-
Notifications
You must be signed in to change notification settings - Fork 482
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Source binaries for linux artifacts from docker images #4491
Changes from 1 commit
62586ba
ebd9d26
07ca5e8
2653584
e809013
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
REPODIR=$(git rev-parse --show-toplevel) | ||
|
||
TAG=${TAG:-$(git log -n1 --pretty=%h)} | ||
OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"} | ||
|
||
TARCMD=tar | ||
if [[ $(uname -s) == "Darwin" ]]; then | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: Since this script is only invoked for Linux artifact builds, I think this can be removed. Otherwise if this is meant to handle macOS builds too, we should rename this file and fix the invocation in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This was mostly for test convenience. As a developer it was convenient to build the linux artifacts from my box instead of spinning up yet-another-container. I'm ok removing it 🤷 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm inclined to keep it as is to make the developer experience easier. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In that case, it makes sense to keep, but since it's just for dev purposes, I would suggest adding a comment to clarify that. |
||
# When building linux artifacts from darwin, gtar is required. | ||
TARCMD="gtar" | ||
fi | ||
|
||
TAROPTS=("--owner=root" "--group=root") | ||
|
||
TMPDIR=$(mktemp -d) | ||
cleanup() { | ||
rm -rf "${TMPDIR}" | ||
} | ||
trap cleanup EXIT | ||
|
||
azdagron marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
copy_binary_from_multiarch_tar() { | ||
local arch=$1 | ||
local binary=$2 | ||
local destdir=$3 | ||
|
||
local srcpath="/opt/spire/bin/${binary}" | ||
local destpath="${destdir}/${binary}" | ||
local ocidir="ocidir://${TMPDIR}/${arch}/oci/${binary}" | ||
local imagetar="${REPODIR}/${binary}-image.tar" | ||
local platform="linux/${arch}" | ||
|
||
echo "Importing multiarch image ${imagetar}..." | ||
regctl image import "${ocidir}" "${imagetar}" | ||
|
||
echo "Copying ${srcpath} for platform ${platform}..." | ||
regctl image get-file "${ocidir}" "${srcpath}" "${destpath}" -p "${platform}" | ||
|
||
# file does not retain permission bits, so fix up the executable bit. | ||
chmod +x "${destpath}" | ||
} | ||
|
||
build_artifact() { | ||
ARCH="$1" | ||
rturner3 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
ARTIFACT="${OUTDIR}/spire-${TAG}-linux-${ARCH}-musl.tar.gz" | ||
CHECKSUM="${OUTDIR}/spire-${TAG}-linux-${ARCH}-musl_sha256sum.txt" | ||
|
||
EXTRAS_ARTIFACT="${OUTDIR}/spire-extras-${TAG}-linux-${ARCH}-musl.tar.gz" | ||
EXTRAS_CHECKSUM="${OUTDIR}/spire-extras-${TAG}-linux-${ARCH}-musl_sha256sum.txt" | ||
|
||
TARDIR="${TMPDIR}/${ARCH}/tar" | ||
mkdir -p "${TARDIR}" | ||
rturner3 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
STAGING="${TARDIR}"/spire/spire-${TAG} | ||
EXTRAS_STAGING="${TARDIR}"/spire-extras/spire-extras-${TAG} | ||
mkdir -p "${STAGING}" "${EXTRAS_STAGING}" | ||
|
||
echo "Creating \"${ARTIFACT}\" and \"${EXTRAS_ARTIFACT}\"" | ||
|
||
# Copy in the contents under release/ | ||
cp -r "${REPODIR}"/release/posix/spire/* "${STAGING}" | ||
cp -r "${REPODIR}"/release/posix/spire-extras/* "${EXTRAS_STAGING}" | ||
|
||
# Copy in the LICENSE | ||
cp "${REPODIR}"/LICENSE "${STAGING}" | ||
cp "${REPODIR}"/LICENSE "${EXTRAS_STAGING}" | ||
|
||
# Copy in the SPIRE binaries from the docker images: | ||
# 1. import the image from the multiarch tarball into the OCI directory | ||
mkdir -p "${STAGING}"/bin "${EXTRAS_STAGING}"/bin | ||
copy_binary_from_multiarch_tar "$ARCH" "spire-server" "${STAGING}/bin" | ||
copy_binary_from_multiarch_tar "$ARCH" "spire-agent" "${STAGING}/bin" | ||
copy_binary_from_multiarch_tar "$ARCH" "oidc-discovery-provider" "${EXTRAS_STAGING}/bin" | ||
|
||
mkdir -p "${OUTDIR}" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: can we consolidate some of these |
||
|
||
# Create the tarballs and checksums | ||
(cd "${TARDIR}/spire"; ${TARCMD} -cvzf "${ARTIFACT}" "${TAROPTS[@]}" -- *) | ||
(cd "${TARDIR}/spire-extras"; ${TARCMD} -cvzf "${EXTRAS_ARTIFACT}" "${TAROPTS[@]}" -- *) | ||
|
||
(cd "$(dirname "${ARTIFACT}")"; shasum -a 256 "$(basename "${ARTIFACT}")" > "${CHECKSUM}" ) | ||
(cd "$(dirname "${EXTRAS_ARTIFACT}")"; shasum -a 256 "$(basename "${EXTRAS_ARTIFACT}")" > "${EXTRAS_CHECKSUM}" ) | ||
} | ||
|
||
command -v regctl >/dev/null 2>&1 || { echo -e "The regctl cli is required to run this script." >&2 ; exit 1; } | ||
command -v "${TARCMD}" >/dev/null 2>&1 || { echo -e "The ${TARCMD} command is required to run this script." >&2 ; exit 1; } | ||
|
||
build_artifact amd64 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: just for readability, could define a There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. that's what the old code did and i found it less readable putting in all the looping stuff and array declaration to handle two elements :) |
||
build_artifact arm64 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
REPODIR=$(git rev-parse --show-toplevel) | ||
BINDIR="${REPODIR}/bin" | ||
|
||
TAG=${TAG:-$(git log -n1 --pretty=%h)} | ||
OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"} | ||
|
||
ARCH=amd64 | ||
|
||
ARTIFACT="${OUTDIR}/spire-${TAG}-windows-${ARCH}.zip" | ||
CHECKSUM="${OUTDIR}/spire-${TAG}-windows-${ARCH}_sha256sum.txt" | ||
|
||
EXTRAS_ARTIFACT="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}.zip" | ||
EXTRAS_CHECKSUM="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}_sha256sum.txt" | ||
|
||
TMPDIR=$(mktemp -d) | ||
cleanup() { | ||
rm -rf "${TMPDIR}" | ||
} | ||
trap cleanup EXIT | ||
|
||
STAGING="${TMPDIR}"/spire/spire-${TAG} | ||
EXTRAS_STAGING="${TMPDIR}"/spire-extras/spire-extras-${TAG} | ||
mkdir -p "${STAGING}" "${EXTRAS_STAGING}" | ||
|
||
echo "Creating \"${ARTIFACT}\" and \"${EXTRAS_ARTIFACT}\"" | ||
|
||
# Copy in the contents under release/ | ||
cp -r "${REPODIR}"/release/windows/spire/* "${STAGING}" | ||
cp -r "${REPODIR}"/release/windows/spire-extras/* "${EXTRAS_STAGING}" | ||
|
||
# Copy in the LICENSE | ||
cp "${REPODIR}"/LICENSE "${STAGING}" | ||
cp "${REPODIR}"/LICENSE "${EXTRAS_STAGING}" | ||
|
||
# Copy in the SPIRE binaries | ||
mkdir -p "${STAGING}"/bin "${EXTRAS_STAGING}"/bin | ||
cp "${BINDIR}"/spire-server.exe "${STAGING}"/bin | ||
cp "${BINDIR}"/spire-agent.exe "${STAGING}"/bin | ||
cp "${BINDIR}"/oidc-discovery-provider.exe "${EXTRAS_STAGING}"/bin | ||
|
||
mkdir -p "${OUTDIR}" | ||
|
||
(cd "${TMPDIR}/spire"; zip -rv "${ARTIFACT}" -- *) | ||
(cd "${TMPDIR}/spire-extras"; zip -rv "${EXTRAS_ARTIFACT}" -- *) | ||
|
||
(cd "$(dirname "${ARTIFACT}")"; CertUtil -hashfile "$(basename "${ARTIFACT}")" SHA256 > "${CHECKSUM}") | ||
(cd "$(dirname "${EXTRAS_ARTIFACT}")"; CertUtil -hashfile "$(basename "${EXTRAS_ARTIFACT}")" SHA256 > "${EXTRAS_CHECKSUM}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we pin to a versioned commit? Looks like the latest version is v1.2.8. I see we are pinning to
main
in other places too, so not something we would need to handle in this PR.I suspect we will also run into problems with dependabot with this dependency because it isn't generating GitHub releases. Perhaps we can create an issue in that project similar to msys2/setup-msys2#327.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We tried to move the regctl stuff forward at some point but ran into some breaking changes. I think this is worth exploring at another time.