##
##  spire.spec -- OpenPKG RPM Package Specification
##  Copyright (c) 2000-2021 OpenPKG Project
##
##  Permission to use, copy, modify, and distribute this software for
##  any purpose with or without fee is hereby granted, provided that
##  the above copyright notice and this permission notice appear in all
##  copies.
##
##  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
##  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
##  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
##  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
##  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
##  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
##  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
##  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
##  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
##  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
##  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
##  SUCH DAMAGE.
##

#   package version
#   V_opkg is the upstream SPIRE release, V_dist the date of the
#   OpenPKG-repacked snapshot tarball; both are combined into Version.
%define       V_opkg 1.1.2
%define       V_dist 20211218

#   package information
Name:         spire
Summary:      SPIFFE Runtime Environment (SPIRE)
URL:          https://github.com/spiffe/spire
Vendor:       Scytale
Packager:     OpenPKG Project
Distribution: OpenPKG Community
Class:        EVAL
Group:        Cryptography
License:      Apache
Version:      %{V_opkg}.%{V_dist}
Release:      20211218

#   package options
#   Both daemons are enabled by default; the options only control which
#   daemon names the installed rc script is told to manage.
%option       with_agent  yes
%option       with_server yes

#   list of sources
#   Source0 is fetched over plain HTTP; integrity relies on the OpenPKG
#   build tooling's own checks of the downloaded tarball (not visible here).
Source0:      http://download.openpkg.org/components/versioned/spire/spire-%{V_dist}.tar.xz
Source1:      rc.spire
Source2:      spire-server.conf
Source3:      spire-agent.conf
Source4:      spire-ca.sh

#   build information
#   openssl is a runtime prerequisite because the spire-ca helper
#   (Source4) generates the CA certificate/key pair at install time.
BuildPreReq:  OpenPKG, openpkg >= 20160101, go
PreReq:       OpenPKG, openpkg >= 20160101, openssl

%description
    SPIRE (the SPIFFE Runtime Environment) is a tool-chain for
    establishing trust between software systems across a wide variety of
    hosting platforms.

    Concretely, SPIRE exposes the SPIFFE Workload API, which can attest
    running software systems and issue SPIFFE IDs and SVIDs to them. This
    in turn allows two workloads to establish trust between each other,
    for example by establishing an mTLS connection or by signing and
    verifying a JWT token.

%track
    prog spire:release = {
        version   = %{V_opkg}
        url       = https://github.com/spiffe/spire/releases
        regex     = (__VER__)\.tar\.gz
    }
    prog spire:snapshot = {
        version   = %{V_dist}
        url       = http://download.openpkg.org/components/versioned/spire/
        regex     = spire-(__VER__)\.tar\.xz
    }

%prep
    %setup -q -n spire

%build
    #   adjust paths: relocate the agent's compiled-in default Workload API
    #   socket from /tmp into the package's private run directory, so the
    #   agent does not default to a path in the shared, world-writable /tmp
    %{l_shtool} subst \
        -e 's;/tmp/agent\.sock;%{l_prefix}/var/spire/run/spire-agent.sock;g' \
        src/github.com/spiffe/spire/cmd/spire-agent/cli/api/watch.go \
        src/github.com/spiffe/spire/cmd/spire-agent/cli/common/defaults.go \
        src/github.com/spiffe/spire/api/workload/v2/workload.go

    #   build program
    #   GOPATH-mode build rooted in the unpacked tarball.
    #   NOTE(review): whether all Go dependencies are shipped inside the
    #   snapshot tarball (no network fetch during build) is not visible
    #   here -- confirm against the tarball contents.
    export GOPATH=`pwd`
    cd src/github.com/spiffe/spire
    go build -v -o spire-agent  cmd/spire-agent/main.go
    go build -v -o spire-server cmd/spire-server/main.go

%install
    #   create installation hierarchy
    #   NOTE(review): every directory, including the per-daemon data
    #   directories, is created 0755 and later chowned to the run user.
    #   If the server/agent store key material or the datastore there,
    #   0700 would be the tighter choice -- confirm what the shipped
    #   configuration files (Source2/Source3) write into these paths.
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
        $RPM_BUILD_ROOT%{l_prefix}/etc/spire/spire-server.d \
        $RPM_BUILD_ROOT%{l_prefix}/etc/spire/spire-agent.d \
        $RPM_BUILD_ROOT%{l_prefix}/sbin \
        $RPM_BUILD_ROOT%{l_prefix}/var/spire/run \
        $RPM_BUILD_ROOT%{l_prefix}/var/spire/log \
        $RPM_BUILD_ROOT%{l_prefix}/var/spire/data/spire-server.d \
        $RPM_BUILD_ROOT%{l_prefix}/var/spire/data/spire-agent.d

    #   install program (-s strips the binaries on install)
    %{l_shtool} install -c -s -m 755 \
        src/github.com/spiffe/spire/spire-agent \
        $RPM_BUILD_ROOT%{l_prefix}/sbin/
    %{l_shtool} install -c -s -m 755 \
        src/github.com/spiffe/spire/spire-server \
        $RPM_BUILD_ROOT%{l_prefix}/sbin/

    #   install utility
    #   spire-ca.sh is installed as sbin/spire-ca with its shell
    #   interpreter path substituted; it is run by the post scriptlet.
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        -e 's;@l_bash@;%{l_bash};g' \
        %{SOURCE spire-ca.sh} $RPM_BUILD_ROOT%{l_prefix}/sbin/spire-ca

    #   install default configuration
    #   Installed 0644 (world-readable); the configuration files are
    #   templates (macro values substituted), not secret material.
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE spire-server.conf} \
        %{SOURCE spire-agent.conf} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/spire/

    #   install run-command script
    #   Build the space-separated daemon list from the package options and
    #   substitute it into the rc script, so only the selected daemons are
    #   started/stopped by the rc framework.
%if "%{with_server}" == "yes"
    daemons="${daemons}${daemons+ }server"
%endif
%if "%{with_agent}" == "yes"
    daemons="${daemons}${daemons+ }agent"
%endif
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        -e "s;@daemons@;$daemons;g" \
        %{SOURCE rc.spire} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/

    #   determine installation files
    #   etc/spire is marked as configuration; everything under var/spire is
    #   owned by the OpenPKG run user/group rather than root.
    %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
        %{l_files_std} \
        '%config %{l_prefix}/etc/spire/*' \
        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/spire/*' \
        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/spire/*/*'

%files -f files

%clean

%post
    if [ $1 -eq 1 ]; then
        #   on initial installation, generate CA certificate/key pair
        #   "example.com" is a placeholder trust domain; the notice printed
        #   below instructs the administrator to regenerate the CA pair for
        #   the real SPIFFE trust domain before production use.
        echo "Generating SPIRE CA Certificates/Keys" | %{l_rpmtool} msg -b -t notice
        $RPM_INSTALL_PREFIX/sbin/spire-ca example.com
        ( echo "SPIRE was configured with a standard CA certificate/key pair."
          echo "for \"example.com\". For production use, you usually let"
          echo "SPIRE use a real SPIFFE Trust Domain name For this the SPIRE"
          echo "CA certificate/key pair has to be regenerated with:"
          echo " \$ $RPM_INSTALL_PREFIX/sbin/spire-ca "
        ) | %{l_rpmtool} msg -b -t notice
    elif [ $1 -eq 2 ]; then
        #   after upgrade, restart service (only if it was running)
        #   The status output is sourced via eval; it presumably originates
        #   from the package's own rc script (Source1), not from user input.
        eval `%{l_rc} spire status 2>/dev/null`
        [ ".$spire_active" = .yes ] && %{l_rc} spire restart
    fi
    exit 0

%preun
    if [ $1 -eq 0 ]; then
        #   before erase, stop service and remove log files
        #   Erase is destructive: the generated CA certificate/key (which
        #   the post scriptlet writes outside the RPM file list, apparently
        #   under etc/spire), all logs, run-time state and all server/agent
        #   data are deleted without any backup.
        #   NOTE(review): RPM_INSTALL_PREFIX is used unquoted and without a
        #   ${RPM_INSTALL_PREFIX:?} guard in front of rm -rf; an empty value
        #   would turn these into removals relative to the filesystem root.
        %{l_rc} spire stop 2>/dev/null
        rm -f  $RPM_INSTALL_PREFIX/etc/spire/spire-ca.* >/dev/null 2>&1 || true
        rm -rf $RPM_INSTALL_PREFIX/var/spire/log/*  >/dev/null 2>&1 || true
        rm -rf $RPM_INSTALL_PREFIX/var/spire/run/*  >/dev/null 2>&1 || true
        rm -rf $RPM_INSTALL_PREFIX/var/spire/data/* >/dev/null 2>&1 || true
    fi
    exit 0