ci: add pipeline to build/push distroless images to loadsmart registry

.circleci/config.yml

@@ -1,23 +1,117 @@
 version: 2.1
 
-# Define the jobs we want to run for this project
+tag-pattern: &tag-pattern
+  only: /(^(v)?\d+\.\d+\.\d+$)|(^[0-9]{4}\.[0-9]{1,2}\.[0-9]{1,2}\.[0-9]+$)/
+
+orbs:
+  lumper: loadsmart/lumper@4
+  aws-ecr: circleci/aws-ecr@9.5.2
+  sentinel: loadsmart/sentinel@1
+
 jobs:
-  build:
-    docker:
-      - image: cimg/base:2023.03
-    steps:
-      - checkout
-      - run: echo "this is the build job"
-  test:
-    docker:
-      - image: cimg/base:2023.03
+  build-distroless:
+    parameters:
+      push:
+        type: boolean
+        default: false
+      arch:
+        type: enum
+        default: arm64
+        enum: ['amd64', 'arm64']
+      resource_class:
+        type: string
+        default: arm.large
+    machine:
+      image: ubuntu-2004:current
+      docker_layer_caching: true
+    resource_class: << parameters.resource_class >>
+    environment:
+      ARCH: << parameters.arch >>
     steps:
       - checkout
-      - run: echo "this is the test job"
 
-# Orchestrate our job run sequence
+      - run:
+          name: Setup Environment Variables
+          command: |
+            TELEPORT_VERSION=$(make print-version)
+            echo 'export TARBALL_PATH="/tmp/teleport-tarballs"' >> "$BASH_ENV"
+            echo "export TELEPORT_VERSION=${TELEPORT_VERSION}" >> "$BASH_ENV"
+
+      - restore_cache:
+          keys:
+            - go-cache-v1-{{ arch }}-{{ checksum "go.sum" }}
+
+      - run:
+          name: Build Teleport Binaries
+          command: |
+            export GOCACHE="$HOME/.cache/go"
+            mkdir -p "$GOCACHE"
+            make docker-binaries
+
+      - save_cache:
+          key: go-cache-v1-{{ arch }}-{{ checksum "go.sum" }}
+          paths:
+            - ~/.cache/go
+
+      - run:
+          name: Build Tarball
+          command: |
+            make build-archive
+
+      - run:
+          name: Prepare Artifacts
+          command: |
+            mkdir -p ${TARBALL_PATH}
+            cp teleport-v${TELEPORT_VERSION}-linux-${ARCH}-bin.tar.gz ${TARBALL_PATH}/
+            cp build.assets/charts/fetch-debs build/fetch-debs
+            cp build.assets/charts/Dockerfile-distroless build/Dockerfile
+
+      - run:
+          name: Build Debian Package
+          command: |
+            make deb
+
+      - run:
+          name: Build Distroless Docker Image
+          command: |
+            docker buildx build \
+              -f build/Dockerfile \
+              --platform linux/${ARCH} \
+              --build-arg TELEPORT_VERSION=${TELEPORT_VERSION} \
+              --build-arg TELEPORT_RELEASE_INFIX= \
+              -t ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/platform/teleport:${TELEPORT_VERSION}-${ARCH} build
+
+      - when:
+          condition: << parameters.push >>
+          steps:
+            - aws-ecr/ecr_login
+            - aws-ecr/push_image:
+                repo: platform/teleport
+                tag: '${TELEPORT_VERSION}-${ARCH}'
+
 workflows:
-  build_and_test:
+  build:
+    jobs:
+      - build-distroless:
+          context: org-global
+          filters:
+            branches:
+              ignore:
+                - master
+
+  build-and-push:
+    jobs:
+      - build-distroless:
+          name: build-and-push-distroless
+          context: org-global
+          push: true
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              <<: *tag-pattern
+
+  developer-productivity:
     jobs:
-      - build
-      - test
+      - sentinel/default:
+          context: org-global

.github/CODEOWNERS

@@ -1,8 +1 @@
-# Merge rules are governed by logic in the Workflow Bot. Protect the
-# .github/workflows directory (and the merge logic) using CODEOWNERS.
-/.github/workflows/ @klizhentas @russjones @r0mant @zmb3 @fheinecke @camscale @tcsc @rosstimothy
-/build.assets/tooling/cmd/difftest/ @klizhentas @russjones @r0mant @zmb3
-
-# Owners for dependency updates in JS packages.
-/pnpm-lock.yaml @avatus @gzdunek @ravicious
-web/packages/teleterm/package.json @gzdunek @ravicious
+*   @loadsmart/platform-operations

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,35 @@
+## Motivation and context for the change
+
+<!--
+Describe the motivation against creating this change and, if applicable, describe the current behavior and any relevant screenshots or diagrams (if applicable).
+-->
+
+## A clear description of the change
+
+<!--
+Describe the change, including new behavior, possible impacts, and any relevant screenshots or diagrams (if applicable).
+-->
+
+## Testing
+
+<!--
+Inform whether or not the change is covered with automated tests.
+-->
+
+- [ ] The change is covered with automated tests
+
+#### Testing instructions
+
+<!--
+If the change isn't covered with automated tests, provide a detailed list of steps for the reviewer to test it. You may remove this section in case of automated tests.
+-->
+
+## Rollback
+
+- [ ] The change can be automatically rolled back
+
+#### Rollback instructions
+
+<!--
+If the rollback cannot be performed automatically, provide a detailed list of the steps needed to complete a rollback. Add any relevant link to the documentation if applicable. You may remove this section in case of support for automated rollback.
+-->

.gitignore

@@ -118,3 +118,5 @@ msgfile/
 
 # Dockerized builds generate .pnpm-store in the root, so ignore it
 .pnpm-store
+
+.terraform.lock.hcl

Makefile

@@ -481,6 +481,7 @@ endif
 .PHONY: rdpclient
 rdpclient:
 ifeq ("$(with_rdpclient)", "yes")
+	cargo clean
 	$(RDPCLIENT_ENV) \
 		cargo build -p rdp-client $(if $(FIPS),--features=fips) --release --locked $(CARGO_TARGET)
 endif

README.md

@@ -1,3 +1,5 @@
+> This fork is maintained by Loadsmart to compile Teleport CE from source under the AGPLv3 license to avoid the commercial restrictions of the Apache 2.0-licensed binaries. A CircleCI-powered pipeline automates the compilation, builds a distroless image, and pushes it to a private registry.
+
 Teleport provides connectivity, authentication, access controls and audit for infrastructure.
 
 Here is why you might use Teleport:

atlantis.yaml

@@ -0,0 +1,3 @@
+version: 3
+automerge: false
+projects: []

build.assets/Makefile

@@ -76,7 +76,7 @@ build: buildbox-centos7 webassets
 .PHONY:build-binaries
 build-binaries: buildbox-centos7 webassets
 	docker run $(DOCKERFLAGS) $(NOROOT) $(BUILDBOX_CENTOS7) \
-		make -C $(SRCDIR) ADDFLAGS='$(ADDFLAGS)' PIV=$(PIV) full
+		scl enable $(DEVTOOLSET) "make -C $(SRCDIR) ADDFLAGS='$(ADDFLAGS)' PIV=$(PIV) full"
 
 #
 # Build 'teleport' Enterprise release inside a docker container

terraform/general/circleci.tf

@@ -0,0 +1,45 @@
+module "circleci" {
+  source = "git@github.com:loadsmart/terraform-modules.git//circleci-app"
+
+  project = local.project
+
+  allow_aws_access = true
+
+  providers = {
+    aws.main = aws
+    aws.dev  = aws.dev
+  }
+}
+
+data "aws_iam_policy_document" "ecr_push" {
+  statement {
+    sid = "AllowPushToECR"
+
+    actions = [
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:PutImage",
+    ]
+
+    resources = [
+      module.ecr_teleport.arn,
+      "${module.ecr_teleport.arn}/*",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ecr_push" {
+  name   = "circleci-teleport-ECRPusher"
+  policy = data.aws_iam_policy_document.ecr_push.json
+}
+
+resource "aws_iam_user_policy_attachment" "ecr_push" {
+  user       = module.circleci.user_name
+  policy_arn = aws_iam_policy.ecr_push.arn
+}
+
+resource "aws_iam_user_policy_attachment" "ecr_readonly" {
+  user       = module.circleci.user_name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}

terraform/general/config.tf

@@ -0,0 +1,11 @@
+terraform {
+  backend "s3" {
+    bucket         = "loadsmart-terraform"
+    key            = "teleport/general/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    kms_key_id     = "arn:aws:kms:us-east-1:845156828388:key/a18b304d-d85b-4deb-b5b2-67771cff721a"
+    dynamodb_table = "terraform_locks"
+    profile        = "loadsmart-main"
+  }
+}

terraform/general/ecr.tf

@@ -0,0 +1,6 @@
+module "ecr_teleport" {
+  source = "git@github.com:loadsmart/terraform-modules.git//aws-ecr"
+
+  project = "platform/teleport"
+  squad   = local.squad
+}

terraform/general/locals.tf

@@ -0,0 +1,4 @@
+locals {
+  project = "teleport"
+  squad   = "platform-operations"
+}

terraform/general/providers.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region  = "us-east-1"
+  profile = "loadsmart-main"
+}
+
+provider "aws" {
+  alias   = "dev"
+  region  = "us-east-1"
+  profile = "loadsmart-dev"
+}

terraform/general/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.14"
+}