Merge pull request #65 from kfox1111/rpms

Add spec files for rpms

.github/workflows/pr_build.yaml

@@ -26,3 +26,47 @@ jobs:
       #  run: examples/envoy/test.sh
       - name: K8s examples
         run: examples/k8s/test-all.sh
+  packages:
+    strategy:
+      matrix:
+        os: [ubuntu-24.04]
+        arch: ["", "-arm"]
+    runs-on: ${{ matrix.os }}${{ matrix.arch }}
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - run: |
+          set -xe
+          echo "building: {{github.ref_name}}-$(uname -i)"
+          docker build -t t examples/rpms
+          docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp'
+      - name: Archive artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: packages${{ matrix.arch }}
+          retention-days: 1
+          path: |
+            /tmp/packages
+  combined-packages:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    needs: packages
+    steps:
+      - name: Download archived artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: packages
+          path: /tmp/packages
+      - name: Download archived artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: packages-arm
+          path: /tmp/packages
+      - name: Archive artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: all-packages
+          retention-days: 7
+          path: |
+            /tmp/packages

examples/rpms/Dockerfile

@@ -0,0 +1,46 @@
+ARG STEPVER="0.28.2"
+
+FROM docker.io/library/almalinux:9 AS rpm-builder
+ARG STEPVER
+
+WORKDIR /tmp
+
+COPY *.spec /tmp
+
+RUN \
+  dnf install -y rpmdevtools rpm-build git make && \
+  spectool -g -R spire.spec && \
+  rpmbuild -ba spire.spec && \
+  spectool -g -R spiffe-step-ssh.spec && \
+  rpmbuild -ba spiffe-step-ssh.spec && \
+  spectool -g -R spire-ha-agent.spec && \
+  rpmbuild -ba spire-ha-agent.spec
+
+RUN \
+  dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-${STEPVER}-1.$(uname -i).rpm && \
+  dnf localinstall -y /root/rpmbuild/RPMS/*/*.rpm
+
+FROM docker.io/library/ubuntu:latest AS deb-builder
+ARG STEPVER
+
+COPY --from=rpm-builder /root/rpmbuild/RPMS /root/rpmbuild/RPMS
+
+RUN \
+  apt-get update && \
+  apt-get install -y software-properties-common && \
+  add-apt-repository universe && \
+  apt-get install -y alien && \
+  mkdir -p /root/debbuild && \
+  cd /root/debbuild && \
+  mkdir $(dpkg --print-architecture) && \
+  cd * && \
+  alien -k -c --to-deb /root/rpmbuild/RPMS/*/*.rpm
+
+RUN \
+  curl -L -o step-cli.deb https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli_${STEPVER}-1_$(dpkg --print-architecture).deb && \
+  apt-get install -y ./step-cli.deb && \
+  apt-get install -y /root/debbuild/*/*.deb
+
+FROM docker.io/library/nginx:latest
+COPY --from=rpm-builder /root/rpmbuild/RPMS /usr/share/nginx/html/packages/RPMS
+COPY --from=deb-builder /root/debbuild /usr/share/nginx/html/packages/DEBS

examples/rpms/spiffe-step-ssh.spec

@@ -0,0 +1,56 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
+
+Summary:    SPIFFE Step SSH
+Name:       spiffe-step-ssh
+Version:    0.0.5
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/spiffe-step-ssh/archive/refs/tags/v%{version}.tar.gz
+Requires:   step-cli
+
+%description
+SPIFFE Step SSH
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+
+%build
+
+%install
+cd spiffe-step-ssh-%{version}
+make install DESTDIR="%{buildroot}"
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/libexec/spiffe-step-ssh/*
+/usr/lib/systemd/system/sshd.service.d/10-spiffe-step-ssh.conf
+/usr/lib/systemd/system/spiffe-step-ssh@.service
+/usr/lib/systemd/system/spiffe-step-ssh-cleanup.service
+%config(noreplace) /etc/spiffe/step-ssh

examples/rpms/spire-ha-agent.spec

@@ -0,0 +1,54 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
+
+Summary:    SPIRE HA Agent
+Name:       spire-ha-agent
+Version:    0.0.9
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-ha-agent_Linux_%{ARCH}.tar.gz
+
+%description
+SPIRE HA Agent
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+
+%build
+
+%install
+mkdir -p %{buildroot}/usr/bin
+mkdir -p %{buildroot}/usr/lib/systemd/system
+mv spire-ha-agent %{buildroot}/usr/bin
+cp -a systemd/spire-ha-agent@.service %{buildroot}/usr/lib/systemd/system
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/bin/spire-ha-agent
+/usr/lib/systemd/system/spire-ha-agent@.service

examples/rpms/spire.spec

@@ -0,0 +1,113 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
+
+Summary:    SPIRE components
+Name:       spire-common
+Version:    1.11.1
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/spire/releases/download/v%{version}/spire-%{version}-linux-%{ARCH}-musl.tar.gz
+Source1:    https://github.com/spiffe/spire/releases/download/v%{version}/spire-extras-%{version}-linux-%{ARCH}-musl.tar.gz
+
+%description
+SPIRE Common
+
+%package -n spire-server
+Summary: SPIRE Server
+Requires: spire-common
+%description -n spire-server
+SPIRE Server
+
+%preun -n spire-server
+%if 0%{?suse_version}
+%service_del_preun spire-server@\*.service spire-server.target
+%endif
+%if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
+%systemd_preun spire-server@\*.service spire-server.target
+%endif
+
+%postun -n spire-server
+%systemd_postun spire-server@\*.service spire-server.target
+
+%package -n spire-agent
+Summary: SPIRE Agent
+Requires: spire-common
+%description -n spire-agent
+SPIRE Agent
+
+%preun -n spire-agent
+%if 0%{?suse_version}
+%service_del_preun spire-agent@\*.service spire-agent.target
+%endif
+%if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
+%systemd_preun spire-agent@\*.service spire-agent.target
+%endif
+
+%postun -n spire-agent
+%systemd_postun spire-agent@\*.service spire-agent.target
+
+%package -n spiffe-oidc-discovery-provider
+Summary: SPIFFE OIDC Discovery Provider
+Requires: spire-common
+%description -n spiffe-oidc-discovery-provider
+SPIFFE OIDC Discovery Provider
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+%setup -T -D -a 1
+
+%build
+
+%install
+
+mkdir -p "%{buildroot}/bin"
+cp "spire-%{version}"/bin/* "%{buildroot}/bin"
+cp "spire-extras-%{version}"/bin/oidc-discovery-provider "%{buildroot}/bin/spiffe-oidc-discovery-provider"
+git clone https://github.com/spiffe/spire-examples
+cd spire-examples
+cd examples/systemd
+make install DESTDIR="%{buildroot}"
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/lib/systemd/system/*.target
+%config(noreplace) /etc/spiffe/default-trust-domain.env
+
+%files -n spire-server
+/usr/lib/systemd/system/spire-server@.service
+/bin/spire-server
+%config(noreplace) /etc/spire/server/default.conf
+
+%files -n spire-agent
+/usr/lib/systemd/system/spire-agent@.service
+/bin/spire-agent
+%config(noreplace) /etc/spire/agent/default.conf
+
+%files -n spiffe-oidc-discovery-provider
+/bin/spiffe-oidc-discovery-provider