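// Drone pipeline definition for the squid stack, written in Jsonnet.
//
// Two groups of secret-store names drive the deploy steps. The split decides
// which values may be printed (build log / env file on the host) and which are
// only forwarded to the remote shell.

// Values that identify the target host; printing them is acceptable.
local publicSecrets = [
  'ssh-host',
  'ssh-user',
  'ssh-root-user',
];

// Values that authenticate to the target host; forwarded but never echoed.
// (`ssh-port` is referenced directly by the scp/ssh images and is not in
// either list, so it is neither exported nor printed by the deploy steps.)
local secretSecrets = [
  'ssh-password',
];

local util = {
  // the first element of an array
  head(array): array[0],

  // every element after the first; callers must not pass an empty array
  // (std.makeArray with a negative length is an evaluation error)
  tail(array): std.makeArray(
    std.length(array) - 1,
    function(x) array[x + 1],
  ),

  // fold an array of one-argument functions into a single function that
  // applies them left to right: compose([f, g])(x) == g(f(x));
  // compose([]) is the identity
  compose(functions):
    local compose(functions) =
      if std.length(functions) == 0 then
        local ret(object) = object;
        ret
      else
        local ret(object) =
          compose(util.tail(functions))(util.head(functions)(object));
        ret;
    compose(functions),

  // Drone secret reference as used in `environment` / plugin `settings`
  fromSecret(secret): { from_secret: secret },

  // secret-store spelling: lower case, dash separated (SSH_HOST -> ssh-host)
  secret(secret): std.asciiLower(std.strReplace(secret, '_', '-')),

  // shell variable spelling: upper case, underscores (ssh-host -> SSH_HOST)
  environment(secret): std.asciiUpper(std.strReplace(secret, '-', '_')),

  // drone-ssh `envs` spelling: lower case, underscores (ssh-host -> ssh_host)
  env(secret): std.asciiLower(std.strReplace(secret, '-', '_')),

  // step transformer: pull secret `env` into the step's environment under its
  // shell name, and list it in settings.envs so the ssh plugin forwards it
  envSet(env):
    function(step) step {
      environment+: {
        [util.environment(env)]: util.fromSecret(util.secret(env)),
      },
      settings+: {
        envs+: [util.env(env)],
      },
    },

  // step transformer: envSet(env) plus one script line that appends
  // `export NAME='value'` for `env` to `file` on the remote host. The value
  // is written in clear text, so use this only for names in publicSecrets.
  printEnv(file, env):
    function(step) util.compose([
      util.envSet(env),
      function(step) step {
        settings+: {
          script+: [
            'echo "export %(environment)s=\'$${%(environment)s}\'" >> %(file)s # "%(secret)s"' % {
              environment: util.environment(env),
              file: file,
              secret: util.secret(env),
            },
          ],
        },
      },
    ])(step),
};

local images = {
  docker: {
    name: 'docker',
    image: 'docker:dind',
  },

  // copy the checkout to `target` on the host named by the ssh-* secrets
  // (password authentication, same credentials as the `ssh` image)
  scp(target): {
    name: 'scp',
    image: 'appleboy/drone-scp',
    settings: {
      host: util.fromSecret('ssh-host'),
      username: util.fromSecret('ssh-user'),
      password: util.fromSecret('ssh-password'),
      port: util.fromSecret('ssh-port'),
      command_timeout: '2m',
      target: target,
      source: ['.'],
    },
  },

  // run `settings.script` on the host named by the ssh-* secrets; callers
  // extend `script` and `envs` with `settings+:`
  ssh: {
    image: 'appleboy/drone-ssh',
    settings: {
      host: util.fromSecret('ssh-host'),
      port: util.fromSecret('ssh-port'),
      username: util.fromSecret('ssh-user'),
      password: util.fromSecret('ssh-password'),
      envs: [
        'drone_tag',
        'drone_commit',
        'drone_build_number',
        'drone_repo_name',
        'drone_repo_namespace',
      ],
      script: [],
    },
  },

  // pause the pipeline for `delay` seconds
  wait(delay): {
    image: 'alpine',
    name: 'wait',
    commands: ['sleep %s' % delay],
  },
};

[
  {
    kind: 'pipeline',
    type: 'docker',
    name: 'build',
    clone: {
      disable: false,
      depth: 0,
    },
    services: [
      images.docker {
        privileged: true,
        volumes: [
          { name: 'dockersock', path: '/var/run' },
          { name: 'ca', path: '/etc/docker/certs.d' },
        ],
      },
    ],
    volumes: [
      { name: 'dockersock', temp: {} },
      { name: 'ca', host: { path: '/etc/docker/certs.d' } },
    ],
    steps: [
      images.scp('/stack/squid'),
      images.wait(15),

      // write the public ssh-* values to `afile` on the host, then remove it
      util.compose(
        std.map(function(secret) util.printEnv('afile', secret), publicSecrets)
      )(
        images.ssh {
          name: 'will print ssh-host again',
          settings+: {
            script+: ['rm afile'],
          },
        },
      ),

      util.compose(
        // forward every ssh-* secret to the remote shell ...
        std.map(function(s) util.envSet(s), publicSecrets + secretSecrets)
        // ... and re-export each one there
        + std.map(
          function(s) function(step) step {
            settings+: {
              script+: [
                'export %(env)s="$${%(env)s}"' % { env: util.environment(s) },
              ] + (
                // only the public values are printed: echoing ssh-password
                // would write the password into the build log
                if std.member(publicSecrets, s) then
                  ['echo "$${%s}"' % util.environment(s)]
                else
                  []
              ),
            },
          },
          publicSecrets + secretSecrets,
        )
      )(
        images.ssh {
          name: 'deploy squid',
          settings+: {
            //username: util.fromSecret("ssh-root-user"),
            //password: util.fromSecret("ssh-root-password"),
            script+: [
              'set -e',
              'docker network prune -f',
              'cd /stack/squid/myCA',
              // a fresh CA key pair is generated on every deploy and left in
              // /stack/squid/myCA; any client that pinned the previous CA
              // certificate stops trusting the proxy after this runs
              'openssl genrsa -out CA_key.pem 2048',
              'openssl req -x509 -days 600 -new -nodes -key CA_key.pem -out CA_crt.pem -extensions v3_ca -config openssl.cnf -subj "/C=US/ST=California/L=Mountain View/O=Google/OU=Enterprise/CN=MyCA"',
              'cd ..',
              'docker stack rm squid',
              'sleep 30',
              'docker stack deploy -c docker-compose.yml squid',
            ],
          },
        },
      ),
    ],
  },
]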