First iteration on secret management

This commit is contained in:
Quentin 2023-03-16 09:34:04 +01:00
parent c36a4527c0
commit 71cf9a125e
Signed by: quentin
GPG key ID: E9602264D639FF68
3 changed files with 15 additions and 7 deletions


@ -3,4 +3,5 @@
set -euxo pipefail
go build
cat $SECRET_PATH
echo "done" >&2
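Review bot: `cat $SECRET_PATH` on the new line writes the secret file's contents to the build's stdout, and because `set -euxo pipefail` two lines above enables `-x`, the command itself is echoed too, so whatever the secret holds ends up verbatim in the job log for anyone with log access. If the goal is only to confirm the secret was mounted, `test -s "$SECRET_PATH"` (or `ls -l "$SECRET_PATH"`) proves presence and size without disclosing the value; if the content is genuinely needed, read it into a variable under `set +x` and never print it. Quoting the expansion also avoids word-splitting if the path ever contains spaces. The page does not show this file's name, so this assumes it is the script executed by the builder job.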


@ -1,11 +1,14 @@
{
"ref": "refs/heads/main",
"after": "d5b22924745b8ea9fb5618e45cb78d1a2f61734b",
"after": "c36a4527c06f0cbea1d4441f859265a73da04cca",
"repository": {
"owner": {
"username": "quentin"
},
"name": "albatros",
"clone_url": "https://git.deuxfleurs.fr/quentin/albatros.git"
},
"sender": {
"username": "quentin"
}
}

main.go

@ -8,6 +8,7 @@ import (
"github.com/caarlos0/env/v7"
consul "github.com/hashicorp/consul/api"
nomad "github.com/hashicorp/nomad/api"
"golang.org/x/exp/slices"
"io"
"log"
"net/http"
@ -115,7 +116,7 @@ func notifSummary(notification *GiteaNotification) string {
func lifecycle(notification *GiteaNotification, dispatch *nomad.JobDispatchResponse, giteaCreds *SecretGitea) {
notifInfo := notifSummary(notification)
log.Printf("[lifecyle] Commit to build: %s, Gitea URL: %s\n", notifInfo, giteaCreds.Url)
log.Printf("[lifecycle] Commit to build: %s, Gitea URL: %s\n", notifInfo, giteaCreds.Url)
// init Gitea
forge, err := gitea.NewClient(giteaCreds.Url, gitea.SetToken(giteaCreds.Token))
if err != nil {
@ -239,19 +240,22 @@ func hook(w http.ResponseWriter, r *http.Request) {
"BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""),
}
// @FIXME logic on how to inject secrets securely
// 1. Check senders
// 2. Transform the consul object into a nomad payload
// Check sender
payload := []byte{}
if slices.Contains(repoDesc.Trusted.Senders, notification.Sender.Username) {
log.Printf("Trusted build of %s as %s in the list of allowed senders, inject secrets\n", notifInfo, notification.Sender.Username)
// Write payload
payload = []byte(repoDesc.Inject)
}
jobs := NomadClient.Jobs()
dres, _, err := jobs.Dispatch("builder", meta, []byte{}, "albatros", &nomad.WriteOptions{})
dres, _, err := jobs.Dispatch("builder", meta, payload, "albatros", &nomad.WriteOptions{})
if err != nil {
http.Error(w, "Can't submit your job to Nomad", http.StatusInternalServerError)
}
log.Printf("Created job %s for %s\n", dres.DispatchedJobID, notifInfo)
// Start a lifecycle observer to update gitea status
// @FIXME: need to inject gitea descriptor
go lifecycle(&notification, dres, &repoDesc.Gitea)
io.WriteString(w, dres.DispatchedJobID)
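Review bot: The trusted-sender gate on the `slices.Contains(repoDesc.Trusted.Senders, notification.Sender.Username)` line decides whether `repoDesc.Inject` is handed to the dispatched job, but `notification.Sender.Username` is just a field of the JSON body the hook received; unless `hook` validates the webhook's shared secret or HMAC signature earlier in the function (its start is outside this hunk), any client that can reach the endpoint can claim a listed username and have the secrets injected. That authentication, or an explicit check that it already happened, should precede this branch, and a comment such as `// Secrets are injected only for senders listed in Trusted.Senders; this relies on the webhook having been authenticated above` would record the dependency for the next reader. Separately, the `http.Error` on the dispatch failure still falls through to `dres.DispatchedJobID` with a nil `dres`; add `return` after the `http.Error` call.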