-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
108 additions
and
116 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,125 +1,38 @@ | ||
| version: 2.1 | ||
|
|
||
| setup: true | ||
| orbs: | ||
| orb-hashicorp-vault-cli: smaeda-ks/orb-hashicorp-vault-cli@<<pipeline.parameters.dev-orb-version>> | ||
| orb-tools: circleci/[email protected] | ||
| bats: circleci/[email protected] | ||
|
|
||
| # Pipeline Parameters | ||
| ## These parameters are used internally by orb-tools. Skip to the Jobs section. | ||
| parameters: | ||
| run-integration-tests: | ||
| description: An internal flag to prevent integration test from running before a development version has been created. | ||
| type: boolean | ||
| default: false | ||
| dev-orb-version: | ||
| description: > | ||
| The development version of the orb to test. | ||
| This value is automatically adjusted by the "trigger-integration-tests-workflow" job to correspond with the specific version created by the commit and should not be edited. | ||
| A "dev:alpha" version must exist for the initial pipeline run. | ||
| type: string | ||
| default: "dev:alpha" | ||
|
|
||
| jobs: | ||
| integration-test-1: | ||
| machine: true | ||
| steps: | ||
| - checkout | ||
| - run: | ||
| name: Start local Vault dev server (Docker) | ||
| command: | | ||
| docker run -d --cap-add=IPC_LOCK -p 8200:8200 -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' vault | ||
| - orb-hashicorp-vault-cli/install | ||
| - run: vault --version | ||
| - run: | ||
| name: Set up Vault dev server | ||
| command: | | ||
| vault auth enable jwt | ||
| orb-tools: circleci/[email protected] | ||
| # shellcheck: circleci/[email protected] | ||
|
|
||
| vault write auth/jwt/config \ | ||
| bound_issuer="https://oidc.circleci.com/org/${CIRCLECI_ORG_ID}" \ | ||
| oidc_discovery_url="https://oidc.circleci.com/org/${CIRCLECI_ORG_ID}" | ||
| filters: &filters | ||
| tags: | ||
| only: /.*/ | ||
|
|
||
| vault kv put secret/circleci/orb test=foo | ||
| vault policy write circleci-orb-dev -\<<EOF | ||
| path "secret/data/circleci/orb" { | ||
| capabilities = ["read"] | ||
| } | ||
| EOF | ||
| vault write auth/jwt/role/circleci-orb-dev -\<<EOF | ||
| { | ||
| "role_type": "jwt", | ||
| "user_claim": "sub", | ||
| "bound_claims": { | ||
| "aud": "${CIRCLECI_ORG_ID}" | ||
| }, | ||
| "policies": ["circleci-orb-dev"], | ||
| "ttl": "1h" | ||
| } | ||
| EOF | ||
| exit 0 | ||
| environment: | ||
| VAULT_TOKEN: myroot | ||
| VAULT_ADDR: "http://localhost:8200" | ||
| - orb-hashicorp-vault-cli/auth-oidc: | ||
| vault-address: "http://localhost:8200" | ||
| vault-role: "circleci-orb-dev" | ||
| - run: vault kv get -field=test secret/circleci/orb | ||
| workflows: | ||
| # Prior to producing a development orb (which requires credentials) basic validation, linting, and even unit testing can be performed. | ||
| # This workflow will run on every commit | ||
| test-pack: | ||
| unless: << pipeline.parameters.run-integration-tests >> | ||
| lint-pack: | ||
| jobs: | ||
| - orb-tools/lint # Lint Yaml files | ||
| - orb-tools/pack # Pack orb source | ||
| # optional: Run BATS tests against your scripts | ||
| # - bats/run: | ||
| # path: ./src/tests | ||
| # Publish development version(s) of the orb. | ||
| - orb-tools/publish-dev: | ||
| - orb-tools/lint: | ||
| filters: *filters | ||
| - orb-tools/pack: | ||
| filters: *filters | ||
| - orb-tools/review: | ||
| filters: *filters | ||
| exclude: RC006,RC009 | ||
| # - shellcheck/check: | ||
| # exclude: SC2148,SC2038,SC2086,SC2002,SC2016 | ||
| # filters: *filters | ||
| - orb-tools/publish: | ||
| orb-name: smaeda-ks/orb-hashicorp-vault-cli | ||
| context: orb-publishing # A restricted context containing your private publishing credentials. Will only execute if approved by an authorized user. | ||
| requires: | ||
| - orb-tools/lint | ||
| - orb-tools/pack | ||
| # - bats/run | ||
| # Trigger an integration workflow to test the | ||
| # dev:${CIRCLE_SHA1:0:7} version of your orb | ||
| - orb-tools/trigger-integration-tests-workflow: | ||
| name: trigger-integration-dev | ||
| context: orb-publishing | ||
| vcs-type: << pipeline.project.type >> | ||
| requires: | ||
| - orb-tools/publish-dev | ||
|
|
||
| # This `integration-test_deploy` workflow will only run | ||
| # when the run-integration-tests pipeline parameter is set to true. | ||
| # It is meant to be triggered by the "trigger-integration-tests-workflow" | ||
| # job, and run tests on <your orb>@dev:${CIRCLE_SHA1:0:7}. | ||
| integration-test_deploy: | ||
| when: << pipeline.parameters.run-integration-tests >> | ||
| jobs: | ||
| # Run any integration tests defined within the `jobs` key. | ||
| - integration-test-1: | ||
| [orb-tools/lint, orb-tools/review, orb-tools/pack] | ||
| # Use a context to hold your publishing token. | ||
| context: orb-publishing | ||
| # Publish a semver version of the orb. relies on | ||
| # the commit subject containing the text "[semver:patch|minor|major|skip]" | ||
| # as that will determine whether a patch, minor or major | ||
| # version will be published or if publishing should | ||
| # be skipped. | ||
| # e.g. [semver:patch] will cause a patch version to be published. | ||
| - orb-tools/dev-promote-prod-from-commit-subject: | ||
| orb-name: smaeda-ks/orb-hashicorp-vault-cli | ||
| context: orb-publishing | ||
| add-pr-comment: false | ||
| fail-if-semver-not-indicated: true | ||
| publish-version-tag: false | ||
| requires: | ||
| - integration-test-1 | ||
| filters: | ||
| branches: | ||
| only: | ||
| - master | ||
| - main | ||
| filters: *filters | ||
| # Triggers the next workflow in the Orb Development Kit. | ||
| - orb-tools/continue: | ||
| config-path: .circleci/test-deploy.yml | ||
| pipeline-number: << pipeline.number >> | ||
| vcs-type: << pipeline.project.type >> | ||
| requires: [orb-tools/publish] | ||
| filters: *filters |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| version: 2.1 | ||
| orbs: | ||
| orb-hashicorp-vault-cli: smaeda-ks/orb-hashicorp-vault-cli@dev:<<pipeline.git.revision>> | ||
| orb-tools: circleci/[email protected] | ||
|
|
||
| filters: &filters | ||
| tags: | ||
| only: /.*/ | ||
|
|
||
| jobs: | ||
| integration-test: | ||
| machine: true | ||
| steps: | ||
| - checkout | ||
| - run: | ||
| name: Start local Vault dev server (Docker) | ||
| command: | | ||
| docker run -d --cap-add=IPC_LOCK -p 8200:8200 -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' vault | ||
| - orb-hashicorp-vault-cli/install | ||
| - run: vault --version | ||
| - run: | ||
| name: Set up Vault dev server | ||
| command: | | ||
| vault auth enable jwt | ||
| vault write auth/jwt/config \ | ||
| bound_issuer="https://oidc.circleci.com/org/${CIRCLECI_ORG_ID}" \ | ||
| oidc_discovery_url="https://oidc.circleci.com/org/${CIRCLECI_ORG_ID}" | ||
| vault kv put secret/circleci/orb test=foo | ||
| vault policy write circleci-orb-dev -\<<EOF | ||
| path "secret/data/circleci/orb" { | ||
| capabilities = ["read"] | ||
| } | ||
| EOF | ||
| vault write auth/jwt/role/circleci-orb-dev -\<<EOF | ||
| { | ||
| "role_type": "jwt", | ||
| "user_claim": "sub", | ||
| "bound_claims": { | ||
| "aud": "${CIRCLECI_ORG_ID}" | ||
| }, | ||
| "policies": ["circleci-orb-dev"], | ||
| "ttl": "1h" | ||
| } | ||
| EOF | ||
| exit 0 | ||
| environment: | ||
| VAULT_TOKEN: myroot | ||
| VAULT_ADDR: "http://localhost:8200" | ||
| - orb-hashicorp-vault-cli/auth-oidc: | ||
| vault-address: "http://localhost:8200" | ||
| vault-role: "circleci-orb-dev" | ||
| - run: vault kv get -field=test secret/circleci/orb | ||
| workflows: | ||
| test-deploy: | ||
| jobs: | ||
| # Make sure to include "filters: *filters" in every test job you want to run as part of your deployment. | ||
| - integration-test: | ||
| filters: *filters | ||
| context: orb-publishing | ||
| - orb-tools/pack: | ||
| filters: *filters | ||
| - orb-tools/publish: | ||
| orb-name: smaeda-ks/orb-hashicorp-vault-cli | ||
| vcs-type: <<pipeline.project.type>> | ||
| pub-type: production | ||
| enable-pr-comment: false | ||
| requires: | ||
| - orb-tools/pack | ||
| - integration-test | ||
| context: orb-publishing | ||
| filters: | ||
| branches: | ||
| ignore: /.*/ | ||
| tags: | ||
| only: /^v[0-9]+\.[0-9]+\.[0-9]+$/ |