23 commits
e3b158b
feat(server): add ELF signing using delivery-kit-sdk
dmmordvi Jun 26, 2026
9bdb729
server: merge build tags so CGO coverage plugin keeps static+test_covera
dmmordvi Jun 29, 2026
f2b5470
ci: install delivery-kit-sdk C deps before e2e CGO builds
dmmordvi Jun 29, 2026
cc7034c
docs: document C-dep prerequisite for local e2e and coverpkg rationale
dmmordvi Jun 29, 2026
3ec030b
fix: e2e and lint fixes
dmmordvi Jun 29, 2026
8ad6201
fix: run `deps:install:c` for unit tests, disabled CGO for docs gener…
dmmordvi Jun 29, 2026
c2ceb69
docs: changed description
dmmordvi Jun 30, 2026
76144d6
docs: changed description
dmmordvi Jun 30, 2026
a1be7c0
test(e2e): verify ELF signing round-trip in complete_cycle
dmmordvi Jul 1, 2026
84ca881
fix(e2e): keep script.sh in linux dirs so clientUse resolves it
dmmordvi Jul 1, 2026
c63567e
fix(e2e): simplify ELF signature verification logic
dmmordvi Jul 1, 2026
2fe7e21
chore(e2e): drop misleading linux-arm64 ELF fixture, amd64 only
dmmordvi Jul 1, 2026
8b723c6
chore(e2e): drop redundant platform guard in ELF verify helper
dmmordvi Jul 1, 2026
4d6bef1
test(e2e): verify ELF signing round-trip in flow_vault via real plugin
dmmordvi Jul 1, 2026
015be6e
fix(e2e): add --expires flag to tuf add/timestamp/snapshot (fix for l…
dmmordvi Jul 1, 2026
50585c6
docs: add mention objcopy to description
dmmordvi Jul 1, 2026
3022519
Merge branch 'main' into feat/server/elf-signing
dmmordvi Jul 2, 2026
c699e95
docs: change operation description
dmmordvi Jul 2, 2026
780e3a6
refactor: simplify ELF checking, skip disk buffering non-ELF artifacts
dmmordvi Jul 2, 2026
9aa28e6
refactor: rename signing func
dmmordvi Jul 2, 2026
d51b4ec
chore: update trdl-builder docker image version
dmmordvi Jul 2, 2026
878d14c
feat: add validation for vault options in case of vault key ref
dmmordvi Jul 2, 2026
bfcccb4
feat: check empty key/cert fields
dmmordvi Jul 2, 2026
2 changes: 1 addition & 1 deletion .github/workflows/lint.yaml
Expand Up @@ -27,7 +27,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.23"
go-version: "1.24"

- name: Install Task
uses: go-task/setup-task@v2
2 changes: 2 additions & 0 deletions .github/workflows/tests.yml
Expand Up @@ -40,6 +40,7 @@ jobs:
run: |
sudo apt-get update
sudo apt-get install -y gpg
task --yes server:deps:install:c

- name: Set up git config
run: task --yes ci:setup:git-config
Expand Down Expand Up @@ -90,6 +91,7 @@ jobs:
run: |
sudo apt-get update
sudo apt-get install -y gpg
task --yes server:deps:install:c

- name: Install 3p-git-signatures
run: task --yes ci:install:3p-git-signatures
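Review bot: The added `task --yes server:deps:install:c` line in this hunk, and the identical line in the second hunk of this file, give no hint of why a step that installs gpg now also installs C libraries, so a maintainer reading the workflow has to go to CONTRIBUTING.md to learn it. A one-line comment above the added line would carry the reason into the workflow itself, e.g. `# delivery-kit-sdk ELF signing is CGO; the server plugin and the e2e test binaries need its C libs`. If the step's `name:` (outside the hunk) still reads as a gpg-only install, it presumably understates what the step does now and is worth widening to match. The enclosing `steps:` list and job definition start above the hunk.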
6 changes: 6 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -81,8 +81,14 @@ You can also check the existing [issues](https://github.com/werf/trdl/issues), [
7. Testing:
1. Setup testing environment:
```shell
task server:deps:install:c
task server:setup:dev-environment
```

`server:deps:install:c` installs the C libraries required by
delivery-kit-sdk ELF signing. They must be present before building the
CGO server plugin or compiling the e2e tests (which instrument server
packages via `--coverpkg`).
2. Run tests:
```shell
task server:test:unit
1 change: 1 addition & 0 deletions Taskfile.dist.yaml
Expand Up @@ -23,6 +23,7 @@ includes:
flatten: true
vars:
paths: "e2e"
golangciLintVersion: "v1.64.2"
actions:
taskfile: ./actions/Taskfile.yaml
dir: ./actions
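Review bot: `golangciLintVersion: "v1.64.2"` is now pinned in three places — here, in client/Taskfile.yaml and in e2e/Taskfile.yaml — and the three copies can drift independently on the next bump. If the included lint taskfile reads this as an include var, as the neighbouring `paths:` and `golangciLintBinDir:` entries suggest, a single top-level `vars:` entry passed through each include would keep one source of truth; a short comment naming the other two files is the minimum if the duplication is intentional. The `includes:` block this hunk sits in starts above the hunk.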
1 change: 1 addition & 0 deletions client/Taskfile.yaml
Expand Up @@ -9,6 +9,7 @@ includes:
vars:
paths: "cmd/** pkg/**"
golangciLintBinDir: "../bin"
golangciLintVersion: "v1.64.2"

vars:
version: '{{.version | default "dev"}}'
2 changes: 1 addition & 1 deletion client/trdl.yaml
@@ -1,4 +1,4 @@
docker_image: registry.werf.io/trdl/builder:51b030fe472ec6caa59b068a364bb835ea140588@sha256:f71af3da98446de12e5bb47a789517ba1a17cb19fb17cfc78699552ebcc2c3cf
dockerImage: registry.werf.io/trdl/builder:9aa28e60f251951a43ffc6096ac9f7fecc731ec7@sha256:eb081c2afd3d0607b670cc1c691f3e7833a719bd5232ad618fd10bbbd142a3b1
commands:
- TASK_X_REMOTE_TASKFILES=1 task --yes client:build:dist version={{ .Tag }}
- TASK_X_REMOTE_TASKFILES=1 task --yes client:verify:dist:binaries version={{ .Tag }}
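Review bot: Besides the image tag and digest, this hunk appears to change the key from `docker_image` to `dockerImage` (assuming the `dockerImage` line is the new side), while the commit message only speaks of updating the builder image version. If the config loader accepts only one spelling, the rename is the functional change and belongs in the commit message; if it accepts both, a note on why the spelling changed would help the next reader. Keeping the builder reference pinned by `@sha256:` digest, as both sides do, is the right practice for a build image and should survive future bumps.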
2 changes: 2 additions & 0 deletions docs/Taskfile.yaml
Expand Up @@ -34,6 +34,8 @@ tasks:
_regen_reference_vault_plugin:
internal: true
desc: "Regenerate reference Vault plugin."
env:
CGO_ENABLED: "0"
cmds:
- cd ../server && go install github.com/werf/trdl/server/cmd/vault-plugin-docs
- vault-plugin-docs generate-jekyll --base-pages-url /reference/vault_plugin --includes-dir _includes/reference/vault_plugin --pages-dir pages_en/reference/vault_plugin --sidebar-yml-path _data/sidebars/_vault_plugin.yml
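Review bot: The new `env: CGO_ENABLED: "0"` on `_regen_reference_vault_plugin` has no comment explaining it, and since the rest of this PR introduces a CGO dependency (delivery-kit-sdk) into the server module, a reader will wonder whether the docs build drops the ELF-signing backend on purpose or whether `go install` would otherwise fail without the C libs. Suggest adding above `env:` something like `# vault-plugin-docs only needs the path schema; build without the CGO delivery-kit-sdk signer so docs regenerate without its C libs`, adjusted to whichever reason applies. This also presumes the server packages compile with CGO disabled (a non-CGO stub behind a build tag) — worth confirming, because otherwise the `go install` in the next line fails here rather than in CI. The `tasks:` block starts above the hunk.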
2 changes: 2 additions & 0 deletions docs/_data/sidebars/_vault_plugin.yml
Expand Up @@ -14,6 +14,8 @@ _vault_plugin: &_vault_plugin
url: /reference/vault_plugin/configure/build/secrets.html
- title: /configure/build/secrets/:id
url: /reference/vault_plugin/configure/build/secrets/id.html
- title: /configure/delivery_kit_elf_signing
url: /reference/vault_plugin/configure/delivery_kit_elf_signing.html
- title: /configure/git_credential
url: /reference/vault_plugin/configure/git_credential.html
- title: /configure/last_published_git_commit
2 changes: 2 additions & 0 deletions docs/_data/sidebars/reference.yml
Expand Up @@ -69,6 +69,8 @@ _vault_plugin: &_vault_plugin
url: /reference/vault_plugin/configure/build/secrets.html
- title: /configure/build/secrets/:id
url: /reference/vault_plugin/configure/build/secrets/id.html
- title: /configure/delivery_kit_elf_signing
url: /reference/vault_plugin/configure/delivery_kit_elf_signing.html
- title: /configure/git_credential
url: /reference/vault_plugin/configure/git_credential.html
- title: /configure/last_published_git_commit
@@ -0,0 +1,37 @@
Configure ELF binary signing via Delivery Kit. Requires `objcopy` with multi-architecture support on the Vault server host (`binutils-multiarch` on Debian/Ubuntu).

## Configure ELF signing


| Method | Path |
|--------|------|
| `POST` | `/configure/delivery_kit_elf_signing` |

### Parameters

* `certificate` (string, required) — Certificate data base64 encoded.
* `intermediates` (string, optional) — Certificate chain (intermediates and root) base64 encoded, as a single PEM bundle.
* `key` (string, required) — Private key data base64 encoded or a Vault key reference in the form hashivault://<key>. When a hashivault:// reference is used, configure the vault_* parameters.
* `password` (string, optional) — Private key password. Ignored when key is a hashivault:// reference.
* `vault_addr` (string, optional) — Vault server address. Applies only when key is a hashivault:// reference.
* `vault_auth_path` (string, optional, default: `ar`) — Mount path of Vault auth method. Applies only when key is a hashivault:// reference.
* `vault_auth_role_id` (string, optional) — AppRole RoleID used to authenticate to Vault. Applies only when key is a hashivault:// reference.
* `vault_auth_secret_id` (string, optional) — AppRole SecretID used to authenticate to Vault. Applies only when key is a hashivault:// reference.
* `vault_transit_path` (string, optional) — Mount path of Vault transit engine. Applies only when key is a hashivault:// reference.

### Responses

* 200 — OK.


## Reset ELF signing


| Method | Path |
|--------|------|
| `DELETE` | `/configure/delivery_kit_elf_signing` |


### Responses

* 204 — empty body.
2 changes: 2 additions & 0 deletions docs/_includes/reference/vault_plugin/index.md
Expand Up @@ -10,6 +10,8 @@ The trdl plugin builds and releases software versions, publishes the release cha

* [`/configure/build/secrets/:id`]({{ "/reference/vault_plugin/configure/build/secrets/id.html" | true_relative_url }}) — delete a build secret.

* [`/configure/delivery_kit_elf_signing`]({{ "/reference/vault_plugin/configure/delivery_kit_elf_signing.html" | true_relative_url }}) — configure elf binary signing via delivery kit.

* [`/configure/git_credential`]({{ "/reference/vault_plugin/configure/git_credential.html" | true_relative_url }}) — configure git credentials.

* [`/configure/last_published_git_commit`]({{ "/reference/vault_plugin/configure/last_published_git_commit.html" | true_relative_url }}) — read or delete the last published git commit.
@@ -0,0 +1,6 @@
---
title: /configure/delivery_kit_elf_signing
permalink: reference/vault_plugin/configure/delivery_kit_elf_signing.html
---

{% include /reference/vault_plugin/configure/delivery_kit_elf_signing.md %}
3 changes: 3 additions & 0 deletions e2e/Taskfile.yaml
Expand Up @@ -9,10 +9,13 @@ includes:
vars:
paths: "tests/**"
golangciLintBinDir: "../bin"
golangciLintVersion: "v1.64.2"

tasks:
test:e2e:
desc: "Run client e2e test."
# coverpkg pulls in server packages, so this test binary compiles the CGO
# delivery-kit-sdk ELF signer and needs the C libs from server:deps:install:c.
cmd: ginkgo --vv --keep-going --cover --covermode=atomic --coverpkg=github.com/werf/trdl/client/...,github.com/werf/trdl/server/... --output-dir={{.outputDir}} ./...
vars:
outputDir: '{{.outputDir | default "../tests_coverage/e2e" }}'
70 changes: 42 additions & 28 deletions e2e/go.mod
@@ -1,8 +1,9 @@
module github.com/werf/trdl/e2e

go 1.23.2
go 1.24.10

require (
github.com/deckhouse/delivery-kit-sdk v1.2.1
github.com/hashicorp/go-hclog v1.6.3
github.com/hashicorp/vault/sdk v0.8.1
github.com/onsi/ginkgo/v2 v2.22.0
Expand All @@ -13,11 +14,6 @@ require (
gopkg.in/yaml.v2 v2.4.0
)

require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/stretchr/testify v1.10.0 // indirect
)

require (
dario.cat/mergo v1.0.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
Expand All @@ -28,8 +24,9 @@ require (
github.com/armon/go-metrics v0.3.9 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/avelino/slugify v0.0.0-20180501145920-855f152bd774 // indirect
github.com/aws/aws-sdk-go v1.44.221 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/aws/aws-sdk-go v1.46.4 // indirect
github.com/cenkalti/backoff/v3 v3.0.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cloudflare/circl v1.3.7 // indirect
github.com/cyphar/filepath-securejoin v0.2.5 // indirect
github.com/distribution/reference v0.6.0 // indirect
Expand All @@ -46,79 +43,96 @@ require (
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.6.0 // indirect
github.com/go-git/go-git/v5 v5.12.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
github.com/google/certificate-transparency-go v1.1.7 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-containerregistry v0.20.1 // indirect
github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
github.com/gookit/color v1.5.4 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0 // indirect
github.com/hashicorp/go-kms-wrapping/v2 v2.0.7 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-plugin v1.4.5 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/hashicorp/go-uuid v1.0.2 // indirect
github.com/hashicorp/go-version v1.2.0 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/vault/api v1.14.0 // indirect
github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jellydator/ttlcache/v3 v3.4.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-testing-interface v1.0.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/oklog/run v1.0.0 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/opencontainers/image-spec v1.1.1 // indirect
github.com/otiai10/copy v1.9.0 // indirect
github.com/pierrec/lz4 v2.5.2+incompatible // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/samber/lo v1.37.0 // indirect
github.com/samber/lo v1.51.0 // indirect
github.com/satori/go.uuid v1.2.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/sigstore/sigstore v1.8.8 // indirect
github.com/skeema/knownhosts v1.2.2 // indirect
github.com/spaolacci/murmur3 v1.1.0 // indirect
github.com/theupdateframework/go-tuf v0.5.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/werf/lockgate v0.1.1 // indirect
github.com/werf/logboek v0.6.1 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
go.opentelemetry.io/otel v1.28.0 // indirect
go.opentelemetry.io/otel v1.39.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.28.0 // indirect
go.opentelemetry.io/otel/trace v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.39.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.uber.org/atomic v1.9.0 // indirect
golang.org/x/crypto v0.32.0 // indirect
golang.org/x/crypto v0.46.0 // indirect
golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
golang.org/x/net v0.34.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/term v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/tools v0.26.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
google.golang.org/grpc v1.66.3 // indirect
google.golang.org/protobuf v1.35.1 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.39.0 // indirect
golang.org/x/term v0.38.0 // indirect
golang.org/x/text v0.32.0 // indirect
golang.org/x/time v0.6.0 // indirect
golang.org/x/tools v0.39.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/grpc v1.79.3 // indirect
google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect
)

replace (