diff --git a/.ci/pipeline.yml b/.ci/pipeline.yml
index efa736ec13d4928399536f79510be1e573c0423d..8013c4007799b8ebe8fc156e766bca8b15f6299a 100644
--- a/.ci/pipeline.yml
+++ b/.ci/pipeline.yml
@@ -11,6 +11,7 @@ stages:
 - .pre
 - build
 - test
+ - package
 - deploy
 # On MR or on 'main'.
@@ -28,40 +29,27 @@ stages:
 - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
 when: always
-before_script:
- - CI_COMMIT_SHA_7=$(echo $CI_COMMIT_SHA | cut -c1-7)
+.before-script: &before-script
+ - tools/ci/scripts/merge-target-branch.sh
-build-image:
- stage: build
+.buildah-setup: &buildah-setup
+ image:
+ name: quay.io/buildah/stable:v1.37
+
+.kaniko-setup: &kaniko-setup
 image:
 name: gcr.io/kaniko-project/executor:v1.21.1-debug
 entrypoint: [""]
- script: |
- sh "${CI_PROJECT_DIR}/tools/ci/scripts/build-kaniko.sh" \
- "$COMP_PATH" "$CI_COMMIT_SHA_7" "${PUSH_IMAGES:-false}" \
- "$CI_PROJECT_DIR" "$CI_REGISTRY_IMAGE"
- parallel:
- matrix:
- - COMP_PATH:
- [
- "components/policy-decision-point",
- "components/contract-manager",
- "components/db-jena",
- "components/key-manager",
- "components/knowledgebase",
- "components/audit-trail",
- "components/gateway",
- ]
- rules:
- - *release-vars
- - *default-rules
+# Jobs ========================================================================
 test:
- image: "registry.gitlab.com/data-custodian/custodian/ci-base-go:1.22"
+ image: "docker.io/library/golang:1.22-alpine"
 stage: test
+ before_script: *before-script
 script:
 - echo '==== stage test ==== start'
 - cd $WHAT
+ - apk add coreutils findutils git git-lfs
 - go test ./...
 - cd -
 - echo '==== stage test ==== end (SUCCESS)'
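Review bot: The global `before_script` that defined `CI_COMMIT_SHA_7` is removed in this hunk, but the `deploy` job in the next hunk still substitutes `${CI_COMMIT_SHA_7}` into `$WHAT/values.yaml`, and the new `.before-script` anchor only runs `merge-target-branch.sh`, so the `sed` would now write an empty `tag:` and the deployed image would no longer be tied to the commit that was just built. `build-images.sh` recomputes the short SHA on its own, so only the deploy path loses it. Adding `- CI_COMMIT_SHA_7=$(echo "$CI_COMMIT_SHA" | cut -c1-7)` to the `.before-script` list restores the previous behaviour for every job that uses the anchor. Separately, the `test` job now pulls `docker.io/library/golang:1.22-alpine` by floating tag and installs packages at job time; pinning a digest would keep the test environment reproducible.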
@@ -82,18 +70,50 @@ test:
 rules:
 - *default-rules
+package:
+ stage: package
+ # To use the initial kaniko setup use: `kaniko-setup`
+ <<: *buildah-setup
+ before_script: *before-script
+ script:
+ - |
+ sh "${CI_PROJECT_DIR}/tools/ci/scripts/build-images.sh" \
+ "$COMP_PATH" "${PUSH_IMAGES:-false}" \
+ "$CI_PROJECT_DIR" "$CI_REGISTRY_IMAGE"
+ parallel:
+ matrix:
+ - COMP_PATH:
+ [
+ "components/policy-decision-point",
+ "components/contract-manager",
+ "components/db-jena",
+ "components/key-manager",
+ "components/knowledgebase",
+ "components/audit-trail",
+ "components/gateway",
+ ]
+ rules:
+ - *release-vars
+ - *default-rules
+
 deploy:
 image: "${CI_REGISTRY_IMAGE}/custodian-deploy-ci:20230915"
 stage: deploy
+ before_script: *before-script
 script:
 - echo '==== stage deploy ==== start'
 - kubectl config get-contexts
 - kubectl config use-context data-custodian/custodian:custodian-cicd
 - cd deploy/charts
- - sed "s/tag:"" [0-9a-f]\+/tag:"" ${CI_COMMIT_SHA_7}/g" $WHAT/values.yaml > $WHAT-tagged_values.yaml # update image tag
+ - sed "s/tag:"" [0-9a-f]\+/tag:""
+ ${CI_COMMIT_SHA_7}/g"
+ $WHAT/values.yaml >
+ $WHAT-tagged_values.yaml # update image tag
 - helm dep update $WHAT
 - echo $FAKE_CUSTODIAN_CONFIG | base64 -d > cicd-values.yaml
- - helm upgrade --install $WHAT $WHAT -n custodian-cicd -f $WHAT-tagged_values.yaml -f cicd-values.yaml
+ - helm upgrade --install
+ $WHAT $WHAT -n custodian-cicd -f
+ $WHAT-tagged_values.yaml -f cicd-values.yaml
 - echo '==== stage deploy ==== end (SUCCESS)'
 parallel:
 matrix:
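Review bot: The `sed` and `helm upgrade` entries in `deploy` are now multi-line plain scalars, which YAML folds back into a single command only because each continuation happens to begin where a space already was; a reader can easily take them for separate list items, and a continuation that happened to start with a YAML indicator would change the parse silently. Writing each as a `- >-` block scalar with the command lines indented beneath it states the intent and folds identically. The `curl` item in `deploy-package-stable` in the next hunk has the same shape. In the `package` job, the comment would say more as `# To build with kaniko instead of buildah, replace the next line with "<<: *kaniko-setup".`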
@@ -109,16 +129,20 @@ deploy:
 name: dev-deploy
 rules:
 - *main-rules
- needs: ["build-image"]
+ needs: ["package"]
 deploy-package-stable:
 image: "${CI_REGISTRY_IMAGE}/custodian-deploy-ci:20230915"
 stage: deploy
+ before_script: *before-script
 script:
 - cd deploy/charts
 - helm dep up $WHAT
 - helm package $WHAT
- - 'curl --request POST --user gitlab-ci-token:$CI_JOB_TOKEN --form "chart=@$WHAT-${HELM_VERSION}.tgz" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"'
+ - curl --request POST
+ --user gitlab-ci-token:$CI_JOB_TOKEN
+ --form "chart=@$WHAT-${HELM_VERSION}.tgz"
+ "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
 parallel:
 matrix:
 - WHAT:
@@ -131,11 +155,12 @@ deploy-package-stable:
 ]
 rules:
 - *main-rules
- needs: ["build-image"]
+ needs: ["package"]
 pages-test:
- stage: test
+ stage: build
 image: python:3.8-alpine
+ before_script: *before-script
 script:
 - apk add just bash git
 - cd docs/custodian && just build
@@ -145,6 +170,7 @@ pages-test:
 pages:
 stage: deploy
 image: python:3.8-alpine
+ before_script: *before-script
 script:
 - apk add just bash git
 # Copy the artifacts such that Gitlab can upload it.
diff --git a/.docker/DeployDockerfile b/.docker/DeployDockerfile
index 2c68f75aad4e76c05920546ee787b4b9e0734771..4cd1b0f4f0b395c354b2f919871fea884a38d45e 100644
--- a/.docker/DeployDockerfile
+++ b/.docker/DeployDockerfile
@@ -8,8 +8,9 @@ RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/s
 && chmod 700 get_helm.sh \
 && ./get_helm.sh \
 && rm get_helm.sh
+RUN apk add git
 RUN adduser -D custodian_user
 USER custodian_user
-WORKDIR /
\ No newline at end of file
+WORKDIR /
diff --git a/components/db-jena/Dockerfile b/components/db-jena/Dockerfile
index 3f1bc2457a231d5f4729447b1f697a95d97ffbfc..fff899e5408513222de513da257e337179043c37 100644
--- a/components/db-jena/Dockerfile
+++ b/components/db-jena/Dockerfile
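Review bot: In the `.docker/DeployDockerfile` hunk, `RUN apk add git` depends on whatever package index the base layer already carries — on a base without one it fails with unsatisfiable constraints, and on a base with one it leaves the stale index in the image layer. `RUN apk add --no-cache git` fetches a fresh index for this step and keeps it out of the image, which is the idiomatic Alpine form; pinning `git=<version>` is optional but would make the deploy image reproducible. The `FROM` line of this Dockerfile is outside the hunk, so whether the base itself is pinned cannot be seen here.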
@@ -31,7 +31,7 @@ ARG JENA_FOLDER=components/db-jena
 ## ---- Stage: Download and build java.
-FROM eclipse-temurin:${JAVA_VERSION}-alpine AS base
+FROM docker.io/library/eclipse-temurin:${JAVA_VERSION}-alpine AS base
 ARG JAVA_MINIMAL
 ARG JENA_VERSION
@@ -68,11 +68,11 @@ RUN ./download.sh --chksum sha1 "$JAR_URL"
 ARG JDEPS_EXTRA="jdk.crypto.cryptoki,jdk.crypto.ec"
 RUN \
- JDEPS="$(jdeps --multi-release base --print-module-deps --ignore-missing-deps ${FUSEKI_JAR})" && \
- jlink \
- --compress 2 --strip-debug --no-header-files --no-man-pages \
- --output "${JAVA_MINIMAL}" \
- --add-modules "${JDEPS},${JDEPS_EXTRA}"
+ JDEPS="$(jdeps --multi-release base --print-module-deps --ignore-missing-deps ${FUSEKI_JAR})" && \
+ jlink \
+ --compress 2 --strip-debug --no-header-files --no-man-pages \
+ --output "${JAVA_MINIMAL}" \
+ --add-modules "${JDEPS},${JDEPS_EXTRA}"
 ADD ${JENA_FOLDER}/entrypoint.sh .
 ADD ${JENA_FOLDER}/log4j2.properties .
@@ -80,7 +80,7 @@ ADD ${JENA_FOLDER}/log4j2.properties .
 RUN echo -e "" > /fuseki/fuseki-users
 ## ---- Stage: Build runtime
-FROM alpine:${ALPINE_VERSION}
+FROM docker.io/library/alpine:${ALPINE_VERSION}
 ## Import ARGs
 ARG JENA_VERSION
@@ -92,9 +92,9 @@ ARG JENA_FOLDER
 COPY --from=base /opt/java-minimal /opt/java-minimal
 COPY --from=base /fuseki /fuseki
-# Special conf file with API endpoints
-COPY ${JENA_FOLDER}/config.ttl /fuseki/config.ttl
-COPY ${JENA_FOLDER}/config-kb.ttl /fuseki/config-kb.ttl
+# Special conf file with API endpoints
+COPY ${JENA_FOLDER}/config.ttl /fuseki/config.ttl
+COPY ${JENA_FOLDER}/config-kb.ttl /fuseki/config-kb.ttl
 WORKDIR $FUSEKI_DIR
diff --git a/components/db-jena/download.sh b/components/db-jena/download.sh
index 211eca784cb5b8ff304c2d5ffd72fc13180b8ab0..2b62cb9d6aa3baec79afbab52178b4063131ebd2 100755
--- a/components/db-jena/download.sh
+++ b/components/db-jena/download.sh
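Review bot: The fully-qualified `docker.io/library/...` references fix short-name resolution under buildah, but both `FROM` lines still select their base by mutable tag (`${JAVA_VERSION}-alpine`, `${ALPINE_VERSION}`), so a rebuild can silently pick up a re-pushed image with different content. Appending a digest, e.g. `FROM docker.io/library/alpine:${ALPINE_VERSION}@sha256:<digest>`, pins the exact layers at the cost of a deliberate bump when the base is updated; a comment next to it recording how the digest is refreshed keeps that maintainable. The `jlink` and `COPY` hunks are whitespace-only.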
@@ -28,27 +28,25 @@ USAGE="Usage: $(basename "$0") --chksum [sha1|sha512] URL"
-if [ $# -eq 0 ]
-then
+if [ $# -eq 0 ]; then
 echo "$USAGE" 2>&1
 exit 1
 fi
 CHKSUM_TYPE='unset'
-while [ $# -gt 0 ] ; do
+while [ $# -gt 0 ]; do
 case "$1" in
- --chksum|-chksum|-sha|--sha)
- if [ $# -lt 2 ]
- then
- echo "$USAGE" 1>&2
- exit 1
+ --chksum | -chksum | -sha | --sha)
+ if [ $# -lt 2 ]; then
+ echo "$USAGE" 1>&2
+ exit 1
 fi
 CHKSUM_TYPE=$2
 shift
 shift
 ;;
- -h|--help)
+ -h | --help)
 echo "$USAGE" 1>&2
 exit 0
 ;;
@@ -57,10 +55,9 @@ while [ $# -gt 0 ] ; do
 exit 1
 ;;
 *)
- if [ $# -ne 1 ]
- then
- echo "$USAGE" 1>&2
- exit 1
+ if [ $# -ne 1 ]; then
+ echo "$USAGE" 1>&2
+ exit 1
 fi
 URL="$1"
 shift
@@ -69,12 +66,12 @@ while [ $# -gt 0 ] ; do
 done
 case "${CHKSUM_TYPE}" in
- unset)
+unset)
 echo "$USAGE" 1>&2
 exit 1
 ;;
- sha*|md5) ;;
- *)
+sha* | md5) ;;
+*)
 echo "Bad checksum type: '$CHKSUM_TYPE' (must start 'sha' or be 'md5')" 2>&1
 exit 1
 ;;
@@ -94,8 +91,7 @@ CHKSUMPROG="${CHKSUM_TYPE}sum"
 # --------
 CURL_FETCH_OPTS="-s -S --fail --location --max-redirs 3"
-if false
-then
+if false; then
 echo "ARTIFACT_URL=$ARTIFACT_URL"
 echo "CHKSUM_URL=$CHKSUM_URL"
 fi
@@ -103,13 +99,15 @@ fi
 download() { # URL
 local URL="$1"
 local FN="$(basename "$URL")"
- if [ ! -e "$FN" ]
- then
- echo "Fetching $URL"
- curl $CURL_FETCH_OPTS "$URL" --output "$FN" \
- || { echo "Bad download of $FN" 2>&1 ; return 1 ; }
+ if [ ! -e "$FN" ]; then
+ echo "Fetching $URL"
+ curl $CURL_FETCH_OPTS "$URL" --output "$FN" ||
+ {
+ echo "Bad download of $FN" 2>&1
+ return 1
+ }
 else
- echo "$FN already present"
+ echo "$FN already present"
 fi
 return 0
 }
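Review bot: In the rewritten failure branch of `download()`, `echo "Bad download of $FN" 2>&1` redirects stderr to stdout instead of sending the message to stderr, so the diagnostic lands on the same stream as normal output; it should be `echo "Bad download of $FN" >&2`, matching the `1>&2` used for most `$USAGE` messages in this file. The reformatted `No such file` message in `checkChksum()` in the next hunk carries the same slip. Unrelated to the formatting but visible in the `@@ -68` header of the Dockerfile hunk above, the JAR is verified with `--chksum sha1` even though this script accepts `sha512`; switching the caller to the stronger digest costs nothing if one is published alongside the artifact.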
@@ -117,19 +115,17 @@ download() { # URL
 checkChksum() { # Filename checksum
 local FN="$1"
 local CHKSUM="$2"
- if [ ! -e "$FN" ]
- then
- echo "No such file: '$FN'" 2>&1
- exit 1
+ if [ ! -e "$FN" ]; then
+ echo "No such file: '$FN'" 2>&1
+ exit 1
 fi
 # NB Two spaces required for busybox
- echo "$CHKSUM $FN" | ${CHKSUMPROG} -c > /dev/null
+ echo "$CHKSUM $FN" | ${CHKSUMPROG} -c >/dev/null
 }
 download "$ARTIFACT_URL" || exit 1
-if [ -z "$CHKSUM" ]
-then
+if [ -z "$CHKSUM" ]; then
 # Checksum not previously set.
 # Extract from file, copes with variations in content (filename or not)
 download "$CHKSUM_URL" || exit 1
@@ -137,8 +133,7 @@ then
 fi
 checkChksum "${ARTIFACT_NAME}" "$CHKSUM"
-if [ $? = 0 ]
-then
+if [ $? = 0 ]; then
 echo "Good download: $ARTIFACT_NAME"
 else
 echo "BAD download !!!! $ARTIFACT_NAME"
diff --git a/components/db-jena/entrypoint.sh b/components/db-jena/entrypoint.sh
index 4fb0e1d099c3663a72caec729c495396c68b5099..47470f2a98608e3bfc44455c9b3bff99874c815f 100755
--- a/components/db-jena/entrypoint.sh
+++ b/components/db-jena/entrypoint.sh
@@ -1,8 +1,6 @@
 #!/bin/sh
 ## Licensed under the terms of http://www.apache.org/licenses/LICENSE-2.0
-
 cp /run/secrets/fuseki-users /fuseki/fuseki-users
 ## env | sort
 exec "$JAVA_HOME/bin/java" $JAVA_OPTIONS -jar "${FUSEKI_DIR}/${FUSEKI_JAR}" "$@"
-
diff --git a/tools/ci/scripts/build-images.sh b/tools/ci/scripts/build-images.sh
new file mode 100755
index 0000000000000000000000000000000000000000..f96170a6c2c8bbd125c70cff1cdfd45bf441a2f1
--- /dev/null
+++ b/tools/ci/scripts/build-images.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2153
+
+# TODO: WILL be removed once better CI is in place!
+# Podman and Nix.
+# NEEDS to be POSIX SH compatible.
+
+set -e
+set -u
+
+COMP_PATH="$1"
+PUSH="${2:-false}"
+CI_PROJECT_DIR="${3:-$CI_PROJECT_DIR}"
+CI_REGISTRY_IMAGE="${4:-$CI_REGISTRY_IMAGE}"
+
+CI_IMAGE_BUILD_TOOL="buildah"
+CI_COMMIT_SHA_7="$(echo "$CI_COMMIT_SHA" | cut -c1-7)"
+GO_IMAGE="registry.gitlab.com/data-custodian/custodian/ci-base-go:1.22"
+CONTAINER_IMAGE="registry.gitlab.com/data-custodian/custodian/ci-base-alpine:3.18.3"
+
+FILES=$(find "$COMP_PATH" -name Dockerfile)
+
+if [ "$FILES" = "" ]; then
+ echo "no docker files in $COMP_PATH" >&2
+ exit 1
+fi
+
+if [ -f /kaniko/executor ]; then
+ CI_IMAGE_BUILD_TOOL="kaniko"
+fi
+
+echo '==== stage build ==== start'
+for DOCKERFILE in $FILES; do
+
+ echo "==== stage build ==== start image build for $DOCKERFILE"
+ SERVICE=$(dirname "$DOCKERFILE")
+ SERVICE="${SERVICE##components/}"
+ SERVICE=$(echo "$SERVICE" | sed 's/\//-/g')
+
+ IMAGE="${CI_REGISTRY_IMAGE}/${SERVICE}:${CI_COMMIT_SHA_7}"
+ echo "Dockerfile: $DOCKERFILE"
+ echo "Image: $IMAGE"
+
+ if [ "$CI_IMAGE_BUILD_TOOL" = "kaniko" ]; then
+ echo "Build with kaniko"
+ args="--no-push"
+ if [ "$PUSH" = "true" ]; then
+ args="--destination $IMAGE --cache=true"
+ fi
+
+ # shellcheck disable=SC2086
+ /kaniko/executor \
+ --context "${CI_PROJECT_DIR}" \
+ --dockerfile "${DOCKERFILE}" \
+ --build-arg CI__GO_IMAGE=${GO_IMAGE} \
+ --build-arg CI__CONTAINER_IMAGE=${CONTAINER_IMAGE} \
+ $args
+
+ elif [ "$CI_IMAGE_BUILD_TOOL" = "buildah" ]; then
+ echo "Build with buildah"
+
+ echo "$CI_REGISTRY_PASSWORD" |
+ buildah login \
+ -u "$CI_REGISTRY_USER" \
+ --password-stdin "$CI_REGISTRY"
+
+ buildah build \
+ -f "${DOCKERFILE}" \
+ --isolation=chroot \
+ --storage-driver=vfs \
+ --format=docker \
+ --build-arg CI__GO_IMAGE=${GO_IMAGE} \
+ --build-arg CI__CONTAINER_IMAGE=${CONTAINER_IMAGE} \
+ -t "$IMAGE" "${CI_PROJECT_DIR}"
+
+ if [ "$PUSH" = "true" ]; then
+ buildah push "$IMAGE"
+ fi
+ fi
+
+ echo "==== stage build ==== end image build for $DOCKERFILE (SUCCESS)"
+done
+
+echo '==== stage build ==== end'
diff --git a/tools/ci/scripts/build-kaniko.sh b/tools/ci/scripts/build-kaniko.sh
deleted file mode 100755
index 693edc5c2ef9afe3c135331e7df7b087a87836df..0000000000000000000000000000000000000000
--- a/tools/ci/scripts/build-kaniko.sh
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env sh
-
-# TODO: WILL be removed once better CI is in place!
-# Podman and Nix.
-# NEEDS to be POSIX SH compatible.
-
-set -e
-set -u
-
-COMP_PATH="$1"
-CI_COMMIT_SHA_7="$2"
-PUSH="${3:-false}"
-CI_PROJECT_DIR="${4:-$CI_PROJECT_DIR}"
-CI_REGISTRY_IMAGE="${5:-$CI_REGISTRY_IMAGE}"
-
-GO_IMAGE="registry.gitlab.com/data-custodian/custodian/ci-base-go:1.22"
-CONTAINER_IMAGE="registry.gitlab.com/data-custodian/custodian/ci-base-alpine:3.18.3"
-
-FILES=$(find "$COMP_PATH" -name Dockerfile)
-
-if [ "$FILES" = "" ]; then
- echo "no docker files in $COMP_PATH" >&2
- exit 1
-fi
-
-echo '==== stage build ==== start'
-for DOCKERFILE in $FILES; do
-
- echo "==== stage build ==== start kaniko build for $DOCKERFILE"
- SERVICE=$(dirname "$DOCKERFILE")
- SERVICE="${SERVICE##components/}"
- SERVICE=$(echo "$SERVICE" | sed 's/\//-/g')
-
- IMAGE="${CI_REGISTRY_IMAGE}/${SERVICE}:${CI_COMMIT_SHA_7}"
-
- args="--no-push"
- if [ "$PUSH" = "true" ]; then
- args="--destination $IMAGE --cache=true"
- fi
-
- echo "Dockerfile: $DOCKERFILE"
- echo "Image: $IMAGE"
- /kaniko/executor \
- --context "${CI_PROJECT_DIR}" \
- --dockerfile "${DOCKERFILE}" \
- --build-arg CI__GO_IMAGE=${GO_IMAGE} \
- --build-arg CI__CONTAINER_IMAGE=${CONTAINER_IMAGE} \
- $args
-
- echo "==== stage build ==== end kaniko build for $DOCKERFILE (SUCCESS)"
-done
-
-echo '==== stage build ==== end'
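Review bot: In the buildah branch of `build-images.sh`, `buildah login` with `$CI_REGISTRY_PASSWORD` runs inside the loop for every Dockerfile and on every pipeline, including runs where `PUSH` is `false` and nothing is pushed; wrapping it in the same `if [ "$PUSH" = "true" ]; then … fi` guard that already surrounds `buildah push` keeps registry credentials out of jobs that do not need them, unless the `ci-base-*` images passed as build args need an authenticated pull — that is not visible here and deserves a comment either way. The kaniko branch pushes via `--destination` with no visible credential setup, so presumably the executor reads its config from the job environment; a one-line comment saying where it comes from would spare the next reader the search. `for DOCKERFILE in $FILES` relies on word-splitting the `find` output, which is fine for the `components/...` paths used here but breaks on paths containing spaces.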
diff --git a/tools/ci/scripts/merge-target-branch.sh b/tools/ci/scripts/merge-target-branch.sh
new file mode 100755
index 0000000000000000000000000000000000000000..687af0ee477c695087e7a42c9977cd022b5b478d
--- /dev/null
+++ b/tools/ci/scripts/merge-target-branch.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+set -u
+set -e
+
+# TODO: Remove that script and build it into `ci-tool`
+target_branch="${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-}"
+source_branch="${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME:-}"
+
+if [ -z "$target_branch" ]; then
+ echo "Not on a Merge Request."
+ exit 0
+fi
+
+cleanUp() {
+ git branch -d "temp" >/dev/null 2>&1 || true
+}
+
+trap cleanUp EXIT
+
+setup_git() {
+ if grep "fedora" /etc/os-release; then
+ dnf install -y git git-lfs
+ elif grep "debian" /etc/os-release; then
+ apt install -y git git-lfs
+ elif grep "alpine" /etc/os-release; then
+ apk add git git-lfs
+ else
+ echo "OS not implemented."
+ exit 1
+ fi
+
+ git lfs install
+
+ git config --global user.email "custodian@datascience.com" &&
+ git config --global user.name "Custodian CI"
+}
+
+main() {
+ setup_git
+
+ HEAD_COMMIT=$(git rev-parse HEAD)
+ echo "Merging source branch '$HEAD_COMMIT' into '$target_branch'."
+
+ echo "Fetching '$source_branch'..."
+ git branch -v
+ git branch -r
+
+ echo "Fetching '$target_branch'..."
+ git branch -D origin/target-branch || true
+ git fetch origin "$target_branch:origin/target-branch"
+
+ echo "Checkout '$target_branch' as 'merged-temp'..."
+ git checkout "origin/target-branch"
+ git branch -D "merged-temp" || true # Remove cached stuff.
+ git checkout -b "merged-temp"
+
+ echo "Merge '$source_branch' ..."
+ git merge --no-ff "$HEAD_COMMIT"
+
+ echo "Merge commit: $(git rev-parse HEAD)"
+}
+
+main "$@"
diff --git a/tools/ci/scripts/start-gitlab-runner-docker.sh b/tools/ci/scripts/start-gitlab-runner-docker.sh
index 2f7939808cec1e9697ddf1bf93d7a47dbbf40cd3..3be615c03b19c128733197c1bf996b7073aa4f91 100755
--- a/tools/ci/scripts/start-gitlab-runner-docker.sh
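Review bot: `cleanUp` in `merge-target-branch.sh` deletes a branch named `temp`, but the branches this script actually creates are `merged-temp` and `origin/target-branch`, so the EXIT trap never removes anything; if cleanup is the intent it should read `git branch -D "merged-temp" >/dev/null 2>&1 || true` with a matching line for `origin/target-branch`, otherwise the trap can go. Naming a local branch `origin/target-branch` also shadows the remote-tracking namespace, which makes `git checkout "origin/target-branch"` ambiguous whenever a real remote branch of that name exists; a plain local name such as `target-branch` avoids it. In `setup_git`, the Debian branch runs `apt install -y git git-lfs` without a preceding `apt-get update`, which fails on a fresh image with an empty package index, and the `grep` calls print the matching os-release line because `-q` is missing. The `echo "Fetching '$source_branch'..."` message is followed only by `git branch -v` and `git branch -r`, so either the message or the absent fetch is wrong.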
+++ b/tools/ci/scripts/start-gitlab-runner-docker.sh
@@ -27,7 +27,7 @@ ROOT=$(git rev-parse --show-toplevel)
 force="false"
 config_dir="$ROOT/.gitlab/local/config"
 runner_name="custodian-ci-docker"
-cores=$(grep "^cpu\\scores" /proc/cpuinfo | uniq | cut -d ' ' -f 3)
+cores=$(grep '^cpu\scores' /proc/cpuinfo | uniq | cut -d ' ' -f 3)
 max_jobs="$cores"
 function create() {
diff --git a/tools/ci/scripts/start-gitlab-runner-podman.sh b/tools/ci/scripts/start-gitlab-runner-podman.sh
index 3a14f1a2af994d72b66eaca1194d858da6af7bbb..e35ff404257fcebd9ca75d860a1f9f8cdbdfbef8 100755
--- a/tools/ci/scripts/start-gitlab-runner-podman.sh
+++ b/tools/ci/scripts/start-gitlab-runner-podman.sh
@@ -77,7 +77,7 @@ ROOT=$(git rev-parse --show-toplevel)
 force="false"
 config_dir="$ROOT/.gitlab/local/config"
 runner_name="custodian-ci-podman"
-cores=$(grep "^cpu\\scores" /proc/cpuinfo | uniq | cut -d ' ' -f 3)
+cores=$(grep '^cpu\scores' /proc/cpuinfo | uniq | cut -d ' ' -f 3)
 max_jobs="$cores"
 image="registry.gitlab.com/qontainers/pipglr-alpine:latest" # Or use the fedora version
@@ -130,16 +130,18 @@ function register_runner() {
 # This is only needed if direct access to podman is
 # needed inside the `jobs`.
- # TODO: Might be not necessary since we are using Nix at the end.
 # modify_config ".runners.first().docker.volumes.append()" \
 # "/home/runner/podman.sock:/var/run/podman.sock:rw" string
+ modify_config ".runners.first().docker.image" \
+ "alpine:latest" string
+
 # Add an auxiliary volume `auxvol`.
 modify_config ".runners.first().docker.volumes.append()" \
 "auxvol:/auxvol" string
 modify_config ".runners.first().pre_build_script" \
- "echo 'Prebuild'\\nenv" string
+ "echo 'Prebuild Script'" string
 podman secret rm config.toml &>/dev/null || true
 podman secret create config.toml "$config_dir/config.toml" ||
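Review bot: The new default job image set by `modify_config ".runners.first().docker.image" "alpine:latest"` is a floating tag, so any job that omits `image:` runs on whatever Alpine the runner pulled last, which works against the reproducibility the rest of this commit pursues; a versioned tag (for instance `alpine:3.18`, in line with the `ci-base-alpine:3.18.3` used elsewhere in the repo) plus a comment naming why it was chosen would be better. Dropping the `env` dump from `pre_build_script` is a worthwhile change on its own: it stopped every job from printing its whole environment, including any CI variables not covered by log masking, into the job log. Both `modify_config` calls sit inside `register_runner()`, which continues past the end of the hunk.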
diff --git a/tools/deploy/secrets-generator/scripts/configure_ca.sh b/tools/deploy/secrets-generator/scripts/configure_ca.sh
index 4d7099f6fb0bad851f2d3fb3fc93705348133d2f..b5351adc7e9f88d957b8850f2c18ab17d27f6912 100755
--- a/tools/deploy/secrets-generator/scripts/configure_ca.sh
+++ b/tools/deploy/secrets-generator/scripts/configure_ca.sh
@@ -8,7 +8,7 @@ read -p "Locality: " LOCALITY_NAME
 read -p "Organization: " ORGANIZATION_NAME
 read -p "Common Name: " COMMON_NAME
-cat << EOF | envsubst > config/cert_ext.cnf.sample
+cat <config/cert_ext.cnf.sample
 [req]
 default_bit = 4096
 distinguished_name = req_distinguished_name
@@ -21,7 +21,7 @@ localityName = $LOCALITY_NAME
 organizationName = $ORGANIZATION_NAME
 EOF
-cat << EOF | envsubst > config/custodianCA_cert.cnf
+cat <config/custodianCA_cert.cnf
 [req]
 distinguished_name = req_distinguished_name
 x509_extensions = v3_ca
@@ -40,7 +40,7 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 EOF
-cat << EOF | envsubst > config/custodianCA.cnf.sample
+cat <config/custodianCA.cnf.sample
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
diff --git a/tools/deploy/secrets-generator/scripts/create_ecdsa_key_pair.sh b/tools/deploy/secrets-generator/scripts/create_ecdsa_key_pair.sh
index 51e52e8f4f7715c585707b6dc94558380fbb3081..bb781c65f3be0e5ea5b3a5dedfe3eb845641d02f 100755
--- a/tools/deploy/secrets-generator/scripts/create_ecdsa_key_pair.sh
+++ b/tools/deploy/secrets-generator/scripts/create_ecdsa_key_pair.sh
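Review bot: As rendered, the three new lines in `configure_ca.sh` read `cat <config/cert_ext.cnf.sample` (and likewise for `custodianCA_cert.cnf` and `custodianCA.cnf.sample`), which would make `cat` read the target file instead of the here-document and leave the following `[req]`…`EOF` lines to be executed as commands. This is most likely an extraction artifact rather than the real change — shfmt rewrites `cat << EOF | envsubst > file` as `cat <<EOF | envsubst >file`, and the span from `<` to `>` looks like an HTML tag to a renderer — but it is worth confirming in the actual commit that the `<<EOF | envsubst >` part survived in all three places. If it did, the unquoted `EOF` here-docs already expand `$LOCALITY_NAME` and the other `read` values, so the `envsubst` pass appears redundant and could be dropped together with the pipe.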
@@ -1,15 +1,13 @@
 #!/bin/bash
-if [ $# -lt 1 ] ;
-then
- echo "Usage: $0 name [folder]" >&2
- exit 1
+if [ $# -lt 1 ]; then
+ echo "Usage: $0 name [folder]" >&2
+ exit 1
 else
- mkdir -p $1
- folder=$1
+ mkdir -p $1
+ folder=$1
 fi
 # Generate ECDSA key pair
 openssl ecparam -name prime256v1 -genkey -noout -out ${folder}/private.pem
-openssl ec -in ${folder}/private.pem -pubout > ${folder}/public.pem
-
+openssl ec -in ${folder}/private.pem -pubout >${folder}/public.pem
diff --git a/tools/deploy/secrets-generator/scripts/create_ssl_certificate.sh b/tools/deploy/secrets-generator/scripts/create_ssl_certificate.sh
index 30753dca7cec1b12c3c371d56e9d6d11f87b5fee..e350f80539c7fe950db0c48367064c112dad4905 100755
--- a/tools/deploy/secrets-generator/scripts/create_ssl_certificate.sh
+++ b/tools/deploy/secrets-generator/scripts/create_ssl_certificate.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
-if [ "$#" -ne 3 ] || ! [[ $1 =~ ^[a-zA-Z-]+$ ]] || ! [[ $2 =~ ^[a-zA-Z-]+$ ]] ; then
- echo "Usage: $0 COMMON_NAME POD_NAME folder" >&2
- exit 1
+if [ "$#" -ne 3 ] || ! [[ $1 =~ ^[a-zA-Z-]+$ ]] || ! [[ $2 =~ ^[a-zA-Z-]+$ ]]; then
+ echo "Usage: $0 COMMON_NAME POD_NAME folder" >&2
+ exit 1
 fi
 echo $# $1 $2
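Review bot: The reformatted `mkdir -p $1` / `folder=$1` lines and the two `openssl` lines in `create_ecdsa_key_pair.sh` leave `$1` and `${folder}` unquoted, and `private.pem` is created under the caller's umask — `openssl` does not tighten the mode itself as far as I can see — so with a default `022` the private key is world-readable until something else fixes it. Quoting the path and generating the key under a restrictive umask, e.g. `(umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "${folder}/private.pem")`, closes both. The same applies to `$PEM_PASSWORD_FILE` written by `openssl rand` in the `setup_ssl_certificates.sh` hunk further down and to `$SERVER_KEY` from `genrsa` in `create_ssl_certificate.sh`.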
@@ -26,27 +26,26 @@ CA_EXT_SAMPLE="./custodianCA.cnf.sample"
 # generating server key
 echo "Generating private key"
 $OPENSSL_CMD genrsa -out $SERVER_KEY 4096 2>/dev/null
-if [ $? -ne 0 ] ; then
- echo "ERROR: Failed to generate $SERVER_KEY"
- exit 1
+if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to generate $SERVER_KEY"
+ exit 1
 fi
 ## Update Common Name in External File
 cp $EXTFILE_SAMPLE $EXTFILE
-/bin/echo "commonName = $COMMON_NAME" >> $EXTFILE
+/bin/echo "commonName = $COMMON_NAME" >>$EXTFILE
 cp $CA_EXT_SAMPLE $CA_EXT
-/bin/echo "DNS.2 = $POD_NAME" >> $CA_EXT
+/bin/echo "DNS.2 = $POD_NAME" >>$CA_EXT
 # Generating Certificate Signing Request using config file
 echo "Generating Certificate Signing Request"
 $OPENSSL_CMD req -new -key $SERVER_KEY -out $SERVER_CSR -config $EXTFILE 2>/dev/null
-if [ $? -ne 0 ] ; then
- echo "ERROR: Failed to generate $SERVER_CSR"
- exit 1
+if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to generate $SERVER_CSR"
+ exit 1
 fi
-
 #echo "Generating self signed certificate"
 #$OPENSSL_CMD x509 -req -days 3650 -in $SERVER_CSR -signkey $SERVER_KEY -out $SERVER_CRT 2>/dev/null
 #if [ $? -ne 0 ] ; then
@@ -55,7 +54,7 @@ fi
 echo "Generating RootCA signed server certificate"
 $OPENSSL_CMD x509 -req -in $SERVER_CSR -CA $CA_CRT -CAkey $CA_KEY -out $SERVER_CRT -CAcreateserial -days 365 -sha512 -extfile $CA_EXT --passin file:secrets/ca/.pem_password
-if [ $? -ne 0 ] ; then
+if [ $? -ne 0 ]; then
 echo "ERROR: Failed to generate $SERVER_CRT"
 exit 1
 fi
diff --git a/tools/deploy/secrets-generator/scripts/setup_ssl_certificates.sh b/tools/deploy/secrets-generator/scripts/setup_ssl_certificates.sh
index 55b75209bbd4e4b6ce2885399cc015311d234fb1..bc145b229c7d03090ad1065c4a78f76939147c53 100755
--- a/tools/deploy/secrets-generator/scripts/setup_ssl_certificates.sh
+++ b/tools/deploy/secrets-generator/scripts/setup_ssl_certificates.sh
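Review bot: Each reformatted `if [ $? -ne 0 ]; then` in `create_ssl_certificate.sh` tests the status of an `openssl` call whose stderr was discarded with `2>/dev/null` (the `genrsa` and `req` invocations), so when key or CSR generation fails the operator sees only `ERROR: Failed to generate ...` and no reason. `if ! $OPENSSL_CMD genrsa -out "$SERVER_KEY" 4096; then` — dropping the redirect or pointing it at a log file — keeps the diagnostic and removes the `$?` dance; the `req` call takes the same shape. `$SERVER_KEY`, `$EXTFILE` and `$CA_EXT` are unquoted throughout; if any of them derives from the third argument, which the usage check at the top of the file does not validate, quoting matters rather than being tidiness.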
@@ -3,7 +3,7 @@ PEM_PASSWORD_FILE=secrets/ca/.pem_password
 mkdir -p secrets/ca
-openssl rand -base64 24 > $PEM_PASSWORD_FILE
+openssl rand -base64 24 >$PEM_PASSWORD_FILE
 # Generate CA
 openssl genrsa -des3 -out secrets/ca/custodianCA.key -passout file:$PEM_PASSWORD_FILE 4096
diff --git a/tools/nix/custodian/treefmt.nix b/tools/nix/custodian/treefmt.nix
index f9f478145f30cf5226d1a178a83e7b292082cd76..0061d6f93d117d7df2ee4fca2d6855a6ed3866c5 100644
--- a/tools/nix/custodian/treefmt.nix
+++ b/tools/nix/custodian/treefmt.nix
@@ -12,6 +12,12 @@ programs.prettier.enable = true;
 settings.formatter.prettier.excludes = [ "deploy/charts/**/templates/*" ];
+ # Shellscripts (which we should not have!)
+ programs.shfmt = {
+ enable = true;
+ indent_size = 4;
+ };
+
 # Nix.
 programs.nixfmt.enable = true;
 }