From: Eric Ball Date: Wed, 29 Apr 2020 01:17:53 +0000 (-0700) Subject: Add signing to Akraino deploy templates X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ci-management.git;a=commitdiff_plain;h=0904fdd5e0e3b113ee90e77c646a7f156d878762;hp=37ee9b6ad5c3bc8d38a05149299f201f8f89d1b8 Add signing to Akraino deploy templates Since Akraino projects do not follow standard release procedures, we will simply sign the artifacts before pushing them to Nexus, just to provide signatures showing that all artifacts come from LF infra. Change-Id: Ia3478900acd02d419fe49c25b1902b1a3459f73d Issue-ID: LF-Jira RELENG-2819 Signed-off-by: Eric Ball --- diff --git a/jjb/akraino-templates/akraino-jjb-templates.yaml b/jjb/akraino-templates/akraino-jjb-templates.yaml index 52d4901..01210ac 100644 --- a/jjb/akraino-templates/akraino-jjb-templates.yaml +++ b/jjb/akraino-templates/akraino-jjb-templates.yaml @@ -115,6 +115,20 @@ builders: - lf-infra-pre-build + - config-file-provider: + files: + - file-id: lftoolsini + target: "$HOME/.config/lftools/lftools.ini" + - file-id: sigul-config + variable: SIGUL_CONFIG + - file-id: sigul-password + variable: SIGUL_PASSWORD + - file-id: sigul-pki + variable: SIGUL_PKI + - file-id: signing-pubkey + variable: SIGNING_PUBKEY + - shell: !include-raw-escape: ../global-jjb/shell/sigul-configuration.sh + - shell: !include-raw-escape: ../global-jjb/shell/sigul-install.sh - lf-maven-install: mvn-version: '{mvn-version}' - lf-update-java-alternatives: 
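Review bot: The signing material (`sigul-config`, `sigul-password`, `sigul-pki`) is provisioned by the new `config-file-provider` builder directly after `lf-infra-pre-build`, so it is already present when `lf-maven-install` and every later builder runs. If any later step executes project-controlled build code, that code can read the files behind `SIGUL_PASSWORD` and `SIGUL_PKI` and have its own content signed, which would weaken the stated goal of showing that artifacts come from LF infra. Consider moving this builder and the two sigul shell steps to just before the step that signs and deploys, with a comment such as `# signing credentials: keep after the project build, used only by lftools sign sigul`. The second hunk of this file (@@ -243,6 +257,20 @@) has the same placement. The builders list continues outside the hunk, so the position of the actual build step is not visible here.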
@@ -243,6 +257,20 @@ builders: - lf-infra-pre-build + - config-file-provider: + files: + - file-id: lftoolsini + target: "$HOME/.config/lftools/lftools.ini" + - file-id: sigul-config + variable: SIGUL_CONFIG + - file-id: sigul-password + variable: SIGUL_PASSWORD + - file-id: sigul-pki + variable: SIGUL_PKI + - file-id: signing-pubkey + variable: SIGNING_PUBKEY + - shell: !include-raw-escape: ../global-jjb/shell/sigul-configuration.sh + - shell: !include-raw-escape: ../global-jjb/shell/sigul-install.sh - lf-jacoco-nojava-workaround - lf-maven-install: mvn-version: '{mvn-version}' diff --git a/jjb/akraino-templates/akraino-ta-common-macros.yaml b/jjb/akraino-templates/akraino-ta-common-macros.yaml index a0d578c..feb1bc2 100644 --- a/jjb/akraino-templates/akraino-ta-common-macros.yaml +++ b/jjb/akraino-templates/akraino-ta-common-macros.yaml @@ -189,6 +189,16 @@ files: - file-id: 'ta-settings' variable: 'SETTINGS_FILE' + - file-id: lftoolsini + target: "$HOME/.config/lftools/lftools.ini" + - file-id: sigul-config + variable: SIGUL_CONFIG + - file-id: sigul-password + variable: SIGUL_PASSWORD + - file-id: sigul-pki + variable: SIGUL_PKI + - file-id: signing-pubkey + variable: SIGNING_PUBKEY - inject: properties-content: 'ALT_NEXUS_URL=https://nexus3.akraino.org' - lf-infra-create-netrc: @@ -201,6 +211,8 @@ # Ensure python-tools are installed in case job template does not # call the lf-infra-pre-build macro. - ../../global-jjb/shell/python-tools-install.sh + - shell: !include-raw: ../global-jjb/shell/sigul-configuration.sh + - shell: !include-raw: ../global-jjb/shell/sigul-install.sh - shell: !include-raw: - ../shell/ta-rpm-deploy.sh - shell: !include-raw: 
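Review bot: The two includes added in the @@ -201,6 +211,8 @@ hunk use `../global-jjb/shell/...`, while the unchanged include directly above them in the same builder list uses `../../global-jjb/shell/python-tools-install.sh`. Both spellings may resolve through JJB's include search path, but two forms for the same directory make it harder to tell which copy of the sigul scripts a job pulls in, and these scripts handle signing credentials. I would settle on one form, e.g. `- shell: !include-raw: ../../global-jjb/shell/sigul-configuration.sh`, if that is the form the existing include relies on; this needs checking against the repository layout. The same applies to the two includes added in the next hunk (@@ -215,12 +227,24 @@), and the macro definitions start outside both hunks.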
@@ -215,12 +227,24 @@ files: - file-id: 'ta-settings' variable: 'SETTINGS_FILE' + - file-id: lftoolsini + target: "$HOME/.config/lftools/lftools.ini" + - file-id: sigul-config + variable: SIGUL_CONFIG + - file-id: sigul-password + variable: SIGUL_PASSWORD + - file-id: sigul-pki + variable: SIGUL_PKI + - file-id: signing-pubkey + variable: SIGNING_PUBKEY - lf-infra-create-netrc: server-id: images-snapshots - shell: !include-raw: # Ensure python-tools are installed in case job template does not # call the lf-infra-pre-build macro. - ../../global-jjb/shell/python-tools-install.sh + - shell: !include-raw: ../global-jjb/shell/sigul-configuration.sh + - shell: !include-raw: ../global-jjb/shell/sigul-install.sh - shell: !include-raw: - ../shell/ta-iso-deploy.sh - shell: !include-raw: diff --git a/jjb/shell/make-tar.sh b/jjb/shell/make-tar.sh index adc830d..2e8819a 100644 --- a/jjb/shell/make-tar.sh +++ b/jjb/shell/make-tar.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -l # # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +echo "---> make-tar.sh" + sudo yum install -y dos2unix # shellcheck source="$WORKSPACE/version.properties" disable=SC1091 dos2unix "${WORKSPACE}/version.properties" 
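Review bot: The shebang change to `#!/bin/bash -l` in the first make-tar.sh hunk is undocumented, and a login shell sources `/etc/profile` and the build user's profile files before the script body runs. The environment of a job that now holds signing credentials therefore depends on whatever those profile files contain on the build node. If the intent is only to get `lftools` onto `PATH` (an assumption; the hunk does not say), a comment under the shebang such as `# -l: login shell so the user-level lftools install is on PATH` would record it. Alternatively the script could extend `PATH` explicitly and keep the plain `#!/bin/bash`.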
@@ -47,25 +49,29 @@ then # Build the regional controller scripts tar ball ARTIFACT_NAME="onap-amsterdam-regional-controller-${STREAM}" TAR_NAME="${ARTIFACT_NAME}-${VERSION}.tgz" - echo "Making tar file ${TARDIR}/${TAR_NAME}" + echo "---> Making tar file ${TARDIR}/${TAR_NAME}" cd ./src/regional_controller_scripts/ tar -cvzf "${TARDIR}/${TAR_NAME}" -- * # Build the ONAP VM scripts tar ball ARTIFACT_NAME="onap-amsterdam-VM-${STREAM}" TAR_NAME="${ARTIFACT_NAME}-${VERSION}.tgz" - echo "Making tar file ${TARDIR}/${TAR_NAME}" + echo "---> Making tar file ${TARDIR}/${TAR_NAME}" cd ../onap_vm_scripts/ tar -cvzf "${TARDIR}/${TAR_NAME}" -- * else TAR_NAME="${PROJECT}-${VERSION}.tgz" - echo "Making tar file ${TARDIR}/${TAR_NAME}" + echo "---> Making tar file ${TARDIR}/${TAR_NAME}" # Put the file in /tmp initially to prevent it $TARDIR from going into the tar file tar -cvzf "/tmp/${TAR_NAME}" -- * mkdir "$TARDIR" cp "/tmp/${TAR_NAME}" "${TARDIR}/${TAR_NAME}" fi + +echo "-----> Sign all artifacts" +lftools sign sigul "${TARDIR}" + set +u +x diff --git a/jjb/shell/ta-iso-deploy.sh b/jjb/shell/ta-iso-deploy.sh index e40eeba..9525e8a 100644 --- a/jjb/shell/ta-iso-deploy.sh +++ b/jjb/shell/ta-iso-deploy.sh @@ -41,6 +41,9 @@ fi cp "$WORKSPACE/work/results/images/"* "$upload_dir1" cp "$WORKSPACE/work/results/images/"* "$upload_dir2" +echo "-----> Sign all artifacts" +lftools sign sigul "$repo_dir" + echo "-----> Upload ISOs to Nexus" lftools deploy nexus "$nexus_repo_url" "$repo_dir" rm -rf "$repo_dir" diff --git a/jjb/shell/ta-rpm-deploy.sh b/jjb/shell/ta-rpm-deploy.sh index d742333..719ec5d 100644 --- a/jjb/shell/ta-rpm-deploy.sh +++ b/jjb/shell/ta-rpm-deploy.sh @@ -63,6 +63,9 @@ for artifact in \ fi done +echo "-----> Sign all artifacts" +lftools sign sigul "$repo_dir" + echo "-----> Upload RPMs to Nexus" lftools deploy nexus "$nexus_repo_url" "$repo_dir"
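Review bot: Nothing visible in this hunk stops the job if `lftools sign sigul "${TARDIR}"` fails: the new shebang is `#!/bin/bash -l` with no `-e`, and whether `set -e` is enabled earlier in make-tar.sh is outside the hunks shown. Without errexit, a signing failure would leave unsigned tarballs in `${TARDIR}` and the build would still finish normally. Making the failure explicit, e.g. `lftools sign sigul "${TARDIR}" || { echo "signing failed"; exit 1; }`, removes the dependency on shell options set elsewhere. The same applies to `lftools sign sigul "$repo_dir"` in ta-iso-deploy.sh and ta-rpm-deploy.sh. There the next command is `lftools deploy nexus`, so a failed signing step would be followed by an upload of unsigned artifacts.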