grafana/scripts/drone/vault.star

pull_secret = 'dockerconfigjson'
drone_token = 'drone_token'
prerelease_bucket = 'prerelease_bucket'
gcp_upload_artifacts_key = 'gcp_upload_artifacts_key'
azure_sp_app_id = 'azure_sp_app_id'
azure_sp_app_pw = 'azure_sp_app_pw'
azure_tenant = 'azure_tenant'


def from_secret(secret):
    return {'from_secret': secret}


def vault_secret(name, path, key):
    return {
        'kind': 'secret',
        'name': name,
        'get': {
            'path': path,
            'name': key,
        },
    }


def secrets():
    return [
        vault_secret(pull_secret, 'secret/data/common/gcr', '.dockerconfigjson'),
        vault_secret('github_token', 'infra/data/ci/github/grafanabot', 'pat'),
        vault_secret(drone_token, 'infra/data/ci/drone', 'machine-user-token'),
        vault_secret(prerelease_bucket, 'infra/data/ci/grafana/prerelease', 'bucket'),
        vault_secret(
            gcp_upload_artifacts_key,
            'infra/data/ci/grafana/releng/artifacts-uploader-service-account',
            'credentials.json',
        ),
        vault_secret(
            azure_sp_app_id,
            'infra/data/ci/datasources/cpp-azure-resourcemanager-credentials',
            'application_id',
        ),
        vault_secret(
            azure_sp_app_pw,
            'infra/data/ci/datasources/cpp-azure-resourcemanager-credentials',
            'application_secret',
        ),
        vault_secret(
            azure_tenant,
            'infra/data/ci/datasources/cpp-azure-resourcemanager-credentials',
            'tenant_id',
        ),
        # Package publishing
        vault_secret(
            'packages_gpg_public_key',
            'infra/data/ci/packages-publish/gpg',
            'public-key-b64',
        ),
        vault_secret(
            'packages_gpg_private_key',
            'infra/data/ci/packages-publish/gpg',
            'private-key-b64',
        ),
        vault_secret(
            'packages_gpg_passphrase',
            'infra/data/ci/packages-publish/gpg',
            'passphrase',
        ),
        vault_secret(
            'packages_service_account',
            'infra/data/ci/packages-publish/service-account',
            'credentials.json',
        ),
        vault_secret(
            'packages_access_key_id',
            'infra/data/ci/packages-publish/bucket-credentials',
            'AccessID',
        ),
        vault_secret(
            'packages_secret_access_key',
            'infra/data/ci/packages-publish/bucket-credentials',
            'Secret',
        ),
        vault_secret(
            'aws_region',
            'secret/data/common/aws-marketplace',
            'aws_region',
        ),
        vault_secret(
            'aws_access_key_id',
            'secret/data/common/aws-marketplace',
            'aws_access_key_id',
        ),
        vault_secret(
            'aws_secret_access_key',
            'secret/data/common/aws-marketplace',
            'aws_secret_access_key',
        ),
    ]
Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00			`pull_secret = 'dockerconfigjson'`
Drone: Retrieve the machine-user from a Vault secret (#35489) This will remove the need to use a Drone repository secret 2021-06-10 18:22:03 +08:00			`drone_token = 'drone_token'`
Package release before publishing (#42218) * Package separately to publish * Fix interpolation * Windows format envvars * More descriptive msg * Won't publish from here * Resolve docker issues in PR build * Rename package docker step * Correct npm release JSON structure 2021-11-30 18:53:07 +08:00			`prerelease_bucket = 'prerelease_bucket'`
feat(e2e-artifacts): upload e2e artifacts to a gcs bucket (#43210) feat(e2e-artifacts): upload e2e artifacts to a gcs bucket 2021-12-24 17:43:32 +08:00			`gcp_upload_artifacts_key = 'gcp_upload_artifacts_key'`
AzureMonitor - E2E tests drone update (#57100) * Update e2e command with video flag * Add Cloud Plugins E2E tests to drone * Update env variable names * Add vault Azure secrets * Update e2e steps * Update secrets path * Update image and rebuild drone file * Readd drone changes * Rebuild drone * Remake drone * Correct reference to secret * Remake drone file * Remove unneeded step * Clear values in Arg query 2022-11-08 18:27:54 +08:00			`azure_sp_app_id = 'azure_sp_app_id'`
			`azure_sp_app_pw = 'azure_sp_app_pw'`
			`azure_tenant = 'azure_tenant'`
Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00
Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00			`def from_secret(secret):`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`return {'from_secret': secret}`

Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00
			`def vault_secret(name, path, key):`
			`return {`
			`'kind': 'secret',`
			`'name': name,`
			`'get': {`
			`'path': path,`
			`'name': key,`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`},`
Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00			`}`

Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00
Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00			`def secrets():`
			`return [`
			`vault_secret(pull_secret, 'secret/data/common/gcr', '.dockerconfigjson'),`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`vault_secret('github_token', 'infra/data/ci/github/grafanabot', 'pat'),`
Drone: Retrieve the machine-user from a Vault secret (#35489) This will remove the need to use a Drone repository secret 2021-06-10 18:22:03 +08:00			`vault_secret(drone_token, 'infra/data/ci/drone', 'machine-user-token'),`
Package release before publishing (#42218) * Package separately to publish * Fix interpolation * Windows format envvars * More descriptive msg * Won't publish from here * Resolve docker issues in PR build * Rename package docker step * Correct npm release JSON structure 2021-11-30 18:53:07 +08:00			`vault_secret(prerelease_bucket, 'infra/data/ci/grafana/prerelease', 'bucket'),`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`vault_secret(`
			`gcp_upload_artifacts_key,`
			`'infra/data/ci/grafana/releng/artifacts-uploader-service-account',`
			`'credentials.json',`
			`),`
			`vault_secret(`
			`azure_sp_app_id,`
			`'infra/data/ci/datasources/cpp-azure-resourcemanager-credentials',`
			`'application_id',`
			`),`
			`vault_secret(`
			`azure_sp_app_pw,`
			`'infra/data/ci/datasources/cpp-azure-resourcemanager-credentials',`
			`'application_secret',`
			`),`
			`vault_secret(`
			`azure_tenant,`
			`'infra/data/ci/datasources/cpp-azure-resourcemanager-credentials',`
			`'tenant_id',`
			`),`
Add package publishing step (#53553) Issue: https://github.com/grafana/deployment_tools/issues/36289 Based on the new image: https://github.com/grafana/deployment_tools/tree/master/docker/package-publish This is a new step meant to replace the store-packages command. It will greatly improve publishing performace and it publishes to a common repository shared with all Grafana products Co-authored-by: dsotirakis <dimitrios.sotirakis@grafana.com> 2022-09-01 19:13:44 +08:00			`# Package publishing`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`vault_secret(`
			`'packages_gpg_public_key',`
			`'infra/data/ci/packages-publish/gpg',`
Packaging: Use base64 key (#61802) The tools in this repo need base64 but not in most other tools. I had to revert the change I made to the key I created another key for base64 that we can use here Follow-up to https://github.com/grafana/grafana/pull/61784 2023-01-20 06:03:19 +08:00			`'public-key-b64',`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`),`
			`vault_secret(`
			`'packages_gpg_private_key',`
			`'infra/data/ci/packages-publish/gpg',`
Packaging: Use base64 key (#61802) The tools in this repo need base64 but not in most other tools. I had to revert the change I made to the key I created another key for base64 that we can use here Follow-up to https://github.com/grafana/grafana/pull/61784 2023-01-20 06:03:19 +08:00			`'private-key-b64',`
Build: Drone starlark file cleanup (#59919) * format drone starlark files with black * clean up unused params * more simplification * more cleanup * more cleanup 2022-12-07 15:13:57 +08:00			`),`
			`vault_secret(`
			`'packages_gpg_passphrase',`
			`'infra/data/ci/packages-publish/gpg',`
			`'passphrase',`
			`),`
			`vault_secret(`
			`'packages_service_account',`
			`'infra/data/ci/packages-publish/service-account',`
			`'credentials.json',`
			`),`
			`vault_secret(`
			`'packages_access_key_id',`
			`'infra/data/ci/packages-publish/bucket-credentials',`
			`'AccessID',`
			`),`
			`vault_secret(`
			`'packages_secret_access_key',`
			`'infra/data/ci/packages-publish/bucket-credentials',`
			`'Secret',`
			`),`
CI: Add `aws-marketplace` pipeline (#60484) * Add aws marketplace automation # Conflicts: # .drone.yml * Fix secret paths # Conflicts: # .drone.yml * Add docker socket # Conflicts: # .drone.yml # Conflicts: # .drone.yml * s/enterprise2/enterprise * Add dependency on the enterprise docker publish # Conflicts: # .drone.yml * Replace testing args with prod args # Conflicts: # .drone.yml * Fix path # Conflicts: # .drone.yml 2022-12-20 00:25:48 +08:00			`vault_secret(`
			`'aws_region',`
			`'secret/data/common/aws-marketplace',`
			`'aws_region',`
			`),`
			`vault_secret(`
			`'aws_access_key_id',`
			`'secret/data/common/aws-marketplace',`
			`'aws_access_key_id',`
			`),`
			`vault_secret(`
			`'aws_secret_access_key',`
			`'secret/data/common/aws-marketplace',`
			`'aws_secret_access_key',`
			`),`
Enterprise changes to the Drone pipelines (#33773) * Enterprise changes to the Drone pipelines This is basically a no-op in this repository, except for the fact that the grafanabot personal access token will now be fetched from Vault instead of repository secrets This will pave the way for us to fetch all secrets from Vault * Update star files from enterprise * Add missingn newline 2021-05-12 21:30:05 +08:00			`]`