diff --git a/.expeditor/build.habitat.yml b/.expeditor/build.habitat.yml new file mode 100644 index 0000000..72ea256 --- /dev/null +++ b/.expeditor/build.habitat.yml @@ -0,0 +1,9 @@ +--- +origin: chef + +expeditor: + defaults: + buildkite: + retry: + automatic: + limit: 1 diff --git a/.expeditor/buildkite/artifact.habitat.test.ps1 b/.expeditor/buildkite/artifact.habitat.test.ps1 new file mode 100644 index 0000000..af4b98d --- /dev/null +++ b/.expeditor/buildkite/artifact.habitat.test.ps1 @@ -0,0 +1,92 @@ +#!/usr/bin/env powershell + +#Requires -Version 5 +# https://stackoverflow.com/questions/9948517 +# TODO: Set-StrictMode -Version Latest +$PSDefaultParameterValues['*:ErrorAction']='Stop' +$ErrorActionPreference = 'Stop' +$env:HAB_BLDR_CHANNEL = "LTS-2024" +$env:HAB_ORIGIN = 'ci' +$env:CHEF_LICENSE = 'accept-no-persist' +$env:HAB_LICENSE = 'accept-no-persist' +$Plan = 'chef-vault' + +Write-Host "--- system details" +$Properties = 'Caption', 'CSName', 'Version', 'BuildType', 'OSArchitecture' +Get-CimInstance Win32_OperatingSystem | Select-Object $Properties | Format-Table -AutoSize + +Write-Host "--- Installing the version of Habitat required" + +function Stop-HabProcess { + $habProcess = Get-Process hab -ErrorAction SilentlyContinue + if ($habProcess) { + Write-Host "Stopping hab process..." + Stop-Process -Name hab -Force + } +} + +function Install-Habitat { + Write-Host "Downloading and installing Habitat..." + Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1')) +} + +try { + hab --version +} +catch { + Set-ExecutionPolicy Bypass -Scope Process -Force + + Stop-HabProcess + + # Remove the existing hab.exe if it exists and if you have permissions + $habPath = "C:\ProgramData\Habitat\hab.exe" + if (Test-Path $habPath) { + Write-Host "Attempting to remove existing hab.exe..." + Remove-Item $habPath -Force -ErrorAction SilentlyContinue + if (Test-Path $habPath) { + Write-Host "Failed to remove hab.exe, re-running script with elevated permissions." + Start-Process powershell -Verb runAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" + exit + } + } + + Install-Habitat +} +finally { + Write-Host ":habicat: I think I have the version I need to build." +} + + +Write-Host "--- Generating fake origin key" +hab origin key generate $env:HAB_ORIGIN + +Write-Host "--- Building $Plan" +$project_root = "$(git rev-parse --show-toplevel)" +Set-Location $project_root + +$env:DO_CHECK=$true; hab pkg build . + +. $project_root/results/last_build.ps1 + +Write-Host "--- Installing $pkg_ident/$pkg_artifact" +hab pkg install -b $project_root/results/$pkg_artifact + +Write-Host "+++ Testing $Plan" + +Push-Location $project_root + +try { + Write-Host "Running unit tests..." + hab pkg exec "${pkg_ident}" rake unit + + If ($lastexitcode -ne 0) { + Write-Host "Rake unit tests failed!" -ForegroundColor Red + Exit $lastexitcode + } else { + Write-Host "Rake unit tests passed!" -ForegroundColor Green + } +} +finally { + # Ensure we always return to the original directory + Pop-Location +} diff --git a/.expeditor/buildkite/artifact.habitat.test.sh b/.expeditor/buildkite/artifact.habitat.test.sh new file mode 100644 index 0000000..225255b --- /dev/null +++ b/.expeditor/buildkite/artifact.habitat.test.sh @@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +set -eo pipefail + +export HAB_ORIGIN='ci' +export PLAN='chef-vault' +export CHEF_LICENSE="accept-no-persist" +export HAB_LICENSE="accept-no-persist" +export HAB_BLDR_CHANNEL="LTS-2024" + +echo "--- checking if git is installed" +if ! command -v git &> /dev/null; then + echo "Git is not installed. Installing Git..." + sudo yum install -y git +else + echo "Git is already installed." + git --version +fi + +echo "--- add an exception for this directory since detected dubious ownership in repository at /workdir" +git config --global --add safe.directory /workdir + +echo "--- git status for this workdir" +git status + +echo "--- ruby version" +ruby -v + +export project_root="$(git rev-parse --show-toplevel)" +echo "The value for project_root is: $project_root" + +export HAB_NONINTERACTIVE=true +export HAB_NOCOLORING=true +export HAB_STUDIO_SECRET_HAB_NONINTERACTIVE=true + +echo "--- system details" +uname -a + +echo "--- Installing Habitat" +id -a +curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash + +echo "--- :key: Generating fake origin key" +hab origin key generate "$HAB_ORIGIN" + + +echo "--- Building $PLAN" +cd "$project_root" +DO_CHECK=true hab pkg build . + +echo "--- Sourcing 'results/last_build.sh'" +if [ -f ./results/last_build.env ]; then + cat ./results/last_build.env + . ./results/last_build.env + export pkg_artifact +fi + +echo "+++ Installing ${pkg_ident:?is undefined}" +echo "++++" +echo $project_root +echo "+++" +hab pkg install -b "${project_root:?is undefined}/results/${pkg_artifact:?is undefined}" + +echo "+++ Testing $PLAN" + +PATH="$(hab pkg path ci/chef-vault)/bin:$PATH" +export PATH +echo "PATH is $PATH" + +echo "--- :mag_right: Testing $PLAN" +${project_root}/habitat/tests/test.sh "$pkg_ident" || error 'failures during test of executables' diff --git a/.expeditor/config.yml b/.expeditor/config.yml index e5b8b05..de986bc 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml @@ -46,6 +46,18 @@ subscriptions: - "Expeditor: Skip All" - built_in:build_gem: only_if: built_in:bump_version + - trigger_pipeline:habitat/build: + only_if: built_in:bump_version + ignore_labels: + - "Expeditor: Skip Habitat" + - "Expeditor: Skip All" + + # the habitat chain + - workload: buildkite_hab_build_group_published:{{agent_id}}:* + actions: + # when all of the hab package publish to the unstable channel, test and promote them + - trigger_pipeline:habitat/test + - workload: project_promoted:{{agent_id}}:* actions: - built_in:rollover_changelog @@ -55,3 +67,16 @@ pipelines: - verify: description: Pull Request validation tests public: true + - habitat/build: + env: + - HAB_NONINTERACTIVE: "true" + - HAB_NOCOLORING: "true" + - HAB_STUDIO_SECRET_HAB_NONINTERACTIVE: "true" + - habitat/test: + description: Execute tests against the habitat artifact + definition: .expeditor/habitat-test.pipeline.yml + env: + - HAB_NONINTERACTIVE: "true" + - HAB_NOCOLORING: "true" + - HAB_STUDIO_SECRET_HAB_NONINTERACTIVE: "true" + trigger: pull_request diff --git a/.expeditor/habitat-test.pipeline.yml b/.expeditor/habitat-test.pipeline.yml new file mode 100644 index 0000000..838d841 --- /dev/null +++ b/.expeditor/habitat-test.pipeline.yml @@ -0,0 +1,34 @@ +--- +expeditor: + defaults: + buildkite: + timeout_in_minutes: 30 + retry: + automatic: + limit: 1 + +steps: + + - label: ":linux: Validate Habitat Builds of Test Kitchen" + commands: + - .expeditor/buildkite/artifact.habitat.test.sh + expeditor: + executor: + docker: + image: ruby:3.1 + privileged: true + + - label: ":windows: Validate Habitat Builds of Test Kitchen" + commands: + - .expeditor/buildkite/artifact.habitat.test.ps1 + expeditor: + executor: + docker: + host_os: windows + shell: ["powershell", "-Command"] + image: rubydistros/windows-2019:3.1 + user: 'NT AUTHORITY\SYSTEM' + environment: + - FORCE_FFI_YAJL=ext + - EXPIRE_CACHE=true + - CHEF_LICENSE=accept-no-persist \ No newline at end of file diff --git a/Gemfile b/Gemfile index c8defbb..75b5b37 100644 --- a/Gemfile +++ b/Gemfile @@ -5,6 +5,7 @@ gemspec group :development do gem "chefstyle" gem "rake" + gem "appbundler" if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0.0") gem "contracts", "~> 0.16.1" # pin until we drop ruby < 2.7 gem "chef-zero" diff --git a/habitat/plan.ps1 b/habitat/plan.ps1 new file mode 100644 index 0000000..72c3128 --- /dev/null +++ b/habitat/plan.ps1 @@ -0,0 +1,92 @@ +$ErrorActionPreference = "Stop" +$PSDefaultParameterValues['*:ErrorAction']='Stop' + +$env:HAB_BLDR_CHANNEL = "LTS-2024" +$pkg_name="chef-vault" +$pkg_origin="chef" +$pkg_version=$(Get-Content "$PLAN_CONTEXT/../VERSION") +$pkg_maintainer="The Chef Maintainers " + +$pkg_deps=@( + "chef/ruby31-plus-devkit" + "core/git" +) +$pkg_bin_dirs=@("bin" + "vendor/bin") +$project_root= (Resolve-Path "$PLAN_CONTEXT/../").Path + +function pkg_version { + Get-Content "$SRC_PATH/VERSION" +} + +function Invoke-Before { + Set-PkgVersion +} +function Invoke-SetupEnvironment { + Push-RuntimeEnv -IsPath GEM_PATH "$pkg_prefix/vendor" + + Set-RuntimeEnv APPBUNDLER_ALLOW_RVM "true" # prevent appbundler from clearing out the carefully constructed runtime GEM_PATH + Set-RuntimeEnv FORCE_FFI_YAJL "ext" + Set-RuntimeEnv LANG "en_US.UTF-8" + Set-RuntimeEnv LC_CTYPE "en_US.UTF-8" +} + +function Invoke-Build { + try { + $env:Path += ";c:\\Program Files\\Git\\bin" + Push-Location $project_root + $env:GEM_HOME = "$HAB_CACHE_SRC_PATH/$pkg_dirname/vendor" + + Write-BuildLine " ** Configuring bundler for this build environment" + bundle config --local without integration deploy maintenance + bundle config --local jobs 4 + bundle config --local retry 5 + bundle config --local silence_root_warning 1 + Write-BuildLine " ** Using bundler to retrieve the Ruby dependencies" + bundle install + + gem build chef-vault.gemspec + Write-BuildLine " ** Using gem to install" + gem install chef-vault*.gem --no-document + + If ($lastexitcode -ne 0) { Exit $lastexitcode } + } finally { + Pop-Location + } +} + +function Invoke-Install { + Write-BuildLine "** Copy built & cached gems to install directory" + Copy-Item -Path "$HAB_CACHE_SRC_PATH/$pkg_dirname/*" -Destination $pkg_prefix -Recurse -Force -Exclude @("gem_make.out", "mkmf.log", "Makefile", + "*/latest", "latest", + "*/JSON-Schema-Test-Suite", "JSON-Schema-Test-Suite") + + try { + Push-Location $pkg_prefix + bundle config --local gemfile $project_root/Gemfile + Write-BuildLine "** generating binstubs for chef-vault with precise version pins" + Write-BuildLine "** generating binstubs for chef-vault with precise version pins $project_root $pkg_prefix/bin " + Invoke-Expression -Command "appbundler.bat $project_root $pkg_prefix/bin chef-vault" + If ($lastexitcode -ne 0) { Exit $lastexitcode } + Write-BuildLine " ** Running the chef-vault project's 'rake install' to install the path-based gems so they look like any other installed gem." + + If ($lastexitcode -ne 0) { Exit $lastexitcode } + } finally { + Pop-Location + } +} + +function Invoke-After { + # We don't need the cache of downloaded .gem files ... + Remove-Item $pkg_prefix/vendor/cache -Recurse -Force + # We don't need the gem docs. + Remove-Item $pkg_prefix/vendor/doc -Recurse -Force + # We don't need to ship the test suites for every gem dependency, + # only inspec's for package verification. + Get-ChildItem $pkg_prefix/vendor/gems -Filter "spec" -Directory -Recurse -Depth 1 ` + | Where-Object -FilterScript { $_.FullName -notlike "*chef-vault*" } ` + | Remove-Item -Recurse -Force + # Remove the byproducts of compiling gems with extensions + Get-ChildItem $pkg_prefix/vendor/gems -Include @("gem_make.out", "mkmf.log", "Makefile") -File -Recurse ` + | Remove-Item -Force +} \ No newline at end of file diff --git a/habitat/plan.sh b/habitat/plan.sh new file mode 100644 index 0000000..338ca25 --- /dev/null +++ b/habitat/plan.sh @@ -0,0 +1,90 @@ +export HAB_BLDR_CHANNEL="LTS-2024" +_chef_client_ruby="core/ruby3_1" +pkg_name="chef-vault" +pkg_origin="chef" +pkg_maintainer="The Chef Maintainers " +pkg_description="Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values." +pkg_license=('Apache-2.0') +pkg_bin_dirs=( + bin + vendor/bin +) +pkg_build_deps=( + core/make + core/bash + core/gcc + core/libarchive +) +pkg_deps=( + $_chef_client_ruby + core/coreutils + core/git +) +pkg_svc_user=root + +pkg_version() { + cat "$SRC_PATH/VERSION" +} + +do_before() { + update_pkg_version +} + +do_unpack() { + mkdir -pv "$HAB_CACHE_SRC_PATH/$pkg_dirname" + cp -RT "$PLAN_CONTEXT"/.. "$HAB_CACHE_SRC_PATH/$pkg_dirname/" +} + +do_build() { + echo $(pkg_path_for $_chef_client_ruby) + export GEM_HOME="$pkg_prefix/vendor/gems" + + build_line "Setting GEM_PATH=$GEM_HOME" + export GEM_PATH="$GEM_HOME" + bundle config --local without integration deploy maintenance + bundle config --local jobs 4 + bundle config --local retry 5 + bundle config --local silence_root_warning 1 + bundle install + gem build chef-vault.gemspec +} + +do_install() { + export GEM_HOME="$pkg_prefix/vendor/gems" + + build_line "Setting GEM_PATH=$GEM_HOME" + export GEM_PATH="$GEM_HOME" + gem install chef-vault-*.gem --no-document + wrap_ruby_chef_vault + set_runtime_env "GEM_PATH" "${pkg_prefix}/vendor/gems" +} + +wrap_ruby_chef_vault() { + local bin="$pkg_prefix/bin/chef-vault" + local real_bin="$GEM_HOME/gems/chef-vault-${pkg_version}/bin/chef-vault" + wrap_bin_with_ruby "$bin" "$real_bin" +} + +wrap_bin_with_ruby() { + local bin="$1" + local real_bin="$2" + build_line "Adding wrapper $bin to $real_bin" + cat < "$bin" +#!$(pkg_path_for core/bash)/bin/bash +set -e + +# Set binary path that allows chef-vault to use non-Hab pkg binaries +export PATH="/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:\$PATH" + +# Set Ruby paths defined from 'do_setup_environment()' +export GEM_HOME="$pkg_prefix/vendor/gems" +export GEM_PATH="\$GEM_HOME" + +exec $(pkg_path_for $_chef_client_ruby)/bin/ruby $real_bin \$@ +EOF + chmod -v 755 "$bin" +} + +do_strip() { + return 0 +} diff --git a/habitat/tests/test.sh b/habitat/tests/test.sh new file mode 100644 index 0000000..bb5f881 --- /dev/null +++ b/habitat/tests/test.sh @@ -0,0 +1,25 @@ +#!/bin/bash + +set -euo pipefail + +project_root="$(git rev-parse --show-toplevel)" + +# print error message followed by usage and exit +error () { + local message="$1" + + echo -e "\nERROR: ${message}\n" >&2 + + exit 1 +} + +[[ -n "$pkg_ident" ]] || error 'no hab package identity provided' + +package_version=$(awk -F / '{print $3}' <<<"$pkg_ident") + +cd "${project_root}" + +echo "--- :mag_right: Testing ${pkg_ident} executables" +help_message=$(hab pkg exec "${pkg_ident}" -- chef-vault -h) +original_help="Usage: chef-vault" +[[ $help_message =~ $original_help ]] || error "chef-vault help command is not as expected"