From 528cdfcb92273af877d1128fb605ebbab2eca4e4 Mon Sep 17 00:00:00 2001
From: Sayali Gaikawad <61760125+gaiksaya@users.noreply.github.com>
Date: Thu, 21 Jul 2022 14:13:44 -0700
Subject: [PATCH] Move clubbed secrets to individual secrets (#2356)
* Move clubbed secrets to individual secrets
Signed-off-by: Sayali Gaikawad
---
 ...data-prepper-all-artifacts.jenkinsfile.txt | 40 +++++-----
 .../maven-sign-release.jenkinsfile.txt | 20 ++---
 .../sign-standalone-artifacts.jenkinsfile.txt | 20 ++---
 .../jobs/AssembleManifest_rpm_Jenkinsfile.txt | 18 +++--
 ...ArtifactsQualifier_actions_Jenkinsfile.txt | 40 +++++-----
 ...ions_OpenSearch_Dashboards_Jenkinsfile.txt | 40 +++++-----
 .../PromoteArtifacts_actions_Jenkinsfile.txt | 60 +++++++-------
 ...ions_OpenSearch_Dashboards_Jenkinsfile.txt | 40 +++++-----
 .../jobs/PromoteYumRepos_Jenkinsfile.txt | 20 ++---
 .../jobs/SignArtifacts_Jenkinsfile.txt | 58 +++++++-------
 .../lib-testers/SignArtifactsLibTester.groovy | 16 ----
 vars/signArtifacts.groovy | 80 +++++++++++--------
 12 files changed, 228 insertions(+), 224 deletions(-)
diff --git a/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt b/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt
index 9f145a8c14..dfa4aa6201 100644
--- a/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt
+++ b/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt
@@ -22,19 +22,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 /tmp/workspace/sign.sh /tmp/workspace/archive --sigtype=.sig --platform=linux
 )
 release-data-prepper-all-artifacts.stage(Release Archives to Production Distribution Bucket, groovy.lang.Closure)
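Review bot: The new side drops the `export PROFILE_IDENTIFIER=null` and `export PLATFORM_IDENTIFIER=null` lines without any replacement, so if sign.sh reads either variable it now sees it unset instead of the literal string `null`. That is probably an improvement (exporting the string `null` looks like a leftover of the readJSON config path), but neither the commit message nor the fixture records the intent, and the library change in vars/signArtifacts.groovy that produces these fixtures is outside this chunk. The same pattern repeats in the second data-prepper hunk and in the maven-sign-release, sign-standalone-artifacts, PromoteArtifactsQualifier, PromoteArtifacts (OpenSearch and Dashboards) and PromoteYumRepos fixtures on this page. A short comment beside the exports in vars/signArtifacts.groovy, e.g. `// PROFILE_IDENTIFIER/PLATFORM_IDENTIFIER intentionally no longer exported - TODO confirm sign.sh defaults`, would make the change reviewable.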
@@ -98,19 +98,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 /tmp/workspace/sign.sh /tmp/workspace/maven --type=maven --platform=linux
 )
 release-data-prepper-all-artifacts.stage(Upload Artifacts to Sonatype, groovy.lang.Closure)
diff --git a/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt b/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt
index 2da3f0658d..0dce765910 100644
--- a/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt
+++ b/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt
@@ -19,19 +19,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 /tmp/workspace/sign.sh /tmp/workspace/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml --type=maven --platform=linux
 )
 maven-sign-release.stage(stage maven artifacts, groovy.lang.Closure)
diff --git a/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt b/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt
index c9950f67ec..5ec87c3e98 100644
--- a/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt
+++ b/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt
@@ -15,19 +15,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux
 )
 sign-standalone-artifacts.uploadToS3({sourcePath=/tmp/workspace/artifacts, bucket=dummy_bucket_name, path=sign_artifacts_job/dummy/upload/path/20/dist/signed})
diff --git a/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt b/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt
index cbb7ce7ede..d6f1a60de6 100644
--- a/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt
@@ -13,11 +13,13 @@
 BuildManifest.getArtifactRootUrlWithoutDistribution(https://ci.opensearch.org/dbc, vars-build, 123)
 assembleManifest.sh(./assemble.sh "tests/data/opensearch-build-1.3.0-rpm.yml" --base-url https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64)
 assembleManifest.signArtifacts({artifactPath=rpm/dist/opensearch, sigtype=.rpm, platform=linux})
- signArtifacts.string({credentialsId=jenkins-rpm-signing-props, variable=configs})
- signArtifacts.withCredentials([configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-rpm-signing-account-number, variable=RPM_SIGNING_ACCOUNT_NUMBER})
+ signArtifacts.string({credentialsId=jenkins-rpm-signing-passphrase-secrets-arn, variable=RPM_SIGNING_PASSPHRASE_SECRETS_ARN})
+ signArtifacts.string({credentialsId=jenkins-rpm-signing-secret-key-secrets-arn, variable=RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN})
+ signArtifacts.string({credentialsId=jenkins-rpm-signing-key-id, variable=RPM_SIGNING_KEY_ID})
+ signArtifacts.withCredentials([RPM_SIGNING_ACCOUNT_NUMBER, RPM_SIGNING_PASSPHRASE_SECRETS_ARN, RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN, RPM_SIGNING_KEY_ID], groovy.lang.Closure)
 signArtifacts.echo(RPM Add Sign)
- signArtifacts.withAWS({role=jenkins-prod-rpm-signing-assume-role, roleAccount=1234, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
+ signArtifacts.withAWS({role=jenkins-prod-rpm-signing-assume-role, roleAccount=RPM_SIGNING_ACCOUNT_NUMBER, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
 signArtifacts.sh(
 set -e
 set +x
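Review bot: The variable bound from `jenkins-rpm-signing-secret-key-secrets-arn` is named `RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN`, but what it carries is the ARN of the secret holding the private key material itself (its SecretBinary is piped into `gpg --import` in the next hunk), while the key ID is a separate credential bound as `RPM_SIGNING_KEY_ID`. The stray `_ID_` makes the two easy to confuse when the script is edited later; `variable=RPM_SIGNING_SECRET_KEY_SECRETS_ARN` would match both the credential id and the usage. The rename has to be made in vars/signArtifacts.groovy, which is outside this chunk, with the fixture regenerated afterwards. The account number is now also a bound credential, so Jenkins will mask it in the console log; that is harmless but worth knowing when a failed `withAWS` assume-role has to be diagnosed.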
@@ -57,8 +59,8 @@
 echo "------------------------------------------------------------------------"
 echo "Import OpenSearch keys"
- aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::123456" | jq -r .SecretBinary | base64 --decode > passphrase
- aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::56789" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -
+ aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_PASSPHRASE_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode > passphrase
+ aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -
 echo "------------------------------------------------------------------------"
 echo "Start Signing Rpm"
@@ -85,8 +87,8 @@
 echo "------------------------------------------------------------------------"
 echo "Clean up gpg"
- gpg --batch --yes --delete-secret-keys abcd1234
- gpg --batch --yes --delete-keys abcd1234
+ gpg --batch --yes --delete-secret-keys RPM_SIGNING_KEY_ID
+ gpg --batch --yes --delete-keys RPM_SIGNING_KEY_ID
 rm -v passphrase
 )
diff --git a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt
index a0225a6b39..3406463300 100644
--- a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt
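Review bot: The passphrase fetched from Secrets Manager is written in clear to a `passphrase` file in the working directory and the private key is imported into the agent's keyring, but both are only removed by the `gpg --delete-secret-keys` / `rm -v passphrase` lines at the very end of the script (the second hunk on this line); with `set -e` in effect, any failure between import and cleanup leaves the passphrase file and the secret key behind on the agent. The cleanup should run on every exit path, e.g. an EXIT trap installed right after the import along the lines of `trap 'rm -f passphrase' EXIT`, with the two `gpg --batch --yes --delete-*` calls moved into the same trap. Both hunks are regenerated fixtures, so the change belongs in the script template in vars/signArtifacts.groovy, which is outside this chunk. The shell block containing these lines starts and ends outside the hunks.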
@@ -38,19 +38,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
@@ -76,19 +76,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
diff --git a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt
index 69d8395a15..eb5d38293f 100644
--- a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt
@@ -38,19 +38,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
@@ -76,19 +76,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
diff --git a/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt
index 0041f2d35b..4c85171470 100644
--- a/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt
@@ -41,19 +41,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/artifacts/tar/vars-build/1.3.0/33/linux/x64/tar/builds/opensearch/core-plugins --sigtype=.sig
 )
 promoteArtifacts.println(Signing Core/Bundle Artifacts)
@@ -70,19 +70,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
@@ -128,19 +128,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
diff --git a/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt
index 312e8e8d4b..8e05a891a0 100644
--- a/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt
@@ -38,19 +38,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
@@ -76,19 +76,19 @@
 signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
 signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
 signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
- signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs})
- signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure)
- signArtifacts.readJSON({text=configs})
+ signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE})
+ signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID})
+ signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET})
+ signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET})
+ signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure)
 signArtifacts.sh(
 #!/bin/bash
 set +x
- export ROLE=dummy_role
- export EXTERNAL_ID=dummy_ID
- export UNSIGNED_BUCKET=dummy_unsigned_bucket
- export SIGNED_BUCKET=dummy_signed_bucket
- export PROFILE_IDENTIFIER=null
- export PLATFORM_IDENTIFIER=null
-
+ export ROLE=SIGNER_CLIENT_ROLE
+ export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID
+ export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET
+ export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET
+
 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
 )
 promoteArtifacts.withAWS({role=ARTIFACT_PROMOTION_ROLE_NAME, roleAccount=AWS_ACCOUNT_ARTIFACT, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
diff --git a/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt
index 21175d5bb4..f752f82494 100644
--- a/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt
@@ -49,19 +49,19 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure) - signArtifacts.readJSON({text=configs}) + signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE}) + signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID}) + signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET}) + signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_role - export EXTERNAL_ID=dummy_ID - export UNSIGNED_BUCKET=dummy_unsigned_bucket - export SIGNED_BUCKET=dummy_signed_bucket - export PROFILE_IDENTIFIER=null - export PLATFORM_IDENTIFIER=null - + export ROLE=SIGNER_CLIENT_ROLE + export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID + export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET + export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET + /tmp/workspace/sign.sh /tmp/workspace/artifacts/releases/bundle/opensearch/1.x/yum/repodata/repomd.pom --sigtype=.sig --platform=linux ) promoteYumRepos.sh( diff --git a/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt b/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt index b3e2726907..6ef8ada6f2 100644 
--- a/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt
@@ -9,27 +9,29 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure) - signArtifacts.readJSON({text=configs}) + signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE}) + signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID}) + signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET}) + signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_role - export EXTERNAL_ID=dummy_ID - export UNSIGNED_BUCKET=dummy_unsigned_bucket - export SIGNED_BUCKET=dummy_signed_bucket - export PROFILE_IDENTIFIER=null - export PLATFORM_IDENTIFIER=null - + export ROLE=SIGNER_CLIENT_ROLE + export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID + export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET + export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET + /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux ) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/artifacts, sigtype=.rpm, platform=linux}) - signArtifacts.string({credentialsId=jenkins-rpm-signing-props, variable=configs}) - signArtifacts.withCredentials([configs], groovy.lang.Closure) - 
signArtifacts.readJSON({text=configs}) + signArtifacts.string({credentialsId=jenkins-rpm-signing-account-number, variable=RPM_SIGNING_ACCOUNT_NUMBER}) + signArtifacts.string({credentialsId=jenkins-rpm-signing-passphrase-secrets-arn, variable=RPM_SIGNING_PASSPHRASE_SECRETS_ARN}) + signArtifacts.string({credentialsId=jenkins-rpm-signing-secret-key-secrets-arn, variable=RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN}) + signArtifacts.string({credentialsId=jenkins-rpm-signing-key-id, variable=RPM_SIGNING_KEY_ID}) + signArtifacts.withCredentials([RPM_SIGNING_ACCOUNT_NUMBER, RPM_SIGNING_PASSPHRASE_SECRETS_ARN, RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN, RPM_SIGNING_KEY_ID], groovy.lang.Closure) signArtifacts.echo(RPM Add Sign) - signArtifacts.withAWS({role=jenkins-prod-rpm-signing-assume-role, roleAccount=null, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) + signArtifacts.withAWS({role=jenkins-prod-rpm-signing-assume-role, roleAccount=RPM_SIGNING_ACCOUNT_NUMBER, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) signArtifacts.sh( set -e set +x 
@@ -69,8 +71,8 @@ echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" - aws secretsmanager get-secret-value --region us-west-2 --secret-id "null" | jq -r .SecretBinary | base64 --decode > passphrase - aws secretsmanager get-secret-value --region us-west-2 --secret-id "null" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - + aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_PASSPHRASE_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode > passphrase + aws secretsmanager get-secret-value --region us-west-2 --secret-id "RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" @@ -97,8 +99,8 @@ echo "------------------------------------------------------------------------" echo "Clean up gpg" - gpg --batch --yes --delete-secret-keys null - gpg --batch --yes --delete-keys null + gpg --batch --yes --delete-secret-keys RPM_SIGNING_KEY_ID + gpg --batch --yes --delete-keys RPM_SIGNING_KEY_ID rm -v passphrase ) 
@@ -108,18 +110,18 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=configs}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], configs], groovy.lang.Closure) - signArtifacts.readJSON({text=configs}) + signArtifacts.string({credentialsId=jenkins-signer-client-role, variable=SIGNER_CLIENT_ROLE}) + signArtifacts.string({credentialsId=jenkins-signer-client-external-id, variable=SIGNER_CLIENT_EXTERNAL_ID}) + signArtifacts.string({credentialsId=jenkins-signer-client-unsigned-bucket, variable=SIGNER_CLIENT_UNSIGNED_BUCKET}) + signArtifacts.string({credentialsId=jenkins-signer-client-signed-bucket, variable=SIGNER_CLIENT_SIGNED_BUCKET}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_CLIENT_ROLE, SIGNER_CLIENT_EXTERNAL_ID, SIGNER_CLIENT_UNSIGNED_BUCKET, SIGNER_CLIENT_SIGNED_BUCKET], groovy.lang.Closure) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_role - export EXTERNAL_ID=dummy_ID - export UNSIGNED_BUCKET=dummy_unsigned_bucket - export SIGNED_BUCKET=dummy_signed_bucket - export PROFILE_IDENTIFIER=null - export PLATFORM_IDENTIFIER=null - + export ROLE=SIGNER_CLIENT_ROLE + export EXTERNAL_ID=SIGNER_CLIENT_EXTERNAL_ID + export UNSIGNED_BUCKET=SIGNER_CLIENT_UNSIGNED_BUCKET + export SIGNED_BUCKET=SIGNER_CLIENT_SIGNED_BUCKET + /tmp/workspace/sign.sh /tmp/workspace/file.yml --platform=linux --type=maven ) diff --git a/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy b/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy index d49aec143e..d50c3c5587 100644 --- a/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy 
+++ b/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy @@ -19,22 +19,6 @@ class SignArtifactsLibTester extends LibFunctionTester { void configure(helper, binding) { binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name') - if (this.sigtype.equals('.rpm')) { - def configs = ['account': '1234', - 'passphrase_secrets_arn': 'ARN::123456', - 'secret_key_id_secrets_arn': 'ARN::56789', - 'key_id': 'abcd1234'] - binding.setVariable('configs', configs) - helper.registerAllowedMethod('readJSON', [Map.class], { c -> configs }) - } - else { - def configs = ["role": "dummy_role", - "external_id": "dummy_ID", - "unsigned_bucket": "dummy_unsigned_bucket", - "signed_bucket": "dummy_signed_bucket"] - binding.setVariable('configs', configs) - helper.registerAllowedMethod('readJSON', [Map.class], { c -> configs }) - } helper.registerAllowedMethod('git', [Map]) helper.registerAllowedMethod('withCredentials', [Map, Closure], { args, closure -> closure.delegate = delegate diff --git a/vars/signArtifacts.groovy b/vars/signArtifacts.groovy index a5a080f0c5..4288b85fa4 100644 --- a/vars/signArtifacts.groovy +++ b/vars/signArtifacts.groovy 
@@ -16,16 +16,14 @@ SignArtifacts signs the given artifacts and saves the signature in the same dire */ void call(Map args = [:]) { if (args.sigtype.equals('.rpm')) { - withCredentials([string(credentialsId: 'jenkins-rpm-signing-props', variable: 'configs')]) { - def props = readJSON(text: configs) - def signingAccount = props['account'] - def signingPassphraseSecretsArn = props['passphrase_secrets_arn'] - def signingSecretKeyIdSecretsArn = props['secret_key_id_secrets_arn'] - def signingKeyId = props['key_id'] - + withCredentials([ + string(credentialsId: 'jenkins-rpm-signing-account-number', variable: 'RPM_SIGNING_ACCOUNT_NUMBER'), + string(credentialsId: 'jenkins-rpm-signing-passphrase-secrets-arn', variable: 'RPM_SIGNING_PASSPHRASE_SECRETS_ARN'), + string(credentialsId: 'jenkins-rpm-signing-secret-key-secrets-arn', variable: 'RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN'), + string(credentialsId: 'jenkins-rpm-signing-key-id', variable: 'RPM_SIGNING_KEY_ID')]) { echo 'RPM Add Sign' - withAWS(role: 'jenkins-prod-rpm-signing-assume-role', roleAccount: "${signingAccount}", duration: 900, roleSessionName: 'jenkins-signing-session') { + withAWS(role: 'jenkins-prod-rpm-signing-assume-role', roleAccount: "${RPM_SIGNING_ACCOUNT_NUMBER}", duration: 900, roleSessionName: 'jenkins-signing-session') { sh """ set -e set +x 
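Review bot: `roleAccount: "${RPM_SIGNING_ACCOUNT_NUMBER}"` wraps a value that withCredentials already binds as a String in a GString for no gain; `roleAccount: RPM_SIGNING_ACCOUNT_NUMBER` says the same thing and avoids the interpolation. The credential id `jenkins-rpm-signing-secret-key-secrets-arn` is bound to a variable named `RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN`, so the id and the variable disagree on whether this is the key or the key id; aligning the two names would spare the next reader a lookup. The enclosing `call` body starts and ends outside this hunk.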
@@ -63,8 +61,8 @@ void call(Map args = [:]) { echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" - aws secretsmanager get-secret-value --region us-west-2 --secret-id "${signingPassphraseSecretsArn}" | jq -r .SecretBinary | base64 --decode > passphrase - aws secretsmanager get-secret-value --region us-west-2 --secret-id "${signingSecretKeyIdSecretsArn}" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - + aws secretsmanager get-secret-value --region us-west-2 --secret-id "${RPM_SIGNING_PASSPHRASE_SECRETS_ARN}" | jq -r .SecretBinary | base64 --decode > passphrase + aws secretsmanager get-secret-value --region us-west-2 --secret-id "${RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN}" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" @@ -91,8 +89,8 @@ void call(Map args = [:]) { echo "------------------------------------------------------------------------" echo "Clean up gpg" - gpg --batch --yes --delete-secret-keys ${signingKeyId} - gpg --batch --yes --delete-keys ${signingKeyId} + gpg --batch --yes --delete-secret-keys ${RPM_SIGNING_KEY_ID} + gpg --batch --yes --delete-keys ${RPM_SIGNING_KEY_ID} rm -v passphrase """ @@ -100,7 +98,7 @@ void call(Map args = [:]) { } } else { - echo "PGP or Windows Signature Signing" + echo 'PGP or Windows Signature Signing' if (!fileExists("$WORKSPACE/sign.sh")) { git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' 
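Review bot: The credential values are interpolated by Groovy into the `sh """` script (`"${RPM_SIGNING_PASSPHRASE_SECRETS_ARN}"` and `"${RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN}"` here, `${RPM_SIGNING_KEY_ID}` in the clean-up hunk at -91), so the secret text becomes part of the generated script on the agent instead of being read from the environment variables withCredentials already exports, and Jenkins reports this pattern as insecure credential interpolation. Escaping the dollar sign leaves expansion to the shell: `--secret-id "\$RPM_SIGNING_PASSPHRASE_SECRETS_ARN"`, `--secret-id "\$RPM_SIGNING_SECRET_KEY_ID_SECRETS_ARN"`, `gpg --batch --yes --delete-secret-keys \$RPM_SIGNING_KEY_ID` (and the `--delete-keys` line likewise). The same applies to the `export ROLE=$SIGNER_WINDOWS_ROLE` / `export ROLE=$SIGNER_CLIENT_ROLE` groups in the hunk at -111, where `\$SIGNER_…` would defer expansion in the same way while `$WORKSPACE` and `${arguments}` can stay as they are. The enclosing `call` body starts and ends outside this hunk.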
@@ -111,28 +109,46 @@ void call(Map args = [:]) { String arguments = generateArguments(args) // Sign artifacts - def configSecret = args.platform == "windows" ? "jenkins-signer-windows-config" : "jenkins-signer-client-creds" - withCredentials([usernamePassword(credentialsId: "${GITHUB_BOT_TOKEN_NAME}", usernameVariable: 'GITHUB_USER', passwordVariable: 'GITHUB_TOKEN'), - string(credentialsId: configSecret, variable: 'configs')]) { - def creds = readJSON(text: configs) - def ROLE = creds['role'] - def EXTERNAL_ID = creds['external_id'] - def UNSIGNED_BUCKET = creds['unsigned_bucket'] - def SIGNED_BUCKET = creds['signed_bucket'] - def PROFILE_IDENTIFIER = creds['profile_identifier'] - def PLATFORM_IDENTIFIER = creds['platform_identifier'] - sh """ + // def configSecret = args.platform == "windows" ? "jenkins-signer-windows-config" : "jenkins-signer-client-creds" + if (args.platform == 'windows') { + withCredentials([usernamePassword(credentialsId: "${GITHUB_BOT_TOKEN_NAME}", usernameVariable: 'GITHUB_USER', passwordVariable: 'GITHUB_TOKEN'), + string(credentialsId: 'jenkins-signer-windows-role', variable: 'SIGNER_WINDOWS_ROLE'), + string(credentialsId: 'jenkins-signer-windows-external-id', variable: 'SIGNER_WINDOWS_EXTERNAL_ID'), + string(credentialsId: 'jenkins-signer-windows-unsigned-bucket', variable: 'SIGNER_WINDOWS_UNSIGNED_BUCKET'), + string(credentialsId: 'jenkins-signer-windows-signed-bucket', variable: 'SIGNER_WINDOWS_SIGNED_BUCKET'), + string(credentialsId: 'jenkins-signer-windows-profile-identifier', variable: 'SIGNER_WINDOWS_PROFILE_IDENTIFIER'), + string(credentialsId: 'jenkins-signer-windows-platform-identifier', variable: 'SIGNER_WINDOWS_PLATFORM_IDENTIFIER')]) { + sh """ + #!/bin/bash + set +x + export ROLE=$SIGNER_WINDOWS_ROLE + export EXTERNAL_ID=$SIGNER_WINDOWS_EXTERNAL_ID + export UNSIGNED_BUCKET=$SIGNER_WINDOWS_UNSIGNED_BUCKET + export SIGNED_BUCKET=$SIGNER_WINDOWS_SIGNED_BUCKET + export PROFILE_IDENTIFIER=$SIGNER_WINDOWS_PROFILE_IDENTIFIER + 
export PLATFORM_IDENTIFIER=$SIGNER_WINDOWS_PLATFORM_IDENTIFIER + + $WORKSPACE/sign.sh ${arguments} + """ + } + } + else { + withCredentials([usernamePassword(credentialsId: "${GITHUB_BOT_TOKEN_NAME}", usernameVariable: 'GITHUB_USER', passwordVariable: 'GITHUB_TOKEN'), + string(credentialsId: 'jenkins-signer-client-role', variable: 'SIGNER_CLIENT_ROLE'), + string(credentialsId: 'jenkins-signer-client-external-id', variable: 'SIGNER_CLIENT_EXTERNAL_ID'), + string(credentialsId: 'jenkins-signer-client-unsigned-bucket', variable: 'SIGNER_CLIENT_UNSIGNED_BUCKET'), + string(credentialsId: 'jenkins-signer-client-signed-bucket', variable: 'SIGNER_CLIENT_SIGNED_BUCKET')]) { + sh """ #!/bin/bash set +x - export ROLE=$ROLE - export EXTERNAL_ID=$EXTERNAL_ID - export UNSIGNED_BUCKET=$UNSIGNED_BUCKET - export SIGNED_BUCKET=$SIGNED_BUCKET - export PROFILE_IDENTIFIER=$PROFILE_IDENTIFIER - export PLATFORM_IDENTIFIER=$PLATFORM_IDENTIFIER - + export ROLE=$SIGNER_CLIENT_ROLE + export EXTERNAL_ID=$SIGNER_CLIENT_EXTERNAL_ID + export UNSIGNED_BUCKET=$SIGNER_CLIENT_UNSIGNED_BUCKET + export SIGNED_BUCKET=$SIGNER_CLIENT_SIGNED_BUCKET + $WORKSPACE/sign.sh ${arguments} """ + } } } } @@ -142,7 +158,7 @@ String generateArguments(args) { // artifactPath is mandatory and the first argument String arguments = artifactPath // generation command line arguments - args.each { key, value -> arguments += " --${key }=${value }"} + args.each { key, value -> arguments += " --${key }=${value }" } return arguments }
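Review bot: The commented-out `// def configSecret = args.platform == "windows" ? "jenkins-signer-windows-config" : "jenkins-signer-client-creds"` line is dead code that keeps the two retired credential ids alive in the source; now that the `if (args.platform == 'windows')` branch selects the bindings directly it should be deleted rather than parked. The two branches repeat the `usernamePassword` binding and the whole script body, differing only in the credential ids and the two extra `PROFILE_IDENTIFIER`/`PLATFORM_IDENTIFIER` exports, so a later fix to one branch is likely to miss the other. Note also that the non-Windows branch no longer exports `PROFILE_IDENTIFIER` and `PLATFORM_IDENTIFIER` at all, whereas the removed code always exported them (as null when absent); whether `sign.sh` tolerates their absence is not visible here and is worth confirming. The enclosing `call` body begins outside this hunk.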