
Commit 050f993

committed
Add signing parameters to cfn template
1 parent 57008d2 commit 050f993


3 files changed

+99
-0
lines changed


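--- a/packer/linux/conf/bin/bk-install-elastic-stack.sh
+++ b/packer/linux/conf/bin/bk-install-elastic-stack.sh
@@ -254,6 +254,7 @@ else
 BUILDKITE_AGENT_TIMESTAMPS_LINES="false"
 BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS="false"
 fi
+
 echo Setting \$BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS to \$BUILDKITE_AGENT_TIMESTAMP_LINES
 echo "BUILDKITE_AGENT_TIMESTAMP_LINES is $BUILDKITE_AGENT_TIMESTAMPS_LINES"
 echo "BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS is $BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS"
@@ -292,6 +293,44 @@ tracing-backend=${BUILDKITE_AGENT_TRACING_BACKEND}
 cancel-grace-period=${BUILDKITE_AGENT_CANCEL_GRACE_PERIOD}
 EOF
 
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_PATH" ]]; then
+echo "Fetching signing key from ssm: $BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+keyfile=/etc/buildkite-agent/signing-key.json
+
+aws ssm get-parameter \
+--name "$BUILDKITE_AGENT_SIGNING_KEY_PATH" \
+--with-decryption \
+--query Parameter.Value \
+--output text >"$keyfile"
+
+echo "Setting ownership of $keyfile to buildkite-agent..."
+chown buildkite-agent: "$keyfile"
+
+echo "signing-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_ID" ]]; then
+echo "signing-jwks-key-id=$BUILDKITE_AGENT_SIGNING_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
+if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
+echo "Fetching signing key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+keyfile=/etc/buildkite-agent/verification-key.json
+
+aws ssm get-parameter \
+--name "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" \
+--with-decryption \
+--query Parameter.Value \
+--output text >"$keyfile"
+
+echo "Setting ownership of $keyfile to buildkite-agent..."
+chown buildkite-agent: "$keyfile"
+
+echo "verification-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
+fi
+
 if [[ "${BUILDKITE_ENV_FILE_URL}" != "" ]]; then
 echo "Fetching env file from ${BUILDKITE_ENV_FILE_URL}..."
 /usr/local/bin/bk-fetch.sh "${BUILDKITE_ENV_FILE_URL}" /var/lib/buildkite-agent/env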
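Review bot: The redirection `--output text >"$keyfile"` at new lines 301–305 creates the signing key file with the shell's default umask before the `chown` at line 308, and `chown` does not tighten the mode, so the private JWKS can remain readable by other local users on the instance; create the file with a restrictive mode before the `aws ssm get-parameter` call, e.g. `install -m 0600 -o buildkite-agent /dev/null "$keyfile"`, and give the verification block at lines 322–329 the same treatment for consistency. The message at new line 318 says "Fetching signing key" although that block fetches the verification key; `echo "Fetching verification key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."`. I cannot see from the hunk whether the script runs under `set -e`; if it does not, a failed `aws` call leaves an empty `$keyfile` that is still registered in `buildkite-agent.cfg`, so an explicit `|| exit 1` on both calls would be worth adding. The surrounding script continues outside the hunk.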

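--- a/packer/windows/conf/bin/bk-install-elastic-stack.ps1
+++ b/packer/windows/conf/bin/bk-install-elastic-stack.ps1
@@ -150,6 +150,38 @@ tracing-backend=${Env:BUILDKITE_AGENT_TRACING_BACKEND}
 "@
 $OFS=" "
 
+If (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_PATH)) {
+Write-Output "Fetching signing key from ssm: $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH..."
+
+$keyfile=C:\buildkite-agent\signing-key.json
+
+aws ssm get-parameter `
+--name "$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH" `
+--with-decryption `
+--query Parameter.Value `
+--output text >"$keyfile"
+
+Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-file=$keyfile"
+}
+
+if (![string]::IsNullOrEmpty)($Env:BUILDKITE_AGENT_SIGNING_KEY_ID) {
+Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
+}
+
+if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
+Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
+
+$keyfile=C:\buildkite-agent\verification-key.json
+
+aws ssm get-parameter `
+--name "$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH" `
+--with-decryption `
+--query Parameter.Value `
+--output text >"$keyfile"
+
+Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-jwks-file=$keyfile"
+}
+
 nssm set lifecycled AppEnvironmentExtra +AWS_REGION=$Env:AWS_REGION
 nssm set lifecycled AppEnvironmentExtra +LIFECYCLED_HANDLER="C:\buildkite-agent\bin\stop-agent-gracefully.ps1"
 Restart-Service lifecycled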
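Review bot: The assignments at new lines 156 and 174 put a bare, unquoted path on the right-hand side, which PowerShell parses as a command to run rather than a string, and the condition at new line 167 closes the parenthesis before the argument list, so none of these three lines will run as intended; they should read `$keyfile = "C:\buildkite-agent\signing-key.json"`, `$keyfile = "C:\buildkite-agent\verification-key.json"` and `if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_ID)) {`. If this script runs under Windows PowerShell 5.1 rather than pwsh, the `>` redirection at new lines 162 and 180 writes the key file as UTF-16LE with a BOM, which a JSON parser expecting UTF-8 may reject; piping the output through `Out-File -Encoding ascii` (a JWKS is plain ASCII) would avoid that, but please confirm which host runs the script. Unlike the Linux counterpart, nothing here restricts who can read the signing key file once written, which is worth a follow-up. The surrounding script continues outside the hunk.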

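--- a/templates/aws-stack.yml
+++ b/templates/aws-stack.yml
@@ -50,6 +50,9 @@ Metadata:
 - BuildkiteAgentScalerServerlessARN
 - BuildkiteAgentScalerVersion
 - LogRetentionDays
+- BuildkiteAgentSigningKeySSMParameter
+- BuildkiteAgentSigningKeyID
+- BuildkiteAgentVerificationKeySSMParameter
 
 - Label:
 default: Network Configuration
@@ -202,6 +205,25 @@ Parameters:
 - "opentelemetry"
 Default: ""
 
+BuildkiteAgentSigningKeySSMParameter:
+Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing a key to sign jobs with.
+Type: String
+Default: ""
+AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+ConstraintDescription: "Expects a leading forward slash"
+
+BuildkiteAgentSigningKeyID:
+Description: The ID of the key in the JWKS to use for signing jobs. If not specified, and the JWKS contains only one key, that key will be used.
+Type: String
+Default: ""
+
+BuildkiteAgentVerificationKeySSMParameter:
+Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing keys with which to verify jobs.
+Type: String
+Default: ""
+AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
+ConstraintDescription: "Expects a leading forward slash"
+
 BuildkiteAgentCancelGracePeriod:
 Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
 Type: Number
@@ -1218,6 +1240,9 @@ Resources:
 $Env:BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}"
 $Env:BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}"
 $Env:BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}"
+$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
+$Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
+$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
 $Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
 $Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
 $Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
@@ -1276,6 +1301,9 @@ Resources:
 BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}" \
 BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}" \
 BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
+BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
+BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
+BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
 BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
 BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
 BUILDKITE_QUEUE="${BuildkiteQueue}" \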
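Review bot: The three PowerShell assignments added at new lines 1243–1245 end with ` \`, the bash line continuation that the Linux block at new lines 1304–1306 correctly uses; the neighbouring PowerShell lines at 1240–1242 and 1246 carry no trailing backslash, and PowerShell treats a `\` after the closing quote as a stray token, so the Windows userdata is unlikely to parse until the ` \` is dropped from those three lines. The Description values at new lines 209 and 221 read "path to the to a JSON Web Key Set"; the stray "to the" should go. I cannot see from these hunks whether the instance role is granted `ssm:GetParameter` on the new parameter paths (and KMS decrypt for SecureString values) — the install scripts read them with `--with-decryption`, so that grant is needed somewhere in the template for the feature to work.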
