fumiama/terasu-cloudflared
1
0
Fork 0
mirror of https://github.com/fumiama/terasu-cloudflared.git synced 2026-06-12 06:00:25 +08:00
Code Activity

TUN-9800: Add pipelines for linux packaging

Browse Source
This commit is contained in:
João "Pisco" Fernandes
2025-10-31 14:43:50 +00:00
parent 70658b863b
commit a8fdbb83d0
11 changed files with 229 additions and 282 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.ci/commons.gitlab-ci.yml
View File

@@ -3,14 +3,14 @@
# Rules to run the job only on the master branch
run-on-master:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: always
when: on_success
- when: never
# Rules to run the job only on merge requests
run-on-mr:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: always
when: on_success
- when: never
# Rules to run the job on merge_requests and master branch
run-always:
@@ -18,7 +18,7 @@
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: always
when: on_success
- when: never
# This before_script is injected into every job that runs on master meaning that if there is no tag the step

8
.ci/image/Dockerfile
View File

@@ -16,7 +16,13 @@ RUN apt-get update && \
python3-venv \
# libmsi and libgcab are libraries the wixl binary depends on.
libmsi-dev \
libgcab-dev && \
libgcab-dev \
# deb and rpm build tools
rubygem-fpm \
rpm \
# create deb and rpm repository files
reprepro \
createrepo-c && \
rm -rf /var/lib/apt/lists/* && \
# Install wixl
curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \

31
.ci/linux.gitlab-ci.yml
View File

@@ -8,6 +8,18 @@
imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
CGO_ENABLED: 1
.default-packaging-job: &packaging-job-defaults
stage: build
needs:
- ci-image-get-image-ref
rules:
- !reference [.default-rules, run-on-master]
image: $BUILD_IMAGE
cache: {}
artifacts:
paths:
- artifacts/*
include:
###################
### Linux Build ###
@@ -89,3 +101,22 @@ component-tests-linux-fips:
variables:
<<: *component-tests-variables
COMPONENT_TESTS_FIPS: 1
################################
####### Linux Packaging ########
################################
linux-packaging:
<<: *packaging-job-defaults
parallel:
matrix:
- ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
script:
- ./.ci/scripts/linux/build-packages.sh ${ARCH}
################################
##### Linux FIPS Packaging #####
################################
linux-packaging-fips:
<<: *packaging-job-defaults
script:
- ./.ci/scripts/linux/build-packages-fips.sh

120
.ci/release.gitlab-ci.yml
View File

@@ -1,17 +1,28 @@
include:
- local: .ci/commons.gitlab-ci.yml
###########################################
### Push Cloudflared Binaries to Github ###
###########################################
release-cloudflared-to-github:
######################################
### Build and Push DockerHub Image ###
######################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
inputs:
stage: release
jobPrefix: docker-hub
runOnMR: false
runOnBranches: '^master$'
runOnChangesTo: ['RELEASE_NOTES']
needs:
- generate-version-file
- release-cloudflared-to-r2
commentImageRefs: false
runner: vm-linux-x86-4cpu-8gb
DOCKER_USER_BRANCH: svcgithubdockerhubcloudflar045
DOCKER_PASSWORD_BRANCH: gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
EXTRA_DIB_ARGS: --overwrite
.default-release-job: &release-job-defaults
stage: release
image: $BUILD_IMAGE
extends: .check-tag
needs:
- ci-image-get-image-ref
- package-windows
- build-and-sign-cloudflared-macos
rules:
- !reference [.default-rules, run-on-master]
cache:
@@ -19,8 +30,16 @@ release-cloudflared-to-github:
- .cache/pip
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
# KV Vars
KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
# R2 Vars
R2_BUCKET: cloudflared-pkgs
R2_ACCOUNT_ID: *cf-account
# APT and RPM Repository Vars
GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
PKG_URL: "https://pkg.cloudflare.com/cloudflared"
BINARY_NAME: cloudflared
secrets:
KV_API_TOKEN:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
@@ -28,12 +47,77 @@ release-cloudflared-to-github:
API_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
file: false
R2_CLIENT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
file: false
R2_CLIENT_SECRET:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
file: false
LINUX_SIGNING_PUBLIC_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
file: false
LINUX_SIGNING_PRIVATE_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
file: false
LINUX_SIGNING_PUBLIC_KEY_2:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
file: false
LINUX_SIGNING_PRIVATE_KEY_2:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
file: false
###########################################
### Push Cloudflared Binaries to Github ###
###########################################
release-cloudflared-to-github:
<<: *release-job-defaults
extends: .check-tag
needs:
- build-and-sign-cloudflared-macos
- ci-image-get-image-ref
- linux-packaging
- linux-packaging-fips
- package-windows
script:
- python3 --version ; pip --version # For debugging
- python3 -m venv venv
- source venv/bin/activate
- pip install pynacl==1.4.0 pygithub==1.55
- echo $VERSION
- echo $TAG_EXISTS
- echo "Running release because tag exists."
- make gitlab-release
- ./.ci/scripts/release-target.sh github-release
#########################################
### Upload Cloudflared Binaries to R2 ###
#########################################
release-cloudflared-to-r2:
<<: *release-job-defaults
extends: .check-tag
needs:
- ci-image-get-image-ref
- linux-packaging # We only release non-FIPS binaries to R2
- release-cloudflared-to-github
script:
- ./.ci/scripts/release-target.sh r2-linux-release
#################################################
### Upload Cloudflared Nightly Binaries to R2 ###
#################################################
release-cloudflared-nightly-to-r2:
<<: *release-job-defaults
variables:
R2_BUCKET: cloudflared-pkgs-next
GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
needs:
- ci-image-get-image-ref
- linux-packaging # We only release non-FIPS binaries to R2
script:
- ./.ci/scripts/release-target.sh r2-linux-release
#############################
### Generate Version File ###
#############################
generate-version-file:
<<: *release-job-defaults
needs:
- ci-image-get-image-ref
script:
- make generate-docker-version
artifacts:
paths:
- versions

26
.ci/scripts/linux/build-packages-fips.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/bin/bash
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
# This controls the directory the built artifacts go into
export ARTIFACT_DIR=artifacts/
mkdir -p $ARTIFACT_DIR
arch=("amd64")
export TARGET_ARCH=$arch
export TARGET_OS=linux
export FIPS=true
# For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
export CGO_ENABLED=1
make cloudflared-deb
mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION | sed -r 's/-/_/g')
RPMARCH="x86_64"
make cloudflared-rpm
mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
# finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch

59
.ci/scripts/linux/build-packages.sh Executable file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
# Check if architecture argument is provided
if [ $# -eq 0 ]; then
echo "Error: Architecture argument is required"
echo "Usage: $0 <architecture>"
exit 1
fi
# Parameters
arch=$1
# Get Version
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
# Disable FIPS module in go-boring
export GOEXPERIMENT=noboringcrypto
export CGO_ENABLED=0
# This controls the directory the built artifacts go into
export ARTIFACT_DIR=artifacts/
mkdir -p $ARTIFACT_DIR
export TARGET_OS=linux
unset TARGET_ARM
export TARGET_ARCH=$arch
## Support for arm platforms without hardware FPU enabled
if [[ $arch == arm ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=5
fi
## Support for armhf builds
if [[ $arch == armhf ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=7
fi
make cloudflared-deb
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH=$arch
if [ $arch == "amd64" ];then
RPMARCH="x86_64"
fi
if [ $arch == "arm64" ]; then
RPMARCH="aarch64"
fi
make cloudflared-rpm
mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
# finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch

18
.ci/scripts/release-target.sh Executable file
View File

@@ -0,0 +1,18 @@
#!/bin/bash
set -e -o pipefail
# Check if a make target is provided as an argument
if [ $# -eq 0 ]; then
echo "Error: Make target argument is required"
echo "Usage: $0 <make-target>"
exit 1
fi
MAKE_TARGET=$1
python3 -m venv venv
source venv/bin/activate
# Our release scripts are written in python, so we should install their dependecies here.
pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
make $MAKE_TARGET