diff --git a/.circleci/config.yml b/.circleci/config.yml
index 12a5e6ee33fa8..c735e548ec11e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,23 +1,117 @@ version: 2.1 -# Define the jobs we want to run for this project +tag-pattern: &tag-pattern + only: /(^(v)?\d+\.\d+\.\d+$)|(^[0-9]{4}\.[0-9]{1,2}\.[0-9]{1,2}\.[0-9]+$)/ + +orbs: + lumper: loadsmart/lumper@4 + aws-ecr: circleci/aws-ecr@9.5.2 + sentinel: loadsmart/sentinel@1 + jobs: - build: - docker: - - image: cimg/base:2023.03 - steps: - - checkout - - run: echo "this is the build job" - test: - docker: - - image: cimg/base:2023.03 + build-distroless: + parameters: + push: + type: boolean + default: false + arch: + type: enum + default: arm64 + enum: ['amd64', 'arm64'] + resource_class: + type: string + default: arm.large + machine: + image: ubuntu-2004:current + docker_layer_caching: true + resource_class: << parameters.resource_class >> + environment: + ARCH: << parameters.arch >> steps: - checkout - - run: echo "this is the test job" -# Orchestrate our job run sequence + - run: + name: Setup Environment Variables + command: | + TELEPORT_VERSION=$(make print-version) + echo 'export TARBALL_PATH="/tmp/teleport-tarballs"' >> "$BASH_ENV" + echo "export TELEPORT_VERSION=${TELEPORT_VERSION}" >> "$BASH_ENV" + + - restore_cache: + keys: + - go-cache-v1-{{ arch }}-{{ checksum "go.sum" }} + + - run: + name: Build Teleport Binaries + command: | + export GOCACHE="$HOME/.cache/go" + mkdir -p "$GOCACHE" + make docker-binaries + + - save_cache: + key: go-cache-v1-{{ arch }}-{{ checksum "go.sum" }} + paths: + - ~/.cache/go + + - run: + name: Build Tarball + command: | + make build-archive + + - run: + name: Prepare Artifacts + command: | + mkdir -p ${TARBALL_PATH} + cp teleport-v${TELEPORT_VERSION}-linux-${ARCH}-bin.tar.gz ${TARBALL_PATH}/ + cp build.assets/charts/fetch-debs build/fetch-debs + cp build.assets/charts/Dockerfile-distroless build/Dockerfile + + - run: + name: Build Debian Package + command: | + make deb + + - run: + name: Build Distroless Docker Image + command: | + docker buildx build \ + -f build/Dockerfile \ + --platform linux/${ARCH} \ + 
--build-arg TELEPORT_VERSION=${TELEPORT_VERSION} \ + --build-arg TELEPORT_RELEASE_INFIX= \ + -t ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/platform/teleport:${TELEPORT_VERSION}-${ARCH} build + + - when: + condition: << parameters.push >> + steps: + - aws-ecr/ecr_login + - aws-ecr/push_image: + repo: platform/teleport + tag: '${TELEPORT_VERSION}-${ARCH}' + workflows: - build_and_test: + build: + jobs: + - build-distroless: + context: org-global + filters: + branches: + ignore: + - master + + build-and-push: + jobs: + - build-distroless: + name: build-and-push-distroless + context: org-global + push: true + filters: + branches: + ignore: /.*/ + tags: + <<: *tag-pattern + + developer-productivity: jobs: - - build - - test + - sentinel/default: + context: org-global diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 5d2098d1b0a99..dbf0c3c07d8b3 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,8 +1 @@ -# Merge rules are governed by logic in the Workflow Bot. Protect the -# .github/workflows directory (and the merge logic) using CODEOWNERS. -/.github/workflows/ @klizhentas @russjones @r0mant @zmb3 @fheinecke @camscale @tcsc @rosstimothy -/build.assets/tooling/cmd/difftest/ @klizhentas @russjones @r0mant @zmb3 - -# Owners for dependency updates in JS packages. -/pnpm-lock.yaml @avatus @gzdunek @ravicious -web/packages/teleterm/package.json @gzdunek @ravicious +* @loadsmart/platform-operations diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000000000..4eea6e803e463 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,35 @@ +## Motivation and context for the change + + + +## A clear description of the change + + + +## Testing + + + +- [ ] The change is covered with automated tests + +#### Testing instructions + + + +## Rollback + +- [ ] The change can be automatically rolled back + +#### Rollback instructions + + 
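Review bot: The `build` workflow attaches `context: org-global` to the non-push `build-distroless` run on every branch except master, although that invocation only compiles and never reaches the `when: << parameters.push >>` block; if that context is where `AWS_ACCOUNT_ID` and the ECR credentials live, every branch build receives push-capable secrets while only `build-and-push` needs them, so a build-only context (or none) on the first workflow would confine those credentials to the tag workflow. Separately, `lumper: loadsmart/lumper@4` is declared under `orbs` but nothing in the hunk references it, and both loadsmart orbs float on a major version while `aws-ecr` is pinned to `9.5.2`; an orb update rolls straight into the pipeline that holds push rights, so either drop `lumper` or pin all three to exact versions. `machine: image: ubuntu-2004:current` floats as well, which makes the produced image non-reproducible across runs even for the same tag.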
diff --git a/.gitignore b/.gitignore index ebec5a42720af..52fba9e569639 100644 --- a/.gitignore +++ b/.gitignore @@ -118,3 +118,5 @@ msgfile/ # Dockerized builds generate .pnpm-store in the root, so ignore it .pnpm-store + +.terraform.lock.hcl diff --git a/Makefile b/Makefile index a2e072ee3a05b..d7371e3037d97 100644 --- a/Makefile +++ b/Makefile @@ -481,6 +481,7 @@ endif .PHONY: rdpclient rdpclient: ifeq ("$(with_rdpclient)", "yes") + cargo clean $(RDPCLIENT_ENV) \ cargo build -p rdp-client $(if $(FIPS),--features=fips) --release --locked $(CARGO_TARGET) endif diff --git a/README.md b/README.md index 65fb31b8bc666..d252acf6b5b41 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +> This fork is maintained by Loadsmart to compile Teleport CE from source under the AGPLv3 license to avoid the commercial restrictions of the Apache 2.0-licensed binaries. A CircleCI-powered pipeline automates the compilation, builds a distroless image, and pushes it to a private registry. + Teleport provides connectivity, authentication, access controls and audit for infrastructure. Here is why you might use Teleport: diff --git a/atlantis.yaml b/atlantis.yaml new file mode 100644 index 0000000000000..08b7ebb91cb00 --- /dev/null +++ b/atlantis.yaml @@ -0,0 +1,3 @@ +version: 3 +automerge: false +projects: [] diff --git a/build.assets/Makefile b/build.assets/Makefile index 17106405bbc3c..39a940bb84788 100644 --- a/build.assets/Makefile +++ b/build.assets/Makefile @@ -76,7 +76,7 @@ build: buildbox-centos7 webassets .PHONY:build-binaries build-binaries: buildbox-centos7 webassets docker run $(DOCKERFLAGS) $(NOROOT) $(BUILDBOX_CENTOS7) \ - make -C $(SRCDIR) ADDFLAGS='$(ADDFLAGS)' PIV=$(PIV) full + scl enable $(DEVTOOLSET) "make -C $(SRCDIR) ADDFLAGS='$(ADDFLAGS)' PIV=$(PIV) full" # # Build 'teleport' Enterprise release inside a docker container diff --git a/terraform/general/circleci.tf b/terraform/general/circleci.tf new file mode 100644 index 0000000000000..079aa3ada76ea --- /dev/null 
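Review bot: The new `cargo clean` in the `rdpclient` recipe runs without `$(RDPCLIENT_ENV)` and without `$(CARGO_TARGET)`, so if that environment selects a different target directory the clean hits a different tree than the `cargo build` that follows, and in every case it discards the whole `target/` directory for all crates on each `make rdpclient`, not just `rdp-client`. If the intent is to force a fresh build of that one package, a scoped clean keeps the rest of the workspace cached, e.g. `$(RDPCLIENT_ENV) cargo clean -p rdp-client $(CARGO_TARGET)` (assuming `$(CARGO_TARGET)` is a `--target` flag, which `cargo clean` accepts). A one-line comment above it stating why an unconditional clean is required would also help, since a clean inside a build recipe usually points at a caching bug elsewhere.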
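Review bot: In `build-binaries`, `scl enable $(DEVTOOLSET) "make -C $(SRCDIR) ADDFLAGS='$(ADDFLAGS)' PIV=$(PIV) full"` hands the whole make command to `scl` as one double-quoted string that a shell inside the container re-parses, so any `"`, `$` or backtick in `$(ADDFLAGS)` is now interpreted a second time where the old line passed it through as a single quoted argument. `$(DEVTOOLSET)` is not defined in this hunk; if it expands to empty, `scl enable "make ..."` fails at runtime, so a guard such as `$(if $(DEVTOOLSET),,$(error DEVTOOLSET is not set))` near its definition is worth adding. The enterprise build target mentioned in the comment right after the hunk presumably still uses the bare `make -C` form and may need the same wrapping for consistency.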
+++ b/terraform/general/circleci.tf
@@ -0,0 +1,45 @@
+module "circleci" {
+ source = "git@github.com:loadsmart/terraform-modules.git//circleci-app"
+
+ project = local.project
+
+ allow_aws_access = true
+
+ providers = {
+ aws.main = aws
+ aws.dev = aws.dev
+ }
+}
+
+data "aws_iam_policy_document" "ecr_push" {
+ statement {
+ sid = "AllowPushToECR"
+
+ actions = [
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload",
+ "ecr:PutImage",
+ ]
+
+ resources = [
+ module.ecr_teleport.arn,
+ "${module.ecr_teleport.arn}/*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ecr_push" {
+ name = "circleci-teleport-ECRPusher"
+ policy = data.aws_iam_policy_document.ecr_push.json
+}
+
+resource "aws_iam_user_policy_attachment" "ecr_push" {
+ user = module.circleci.user_name
+ policy_arn = aws_iam_policy.ecr_push.arn
+}
+
+resource "aws_iam_user_policy_attachment" "ecr_readonly" {
+ user = module.circleci.user_name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
diff --git a/terraform/general/config.tf b/terraform/general/config.tf
new file mode 100644
index 0000000000000..1941f791e8f9e
--- /dev/null
+++ b/terraform/general/config.tf
@@ -0,0 +1,11 @@
+terraform {
+ backend "s3" {
+ bucket = "loadsmart-terraform"
+ key = "teleport/general/terraform.tfstate"
+ region = "us-east-1"
+ encrypt = true
+ kms_key_id = "arn:aws:kms:us-east-1:845156828388:key/a18b304d-d85b-4deb-b5b2-67771cff721a"
+ dynamodb_table = "terraform_locks"
+ profile = "loadsmart-main"
+ }
+}
diff --git a/terraform/general/ecr.tf b/terraform/general/ecr.tf
new file mode 100644
index 0000000000000..cf9853f04d888
--- /dev/null
+++ b/terraform/general/ecr.tf
@@ -0,0 +1,6 @@
+module "ecr_teleport" {
+ source = "git@github.com:loadsmart/terraform-modules.git//aws-ecr"
+
+ project = "platform/teleport"
+ squad = local.squad
+}
diff --git a/terraform/general/locals.tf b/terraform/general/locals.tf
new file mode 100644
index 0000000000000..9e9d87343bf7a
--- /dev/null
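Review bot: `aws_iam_user_policy_attachment.ecr_readonly` attaches the AWS-managed `AmazonEC2ContainerRegistryReadOnly` policy, which grants pull and describe rights on every repository in the account, while the custom `ecr_push` document is scoped to `module.ecr_teleport.arn`; the CI user can therefore read any image in the registry although it only needs to log in and push to `platform/teleport`. The read side can be scoped the same way by adding statements to `ecr_push` (`ecr:GetAuthorizationToken` has to stay on `"*"`; the layer and image read actions can target the repository) and dropping the managed attachment, as sketched below. The `"${module.ecr_teleport.arn}/*"` entry in `resources` has no effect for ECR, whose repository ARNs carry no sub-resources, so it can go. Whether the `aws-ecr` module used in `ecr.tf` enables tag immutability and scan-on-push is not visible here; since `ecr:PutImage` lets this user overwrite an existing version tag, that setting is worth confirming.
```hcl
data "aws_iam_policy_document" "ecr_push" {
  statement {
    sid       = "AllowEcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    sid = "AllowReadTeleportRepo"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = [module.ecr_teleport.arn]
  }

  # … unchanged: AllowPushToECR statement …
}
```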
+++ b/terraform/general/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ project = "teleport"
+ squad = "platform-operations"
+}
diff --git a/terraform/general/providers.tf b/terraform/general/providers.tf
new file mode 100644
index 0000000000000..2c0960b66e3c8
--- /dev/null
+++ b/terraform/general/providers.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+ region = "us-east-1"
+ profile = "loadsmart-main"
+}
+
+provider "aws" {
+ alias = "dev"
+ region = "us-east-1"
+ profile = "loadsmart-dev"
+}
diff --git a/terraform/general/versions.tf b/terraform/general/versions.tf
new file mode 100644
index 0000000000000..5e4ce43a3f225
--- /dev/null
+++ b/terraform/general/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14"
+}
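Review bot: `versions.tf` pins only `required_version = ">= 0.14"` and declares no `required_providers`, so `terraform init` resolves `hashicorp/aws` to whatever is newest at the time, and because this same change adds `.terraform.lock.hcl` to `.gitignore` there is no lock file to make that resolution reproducible either. Two applies from different machines can therefore run against different provider majors, which is where silent changes to IAM and ECR resource behaviour tend to creep in. Adding a `required_providers` block for `aws`, and committing the lock file or at least constraining the major, closes that gap.
```hcl
terraform {
  required_version = ">= 0.14"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # example constraint; pin to the major actually tested
    }
  }
}
```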