CI: Use GCP keys in vault and not drone secrets (#72023)

Kevin Minehart 2023-07-21 08:53:57 -05:00 committed by GitHub
parent f3235ba959
commit 16e2808b43
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 63 additions and 39 deletions


@ -761,7 +761,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images
volumes:
@ -774,7 +774,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images-ubuntu
volumes:
@ -1940,7 +1940,7 @@ steps:
- end-to-end-tests-various-suite
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -1971,7 +1971,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images
volumes:
@ -1984,7 +1984,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images-ubuntu
volumes:
@ -2001,7 +2001,7 @@ steps:
DOCKER_USER:
from_secret: docker_username
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
GITHUB_APP_ID:
from_secret: delivery-bot-app-id
GITHUB_APP_INSTALLATION_ID:
@ -2027,7 +2027,7 @@ steps:
DOCKER_USER:
from_secret: docker_username
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
GITHUB_APP_ID:
from_secret: delivery-bot-app-id
GITHUB_APP_INSTALLATION_ID:
@ -2069,7 +2069,7 @@ steps:
- end-to-end-tests-various-suite
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -2083,7 +2083,7 @@ steps:
- grafana-server
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -2626,7 +2626,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images
volumes:
@ -2639,7 +2639,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images-ubuntu
volumes:
@ -2744,7 +2744,7 @@ steps:
- grafana-server
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -2758,7 +2758,7 @@ steps:
- end-to-end-tests-various-suite
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -2774,7 +2774,7 @@ steps:
- end-to-end-tests-various-suite
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -2789,7 +2789,7 @@ steps:
- build-frontend-packages
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_upload_artifacts_key
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/build-container:1.7.5
@ -2992,7 +2992,7 @@ steps:
- windows-init
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
GITHUB_TOKEN:
from_secret: github_token
PRERELEASE_BUCKET:
@ -3057,7 +3057,7 @@ steps:
DOCKER_USER:
from_secret: docker_username
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: fetch-images
volumes:
@ -3074,7 +3074,7 @@ steps:
DOCKER_USER:
from_secret: docker_username
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
GITHUB_APP_ID:
from_secret: delivery-bot-app-id
GITHUB_APP_INSTALLATION_ID:
@ -3097,7 +3097,7 @@ steps:
DOCKER_USER:
from_secret: docker_username
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
GITHUB_APP_ID:
from_secret: delivery-bot-app-id
GITHUB_APP_INSTALLATION_ID:
@ -3326,7 +3326,7 @@ steps:
- publish-linux-packages-rpm
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
GRAFANA_COM_API_KEY:
from_secret: grafana_api_key
image: grafana/grafana-ci-deploy:1.3.3
@ -3540,7 +3540,7 @@ steps:
- windows-init
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
GITHUB_TOKEN:
from_secret: github_token
PRERELEASE_BUCKET:
@ -3605,7 +3605,7 @@ steps:
- windows-init
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
GITHUB_TOKEN:
from_secret: github_token
PRERELEASE_BUCKET:
@ -3847,7 +3847,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images
volumes:
@ -3860,7 +3860,7 @@ steps:
- compile-build-cmd
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
image: google/cloud-sdk:431.0.0
name: build-docker-images-ubuntu
volumes:
@ -3966,7 +3966,7 @@ steps:
- grafana-server
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -3983,7 +3983,7 @@ steps:
- end-to-end-tests-various-suite
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
PRERELEASE_BUCKET:
from_secret: prerelease_bucket
image: grafana/grafana-ci-deploy:1.3.3
@ -4353,7 +4353,7 @@ steps:
- windows-init
environment:
GCP_KEY:
from_secret: gcp_key
from_secret: gcp_grafanauploads_base64
GITHUB_TOKEN:
from_secret: github_token
PRERELEASE_BUCKET:
@ -4868,6 +4868,18 @@ trigger:
event: cron
type: docker
---
get:
name: credentials.json
path: infra/data/ci/grafana-release-eng/grafanauploads
kind: secret
name: gcp_grafanauploads
---
get:
name: credentials_base64
path: infra/data/ci/grafana-release-eng/grafanauploads
kind: secret
name: gcp_grafanauploads_base64
---
get:
name: grafana_api_key
path: infra/data/ci/drone-plugins
@ -5019,6 +5031,6 @@ kind: secret
name: delivery-bot-app-private-key
---
kind: signature
hmac: 1eb4671cf92fa08539a22e82cfcf1a58573fa410df4d9512063a95e0c746fe97
hmac: ea32500f4c7c72fe5b95a1617dd43935becbbc4c8bc2cbbf87b87c512afcca0a
...


@ -51,7 +51,12 @@ load(
"scripts/drone/pipelines/test_backend.star",
"test_backend",
)
load("scripts/drone/vault.star", "from_secret", "prerelease_bucket")
load(
"scripts/drone/vault.star",
"from_secret",
"gcp_upload_artifacts_key",
"prerelease_bucket",
)
load(
"scripts/drone/utils/images.star",
"images",
@ -87,7 +92,7 @@ def store_npm_packages_step():
"build-frontend-packages",
],
"environment": {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_upload_artifacts_key),
"PRERELEASE_BUCKET": from_secret(prerelease_bucket),
},
"commands": ["./bin/build artifacts npm store --tag ${DRONE_TAG}"],
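Review bot: store_npm_packages_step now pulls `gcp_upload_artifacts_key` while the other upload steps this commit converts pull `gcp_grafanauploads`, and nothing in the hunk records why this step is given a different credential. A one-line comment above the `GCP_KEY` entry would save the next reader a vault lookup, e.g. `# npm store uses the artifacts-upload key rather than gcp_grafanauploads — presumably a narrower credential; confirm`. The function body continues outside the hunk.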


@ -5,6 +5,9 @@ This module is a library of Drone steps and other pipeline components.
load(
"scripts/drone/vault.star",
"from_secret",
"gcp_grafanauploads",
"gcp_grafanauploads_base64",
"gcp_upload_artifacts_key",
"prerelease_bucket",
)
load(
@ -330,7 +333,7 @@ def store_storybook_step(ver_mode, trigger = None):
] +
end_to_end_tests_deps(),
"environment": {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads),
"PRERELEASE_BUCKET": from_secret(prerelease_bucket),
},
"commands": commands,
@ -369,7 +372,7 @@ def e2e_tests_artifacts():
],
},
"environment": {
"GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret("gcp_upload_artifacts_key"),
"GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
"E2E_TEST_ARTIFACTS_BUCKET": "releng-pipeline-artifacts-dev",
"GITHUB_TOKEN": from_secret("github_token"),
},
@ -407,7 +410,7 @@ def upload_cdn_step(ver_mode, trigger = None):
"grafana-server",
],
"environment": {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads),
"PRERELEASE_BUCKET": from_secret(prerelease_bucket),
},
"commands": [
@ -954,7 +957,7 @@ def build_docker_images_step(archs = None, ubuntu = False, publish = False):
cmd += " -archs {}".format(",".join(archs))
environment = {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads),
}
return {
@ -974,7 +977,7 @@ def fetch_images_step():
"name": "fetch-images",
"image": images["cloudsdk_image"],
"environment": {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads),
"DOCKER_USER": from_secret("docker_username"),
"DOCKER_PASSWORD": from_secret("docker_password"),
},
@ -1001,7 +1004,7 @@ def publish_images_step(ver_mode, docker_repo, trigger = None):
docker_repo = "grafana/{}".format(docker_repo)
environment = {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads),
"DOCKER_USER": from_secret("docker_username"),
"DOCKER_PASSWORD": from_secret("docker_password"),
"GITHUB_APP_ID": from_secret("delivery-bot-app-id"),
@ -1177,7 +1180,7 @@ def upload_packages_step(ver_mode, trigger = None):
"image": images["publish_image"],
"depends_on": end_to_end_tests_deps(),
"environment": {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads_base64),
"PRERELEASE_BUCKET": from_secret("prerelease_bucket"),
},
"commands": [
@ -1219,7 +1222,7 @@ def publish_grafanacom_step(ver_mode):
],
"environment": {
"GRAFANA_COM_API_KEY": from_secret("grafana_api_key"),
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads),
},
"commands": [
cmd,
@ -1368,7 +1371,7 @@ def get_windows_steps(ver_mode, bucket = "%PRERELEASE_BUCKET%", edition = "oss")
"windows-init",
],
"environment": {
"GCP_KEY": from_secret("gcp_key"),
"GCP_KEY": from_secret(gcp_grafanauploads_base64),
"PRERELEASE_BUCKET": from_secret(prerelease_bucket),
"GITHUB_TOKEN": from_secret("github_token"),
},
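Review bot: In the upload_packages_step hunk (`@ -1177`), the line directly below the changed one still reads `"PRERELEASE_BUCKET": from_secret("prerelease_bucket"),` while the neighbouring steps use the `prerelease_bucket` constant loaded from vault.star at the top of this file; change it to `"PRERELEASE_BUCKET": from_secret(prerelease_bucket),` so a renamed vault secret cannot silently miss this one step. The split between `gcp_grafanauploads` (store_storybook_step, upload_cdn_step, the docker image steps) and `gcp_grafanauploads_base64` (upload_packages_step, get_windows_steps) is not explained anywhere in the hunks; a comment on the first base64 use such as `# base64 variant of gcp_grafanauploads — presumably for steps that cannot consume the raw credentials file; confirm` would record the intent. With every `from_secret("gcp_key")` in this file replaced, the drone-level `gcp_key` secret appears to be unreferenced after this change; revoking it once the new pipelines are verified is outside the diff but worth tracking. Each of the enclosing functions starts or ends outside its hunk.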


@ -5,6 +5,8 @@ pull_secret = "dockerconfigjson"
drone_token = "drone_token"
prerelease_bucket = "prerelease_bucket"
gcp_upload_artifacts_key = "gcp_upload_artifacts_key"
gcp_grafanauploads = "gcp_grafanauploads"
gcp_grafanauploads_base64 = "gcp_grafanauploads_base64"
gcp_download_build_container_assets_key = "gcp_download_build_container_assets_key"
azure_sp_app_id = "azure_sp_app_id"
azure_sp_app_pw = "azure_sp_app_pw"
@ -30,6 +32,8 @@ def vault_secret(name, path, key):
def secrets():
return [
vault_secret(gcp_grafanauploads, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials.json"),
vault_secret(gcp_grafanauploads_base64, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials_base64"),
vault_secret("grafana_api_key", "infra/data/ci/drone-plugins", "grafana_api_key"),
vault_secret(pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
vault_secret("github_token", "infra/data/ci/github/grafanabot", "pat"),