Skip to content

Commit 477e418

Browse files
moskybmoskyb
committed
Add signing parameters to cfn template
1 parent 08d2cd0 commit 477e418

File tree

3 files changed

+99
-0
lines changed

3 files changed

+99
-0
lines changed

packer/linux/conf/bin/bk-install-elastic-stack.sh

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -254,6 +254,7 @@ else
254254
BUILDKITE_AGENT_TIMESTAMPS_LINES="false"
255255
BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS="false"
256256
fi
257+
257258
echo Setting \$BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS to \$BUILDKITE_AGENT_TIMESTAMP_LINES
258259
echo "BUILDKITE_AGENT_TIMESTAMP_LINES is $BUILDKITE_AGENT_TIMESTAMPS_LINES"
259260
echo "BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS is $BUILDKITE_AGENT_NO_ANSI_TIMESTAMPS"
@@ -292,6 +293,44 @@ tracing-backend=${BUILDKITE_AGENT_TRACING_BACKEND}
292293
cancel-grace-period=${BUILDKITE_AGENT_CANCEL_GRACE_PERIOD}
293294
EOF
294295

296+
if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_PATH" ]]; then
297+
echo "Fetching signing key from ssm: $BUILDKITE_AGENT_SIGNING_KEY_PATH..."
298+
299+
keyfile=/etc/buildkite-agent/signing-key.json
300+
301+
aws ssm get-parameter \
302+
--name "$BUILDKITE_AGENT_SIGNING_KEY_PATH" \
303+
--with-decryption \
304+
--query Parameter.Value \
305+
--output text >"$keyfile"
306+
307+
echo "Setting ownership of $keyfile to buildkite-agent..."
308+
chown buildkite-agent: "$keyfile"
309+
310+
echo "signing-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
311+
fi
312+
313+
if [[ -n "$BUILDKITE_AGENT_SIGNING_KEY_ID" ]]; then
314+
echo "signing-jwks-key-id=$BUILDKITE_AGENT_SIGNING_KEY_ID" >>/etc/buildkite-agent/buildkite-agent.cfg
315+
fi
316+
317+
if [[ -n "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" ]]; then
318+
echo "Fetching signing key from ssm: $BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
319+
320+
keyfile=/etc/buildkite-agent/verification-key.json
321+
322+
aws ssm get-parameter \
323+
--name "$BUILDKITE_AGENT_VERIFICATION_KEY_PATH" \
324+
--with-decryption \
325+
--query Parameter.Value \
326+
--output text >"$keyfile"
327+
328+
echo "Setting ownership of $keyfile to buildkite-agent..."
329+
chown buildkite-agent: "$keyfile"
330+
331+
echo "verification-jwks-file=$keyfile" >>/etc/buildkite-agent/buildkite-agent.cfg
332+
fi
333+
295334
if [[ "${BUILDKITE_ENV_FILE_URL}" != "" ]]; then
296335
echo "Fetching env file from ${BUILDKITE_ENV_FILE_URL}..."
297336
/usr/local/bin/bk-fetch.sh "${BUILDKITE_ENV_FILE_URL}" /var/lib/buildkite-agent/env

packer/windows/conf/bin/bk-install-elastic-stack.ps1

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -150,6 +150,38 @@ tracing-backend=${Env:BUILDKITE_AGENT_TRACING_BACKEND}
150150
"@
151151
$OFS=" "
152152

153+
If (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_SIGNING_KEY_PATH)) {
154+
Write-Output "Fetching signing key from ssm: $Env:BUILDKITE_AGENT_SIGNING_KEY_PATH..."
155+
156+
$keyfile=C:\buildkite-agent\signing-key.json
157+
158+
aws ssm get-parameter `
159+
--name "$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH" `
160+
--with-decryption `
161+
--query Parameter.Value `
162+
--output text >"$keyfile"
163+
164+
Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-file=$keyfile"
165+
}
166+
167+
if (![string]::IsNullOrEmpty)($Env:BUILDKITE_AGENT_SIGNING_KEY_ID) {
168+
Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "signing-jwks-key-id=$Env:BUILDKITE_AGENT_SIGNING_KEY_ID"
169+
}
170+
171+
if (![string]::IsNullOrEmpty($Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH)) {
172+
Write-Output "Fetching verification key from ssm: $Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH..."
173+
174+
$keyfile=C:\buildkite-agent\verification-key.json
175+
176+
aws ssm get-parameter `
177+
--name "$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH" `
178+
--with-decryption `
179+
--query Parameter.Value `
180+
--output text >"$keyfile"
181+
182+
Add-Content -Path C:\buildkite-agent\buildkite-agent.cfg -Value "verification-jwks-file=$keyfile"
183+
}
184+
153185
nssm set lifecycled AppEnvironmentExtra +AWS_REGION=$Env:AWS_REGION
154186
nssm set lifecycled AppEnvironmentExtra +LIFECYCLED_HANDLER="C:\buildkite-agent\bin\stop-agent-gracefully.ps1"
155187
Restart-Service lifecycled

templates/aws-stack.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,9 @@ Metadata:
4949
- BuildkiteWindowsAdministrator
5050
- BuildkiteAgentScalerServerlessARN
5151
- BuildkiteAgentScalerVersion
52+
- BuildkiteAgentSigningKeySSMParameter
53+
- BuildkiteAgentSigningKeyID
54+
- BuildkiteAgentVerificationKeySSMParameter
5255

5356
- Label:
5457
default: Network Configuration
@@ -195,6 +198,25 @@ Parameters:
195198
- "opentelemetry"
196199
Default: ""
197200

201+
BuildkiteAgentSigningKeySSMParameter:
202+
Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing a key to sign jobs with.
203+
Type: String
204+
Default: ""
205+
AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
206+
ConstraintDescription: "Expects a leading forward slash"
207+
208+
BuildkiteAgentSigningKeyID:
209+
Description: The ID of the key in the JWKS to use for signing jobs. If not specified, and the JWKS contains only one key, that key will be used.
210+
Type: String
211+
Default: ""
212+
213+
BuildkiteAgentVerificationKeySSMParameter:
214+
Description: Existing SSM Parameter Store path to the to a JSON Web Key Set (JWKS) containing keys with which to verify jobs.
215+
Type: String
216+
Default: ""
217+
AllowedPattern: "^$|^/[a-zA-Z0-9_.\\-/]+$"
218+
ConstraintDescription: "Expects a leading forward slash"
219+
198220
BuildkiteAgentCancelGracePeriod:
199221
Description: The number of seconds a canceled or timed out job is given to gracefully terminate and upload its artifacts.
200222
Type: Number
@@ -1179,6 +1201,9 @@ Resources:
11791201
$Env:BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}"
11801202
$Env:BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}"
11811203
$Env:BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}"
1204+
$Env:BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
1205+
$Env:BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
1206+
$Env:BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
11821207
$Env:BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}"
11831208
$Env:BUILDKITE_QUEUE="${BuildkiteQueue}"
11841209
$Env:BUILDKITE_AGENT_ENABLE_GIT_MIRRORS="${BuildkiteAgentEnableGitMirrors}"
@@ -1236,6 +1261,9 @@ Resources:
12361261
BUILDKITE_AGENT_TIMESTAMP_LINES="${BuildkiteAgentTimestampLines}" \
12371262
BUILDKITE_AGENT_EXPERIMENTS="${BuildkiteAgentExperiments}" \
12381263
BUILDKITE_AGENT_TRACING_BACKEND="${BuildkiteAgentTracingBackend}" \
1264+
BUILDKITE_AGENT_SIGNING_KEY_PATH="${BuildkiteAgentSigningKeySSMParameter}" \
1265+
BUILDKITE_AGENT_SIGNING_KEY_ID="${BuildkiteAgentSigningKeyID}" \
1266+
BUILDKITE_AGENT_VERIFICATION_KEY_PATH="${BuildkiteAgentVerificationKeySSMParameter}" \
12391267
BUILDKITE_AGENT_RELEASE="${BuildkiteAgentRelease}" \
12401268
BUILDKITE_AGENT_CANCEL_GRACE_PERIOD="${BuildkiteAgentCancelGracePeriod}" \
12411269
BUILDKITE_QUEUE="${BuildkiteQueue}" \

0 commit comments

Comments
 (0)