macro. -.. _provide-sigul-config: - -lf-provide-sigul-configuration ------------------------------- - -Provides sigual configuration to the Jenkins build node. - -Requires the following Config File Provider managed files in Jenkins -preconfigured. - -* sigul-config -* sigul-password -* sigul-pki - -.. _provide-sigul-config-cleanup: - -lf-provide-sigul-configuration-cleanup --------------------------------------- - -Cleanup configuration provided by `provide-sigul-config`. - lf-rtd-trigger-build -------------------- 
@@ -218,13 +197,17 @@ lf-rtd-verify ReadTheDocs verify script. -lf-sigul-install ----------------- +lf-sigul-sign-dir +----------------- -Install Sigul. +Use Sigul to sign a directory via {sign-dir}. Requires ``SIGUL_BRIDGE_IP`` configured as a global envvar. +:Required Parameters: + :sign-artifacts: Whether or not to sign artifacts with Sigul. + :sign-dir: Directory to sign. + lf-infra-provide-docker-cleanup ------------------------------- diff --git a/docs/jjb/lf-maven-jobs.rst b/docs/jjb/lf-maven-jobs.rst index 74a3e7ee..6144e050 100644 --- a/docs/jjb/lf-maven-jobs.rst +++ b/docs/jjb/lf-maven-jobs.rst @@ -297,6 +297,7 @@ directory is then used later to deploy to Nexus. :mvn-opts: Sets MAVEN_OPTS. (default: '') :mvn-params: Additional mvn parameters to pass to the cli. (default: '') :mvn-version: Version of maven to use. (default: mvn35) + :sign-artifacts: Sign artifacts with Sigul. (default: false) :stream: Keyword that can be used to represent a release code-name. Often the same as the branch. (default: master) :submodule-recursive: Whether to checkout submodules recursively. diff --git a/jjb/lf-macros.yaml b/jjb/lf-macros.yaml index 5188417a..2e3a8571 100644 --- a/jjb/lf-macros.yaml +++ b/jjb/lf-macros.yaml @@ -176,20 +176,6 @@ - file-id: '{settings-file}' variable: 'SETTINGS_FILE' -- builder: - name: lf-provide-sigul-configuration - # Push configuration files to interact with sigul - builders: - - config-file-provider: - files: - - file-id: sigul-config - variable: SIGUL_CONFIG - - file-id: sigul-password - variable: SIGUL_PASSWORD - - file-id: sigul-pki - variable: SIGUL_PKI - - shell: !include-raw: ../shell/sigul-configuration.sh - - builder: name: lf-pip-install builders: 
@@ -214,12 +200,6 @@ # DO NOT fail build if any of the above lines fail. exit 0 -- builder: - name: lf-provide-sigul-configuration-cleanup - # Clear sigul configuration files after we're done using them - builders: - - shell: !include-raw: ../shell/sigul-configuration-cleanup.sh - - builder: name: lf-rtd-trigger-build builders: @@ -239,11 +219,30 @@ - ../shell/rtd-verify.sh - builder: - name: lf-sigul-install + name: lf-sigul-sign-dir # Requires that Jenkins be configured with SIGUL_BRIDGE_IP as a global # Environment variable builders: - - shell: !include-raw: ../shell/sigul-install.sh + - conditional-step: + condition-kind: boolean-expression + condition-expression: '{sign-artifacts}' + steps: + - config-file-provider: + files: + - file-id: sigul-config + variable: SIGUL_CONFIG + - file-id: sigul-password + variable: SIGUL_PASSWORD + - file-id: sigul-pki + variable: SIGUL_PKI + - shell: !include-raw-escape: ../shell/sigul-configuration.sh + - shell: !include-raw-escape: ../shell/sigul-install.sh + - inject: + properties-content: SIGN_DIR={sign-dir} + - shell: !include-raw-escape: + - ../shell/common-variables.sh + - ../shell/sigul-sign-dir.sh + - shell: !include-raw-escape: ../shell/sigul-configuration-cleanup.sh - builder: name: lf-infra-provide-docker-cleanup diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml index c89ba5b1..78ef2f64 100644 --- a/jjb/lf-maven-jobs.yaml +++ b/jjb/lf-maven-jobs.yaml @@ -658,6 +658,7 @@ mvn-opts: '' mvn-params: '' mvn-version: mvn35 + sign-artifacts: false stream: master submodule-recursive: true @@ -707,6 +708,9 @@ - ../shell/maven-patch-release.sh - lf-maven-build: mvn-goals: '{mvn-goals}' + - lf-sigul-sign-dir: + sign-artifacts: '{sign-artifacts}' + sign-dir: '$WORKSPACE/m2repo' - lf-maven-stage - lf-provide-maven-settings-cleanup diff --git a/releasenotes/notes/sigul-signing-f9d7389354ad6b3a.yaml b/releasenotes/notes/sigul-signing-f9d7389354ad6b3a.yaml new file mode 100644 index 00000000..560ab30e --- /dev/null 
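Review bot: The credential cleanup in the new `lf-sigul-sign-dir` macro only runs on the success path. `sigul-configuration-cleanup.sh` is the last step inside the `conditional-step`, and the signing step before it runs under `set -e`, so a failed `lftools sign sigul` would normally stop the build before cleanup and leave behind whatever `sigul-configuration.sh` set up from `sigul-config`, `sigul-password` and `sigul-pki` (what those scripts write is not visible in this patch). Since the commit message says the macro cleans up after itself, I would move the cleanup somewhere that also fires on failure, such as an EXIT trap in the signing shell step or a post-build step in the job templates that use the macro. A comment above `condition-expression: '{sign-artifacts}'` would help too, e.g. `# Credentials are provisioned and signing runs only when sign-artifacts renders to true`. Separately, the release note in this patch describes activation through a `SIGN_ARTIFACTS` job parameter and its usage example omits `sign-artifacts`, which does not match the parameter this macro reads.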
+++ b/releasenotes/notes/sigul-signing-f9d7389354ad6b3a.yaml @@ -0,0 +1,38 @@ +--- +features: + - | + New macro ``lf-sigul-sign-dir`` available to sign artifacts in a provided + directory using Sigul. + + Usage: + + .. code-block:: yaml + + - lf-sigul-sign-dir: + sign-dir: '$WORKSPACE/m2repo' + + This macro also requires a boolean variable to ``SIGN_ARTIFACTS`` to be set + to true to activate the macro. We recommend the job-template that uses + this macro to define it in the job parameters section. + + Example: + + .. code-block:: yaml + + - bool: + name: SIGN_ARTIFACTS + default: '{sign-artifacts}' + description: Use Sigul to sign artifacts. + + - | + Add Sigul signing support to the maven-staging job. To activate Sigul + signing make sure to set ``sign-artifacts: true``. Example: + + .. code-block:: yaml + + - project: + name: abc + jobs: + - gerrit-maven-stage + + sign-artifacts: true diff --git a/shell/sigul-sign-dir.sh b/shell/sigul-sign-dir.sh new file mode 100644 index 00000000..8bb7beac --- /dev/null +++ b/shell/sigul-sign-dir.sh @@ -0,0 +1,17 @@ +#!/bin/bash -l +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2018 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> sigul-sign-dir.sh" + +# Ensure we fail the job if any steps fail. +set -e -o pipefail + +lftools_activate +lftools sign sigul "${SIGN_DIR}" -- 2.16.6
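Review bot: In `shell/sigul-sign-dir.sh`, `lftools sign sigul "${SIGN_DIR}"` runs without checking that `SIGN_DIR` is set and names a directory, and `set -e -o pipefail` does not catch an unset variable, so an empty value goes straight to the signing client. I would fail early before the `lftools` call with `: "${SIGN_DIR:?SIGN_DIR must be set}"` and `[ -d "${SIGN_DIR}" ] || { echo "ERROR: ${SIGN_DIR} is not a directory"; exit 1; }`. An explicit parameter check is safer than adding `-u` to the `set` line, because `lftools_activate` is defined outside this patch and may reference unset variables. A short header comment listing the inputs the script expects (`SIGN_DIR` from the macro's inject step, plus the sigul configuration provisioned by the earlier steps) would also make the contract clear.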