First iteration on secret management

This commit is contained in:
Quentin 2023-03-16 09:34:04 +01:00
parent c36a4527c0
commit 71cf9a125e
Signed by: quentin
GPG key ID: E9602264D639FF68
3 changed files with 15 additions and 7 deletions


@ -3,4 +3,5 @@
set -euxo pipefail set -euxo pipefail
go build go build
cat $SECRET_PATH
echo "done" >&2 echo "done" >&2
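Review bot: The added `cat $SECRET_PATH` on the fourth line writes the injected secret's contents to the job's stdout, and because line 3 sets `-x`, the trace also echoes the command, so the secret value lands in whatever captures this job's output (presumably the Nomad "builder" job log that main.go dispatches to). If the goal of this first iteration is only to prove that injection worked, check for the file without dumping it: `[ -s "$SECRET_PATH" ] || { echo "secret not injected" >&2; exit 1; }`. Quoting `"$SECRET_PATH"` also keeps a path with spaces from being word-split. The script's file name is not visible in this section, so this assumes it is the builder's job script.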


@ -1,11 +1,14 @@
{ {
"ref": "refs/heads/main", "ref": "refs/heads/main",
"after": "d5b22924745b8ea9fb5618e45cb78d1a2f61734b", "after": "c36a4527c06f0cbea1d4441f859265a73da04cca",
"repository": { "repository": {
"owner": { "owner": {
"username": "quentin" "username": "quentin"
}, },
"name": "albatros", "name": "albatros",
"clone_url": "https://git.deuxfleurs.fr/quentin/albatros.git" "clone_url": "https://git.deuxfleurs.fr/quentin/albatros.git"
},
"sender": {
"username": "quentin"
} }
} }

16
main.go

@ -8,6 +8,7 @@ import (
"github.com/caarlos0/env/v7" "github.com/caarlos0/env/v7"
consul "github.com/hashicorp/consul/api" consul "github.com/hashicorp/consul/api"
nomad "github.com/hashicorp/nomad/api" nomad "github.com/hashicorp/nomad/api"
"golang.org/x/exp/slices"
"io" "io"
"log" "log"
"net/http" "net/http"
@ -115,7 +116,7 @@ func notifSummary(notification *GiteaNotification) string {
func lifecycle(notification *GiteaNotification, dispatch *nomad.JobDispatchResponse, giteaCreds *SecretGitea) { func lifecycle(notification *GiteaNotification, dispatch *nomad.JobDispatchResponse, giteaCreds *SecretGitea) {
notifInfo := notifSummary(notification) notifInfo := notifSummary(notification)
log.Printf("[lifecyle] Commit to build: %s, Gitea URL: %s\n", notifInfo, giteaCreds.Url) log.Printf("[lifecycle] Commit to build: %s, Gitea URL: %s\n", notifInfo, giteaCreds.Url)
// init Gitea // init Gitea
forge, err := gitea.NewClient(giteaCreds.Url, gitea.SetToken(giteaCreds.Token)) forge, err := gitea.NewClient(giteaCreds.Url, gitea.SetToken(giteaCreds.Token))
if err != nil { if err != nil {
@ -239,19 +240,22 @@ func hook(w http.ResponseWriter, r *http.Request) {
"BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""), "BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""),
} }
// @FIXME logic on how to inject secrets securely // Check sender
// 1. Check senders payload := []byte{}
// 2. Transform the consul object into a nomad payload if slices.Contains(repoDesc.Trusted.Senders, notification.Sender.Username) {
log.Printf("Trusted build of %s as %s in the list of allowed senders, inject secrets\n", notifInfo, notification.Sender.Username)
// Write payload
payload = []byte(repoDesc.Inject)
}
jobs := NomadClient.Jobs() jobs := NomadClient.Jobs()
dres, _, err := jobs.Dispatch("builder", meta, []byte{}, "albatros", &nomad.WriteOptions{}) dres, _, err := jobs.Dispatch("builder", meta, payload, "albatros", &nomad.WriteOptions{})
if err != nil { if err != nil {
http.Error(w, "Can't submit your job to Nomad", http.StatusInternalServerError) http.Error(w, "Can't submit your job to Nomad", http.StatusInternalServerError)
} }
log.Printf("Created job %s for %s\n", dres.DispatchedJobID, notifInfo) log.Printf("Created job %s for %s\n", dres.DispatchedJobID, notifInfo)
// Start a lifecycle observer to update gitea status // Start a lifecycle observer to update gitea status
// @FIXME: need to inject gitea descriptor
go lifecycle(&notification, dres, &repoDesc.Gitea) go lifecycle(&notification, dres, &repoDesc.Gitea)
io.WriteString(w, dres.DispatchedJobID) io.WriteString(w, dres.DispatchedJobID)
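Review bot: The trust decision that gates secret injection, `slices.Contains(repoDesc.Trusted.Senders, notification.Sender.Username)`, is made on a field of the webhook body, and nothing in this hunk shows the body being authenticated first; `hook` starts outside the hunk, so if it does not already verify the Gitea webhook signature (HMAC of the raw body, `X-Gitea-Signature`, compared with `hmac.Equal`) before decoding, anyone who can reach the endpoint can POST `"sender": {"username": "quentin"}` with a ref and commit of their choosing and have `repoDesc.Inject` delivered into a build of that commit. Even with a valid signature the sender is only the account that pushed, not the author of every commit on the branch, so the assumption deserves a comment above the check: `// Secrets are injected only for pushes by a trusted account; the webhook signature must be verified before this point.` Rejecting an empty `notification.Sender.Username` up front would also avoid matching a missing sender against a misconfigured allow-list. Separately, the Dispatch error path on the new side still falls through: after `http.Error(w, "Can't submit your job to Nomad", http.StatusInternalServerError)` the handler goes on to read `dres.DispatchedJobID` from a nil response, so add `return` after that call.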