Fixes #208. As a prerequisite, #212 must be merged first.

This PR configures an AppVeyor pipeline to build and publish native Windows
containers of Pebble and Challtestsrv on Docker Hub. This pipeline executes
the same logic as its Linux counterpart on Travis CI: go build, go
test using chisel2 and the `acme` module from Certbot, then docker build +
docker push.

The CI part (build + test) is executed for every commit on every branch
(including pull requests). The CD part (docker deploy) is executed
only for tags pushed on the Pebble repository. When triggered, the CD will
publish two native Windows dockers on the `letsencrypt/pebble` and
`letsencrypt/pebble-challtestsrv` Docker Hub projects:

* the pinned release tag `X.X.X-nanoserver-sac2016`, that corresponds to the
  tag released on the Git repository (Linux counterpart is `X.X.X`)
* the rolling release tag `nanoserver-sac2016` that is the latest pinned
  release (Linux counterpart is `latest`)

Aside from the AppVeyor configuration, I also modified chisel2 to be runnable on
both Python 2.x and Python 3.x, because Certbot needs to run on Python
3.x on Windows. I also made some light corrections on the Travis CI
pipeline to make it live nicely with AppVeyor.

Once this PR has been merged, one thing will need to be done by
the Pebble maintainers that I cannot do myself. Indeed, two secured
environment variables are required by this pipeline: `DOCKER_USER` and
`DOCKER_PASS` that are the Docker Hub credentials used to push the image
triggered by a Git tag push, to trigger a release.

These credentials need to be set with the login/password
of a user authorized to push to the `letsencrypt/pebble` and
`letsencrypt/pebble-challtestsrv` Docker Hub projects. To do so, go to
the AppVeyor Pebble project > Settings > Environment, and add the two
environment variables (name + value) in the "Environment variables"
section. **Be sure to check the lock "Toggle variable encryption" for
each environment variable.**

This can be done later after this PR has been merged, because as I said,
the credentials are required only when a tag, and so a new release of
Pebble, is pushed.

I had added `verify_ssl=False` a while ago and forgotten about it. This removes
that, and adds `REQUESTS_CA_BUNDLE` to CI so we trust the Pebble minica.

Additional changes:
- Update chisel2.py to use `josepy`, which was factored out from the `acme` library.
- Stop setting `$DIRECTORY`, since the default in chisel2.py works fine.
- Use certbot-auto instead of letsencrypt-auto to install OS packages. This is essentially the same, but follows the certbot development setup instructions more closely.

Since Pebble has a lower review standard than Boulder (one review rather than
two), it's easier to keep this copy up-to-date with changes in the Certbot
acme-v2 repo, and therefore keep the tests running.
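
An added example, not part of the commit messages above or of Pebble's code: a CI-side check matching the change that removed `verify_ssl=False` and set `REQUESTS_CA_BUNDLE`. It flags calls that switch certificate verification off and checks that the CA bundle variable points at a PEM file. The function names and the sample source are constructed for illustration, and covering the `requests` keyword `verify` is an assumption that goes beyond what the page mentions.

```python
import ast
import os

# Keywords that turn certificate verification off. `verify_ssl` is the one the
# commit message names; `verify` (requests) is an assumption added here.
TLS_KEYWORDS = {"verify_ssl", "verify"}

# Constructed sample, not taken from chisel2.py.
SAMPLE = '''\
net = client.ClientNetwork(key, user_agent="chisel2", verify_ssl=False)
ok = client.ClientNetwork(key, user_agent="chisel2")
resp = requests.get(url, verify=False)
'''

def _call_name(func):
    """Render the callee of an ast.Call as a dotted name."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def find_disabled_tls(source):
    """Return sorted (line, callee, keyword) for calls passing <keyword>=False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg in TLS_KEYWORDS and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, _call_name(node.func), kw.arg))
    return sorted(findings)

def ca_bundle_problem(env):
    """Return why REQUESTS_CA_BUNDLE is unusable, or None if it looks fine."""
    path = env.get("REQUESTS_CA_BUNDLE")
    if not path:
        return "REQUESTS_CA_BUNDLE is not set"
    if not os.path.isfile(path):
        return "REQUESTS_CA_BUNDLE does not point to a file"
    with open(path, errors="replace") as handle:
        if "-----BEGIN CERTIFICATE-----" not in handle.read():
            return "REQUESTS_CA_BUNDLE file holds no PEM certificate"
    return None

if __name__ == "__main__":
    for line, callee, keyword in find_disabled_tls(SAMPLE):
        print("line %d: %s(%s=False)" % (line, callee, keyword))
    print(ca_bundle_problem(os.environ) or "CA bundle OK")
```

Run over the test scripts in CI, a non-empty result from `find_disabled_tls` or a non-`None` result from `ca_bundle_problem` is a reason to fail the build.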