.azure-pipelines/templates/stages/deploy-stage.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

parameters:
- name: snapReleaseChannel
  type: string
  default: edge
  values:
  - edge
  - beta

stages:
  - stage: Deploy
    jobs:
      # This job relies on credentials used to publish the Certbot snaps. This
      # credential file was created by running:
      #
      #   snapcraft logout
      #   snapcraft export-login --channels=beta,edge snapcraft.cfg
      #     (provide the shared snapcraft credentials when prompted)
      #
      # Then the file was added as a secure file in Azure pipelines
      # with the name snapcraft.cfg by following the instructions at
      # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops
      # including authorizing the file for use in the "nightly" and "release"
      # pipelines as described at
      # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops#q-how-do-i-authorize-a-secure-file-for-use-in-a-specific-pipeline.
      #
      # This file has a maximum lifetime of one year and the current
      # file will expire on 2023-06-17 which is also tracked by
      # https://github.com/certbot/certbot/issues/7931. The file will
      # need to be updated before then to prevent automated deploys
      # from breaking.
      #
      # Revoking these credentials can be done by changing the password of the
      # account used to generate the credentials. See
      # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for
      # more info.
      - job: publish_snap
        pool:
          vmImage: ubuntu-22.04
        variables:
          - group: certbot-common
        strategy:
          matrix:
            amd64:
              SNAP_ARCH: amd64
            arm32v6:
              SNAP_ARCH: armhf
            arm64v8:
              SNAP_ARCH: arm64
        steps:
          - bash: |
              set -e
              sudo apt-get update
              sudo apt-get install -y --no-install-recommends snapd
              sudo snap install --classic snapcraft
            displayName: Install dependencies
          - task: DownloadPipelineArtifact@2
            inputs:
              artifact: snaps_$(SNAP_ARCH)
              path: $(Build.SourcesDirectory)/snap
            displayName: Retrieve Certbot snaps
          - task: DownloadSecureFile@1
            name: snapcraftCfg
            inputs:
              secureFile: snapcraft.cfg
          - bash: |
              set -e
              export SNAPCRAFT_STORE_CREDENTIALS=$(cat $(snapcraftCfg.secureFilePath))
              for SNAP_FILE in snap/*.snap; do
                tools/retry.sh eval snapcraft upload --release=${{ parameters.snapReleaseChannel }} "${SNAP_FILE}"
              done
            displayName: Publish to Snap store
      - job: publish_docker
        pool:
          vmImage: ubuntu-22.04
        strategy:
          matrix:
            amd64:
              DOCKER_ARCH: amd64
            arm32v6:
              DOCKER_ARCH: arm32v6
            arm64v8:
              DOCKER_ARCH: arm64v8
        steps:
          - task: DownloadPipelineArtifact@2
            inputs:
              artifact: docker_$(DOCKER_ARCH)
              path: $(Build.SourcesDirectory)
            displayName: Retrieve Docker images
          - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
            displayName: Load Docker images
          - task: Docker@2
            inputs:
              command: login
              # The credentials used here are for the shared certbotbot account
              # on Docker Hub. The credentials are stored in a service account
              # which was created by following the instructions at
              # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg.
              # The name given to this service account must match the value
              # given to containerRegistry below. The authentication used when
              # creating this service account was a personal access token
              # rather than a password to bypass 2FA. When Brad set this up,
              # Azure Pipelines failed to verify the credentials with an error
              # like "access is forbidden with a JWT issued from a personal
              # access token", but after saving them without verification, the
              # access token worked when the pipeline actually ran. "Grant
              # access to all pipelines" should also be checked on the service
              # account. The access token can be deleted on Docker Hub if
              # these credentials need to be revoked.
              containerRegistry: docker-hub
            displayName: Login to Docker Hub
          - bash: set -e && tools/docker/deploy.sh $(dockerTag) $DOCKER_ARCH
            displayName: Deploy the Docker images