Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin' into grace/build-fix
Browse files Browse the repository at this point in the history
  • Loading branch information
gracewehner committed Oct 19, 2023
2 parents fab6ac1 + 68b555a commit 4cb17c4
Show file tree
Hide file tree
Showing 786 changed files with 330,502 additions and 2,463 deletions.
Empty file added .gitmodules
Empty file.
200 changes: 195 additions & 5 deletions .pipelines/azure-pipeline-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ trigger:
branches:
include:
- main

pr:
autoCancel: true
branches:
Expand Down Expand Up @@ -29,6 +30,8 @@ jobs:
pool:
name: Azure-Pipelines-CI-Test-EO
steps:
- checkout: self
submodules: true
- bash: |
if [ $(IS_PR) == "True" ]; then
BRANCH_NAME=$(System.PullRequest.SourceBranch)
Expand All @@ -46,6 +49,10 @@ jobs:
# Truncating to 128 characters as it is required by docker
LINUX_IMAGE_TAG=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-128)
#Truncating this to 124 to add the cfg suffix
LINUX_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-124)
LINUX_CONFIG_READER_IMAGE_TAG=$LINUX_IMAGE_TAG_PREFIX-cfg
#Truncating this to 113 to add the ref app suffices
LINUX_REF_APP_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-113)
LINUX_REF_APP_GOLANG_IMAGE_TAG=$LINUX_REF_APP_IMAGE_TAG_PREFIX-ref-app-golang
Expand All @@ -55,6 +62,11 @@ jobs:
WINDOWS_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-115)
WINDOWS_IMAGE_TAG=$WINDOWS_IMAGE_TAG_PREFIX-win
#Truncating this to 112 characters to add the targetallocator suffix
TARGET_ALLOCATOR_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-124)
TARGET_ALLOCATOR_IMAGE_TAG=$TARGET_ALLOCATOR_IMAGE_TAG_PREFIX-targetallocator
#Truncating this to 113 to add the ref app suffices
WIN_REF_APP_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-107)
WIN_REF_APP_GOLANG_IMAGE_TAG=$WIN_REF_APP_IMAGE_TAG_PREFIX-win-ref-app-golang
Expand All @@ -65,6 +77,8 @@ jobs:
WINDOWS_2022_BASE_IMAGE_VERSION=ltsc2022
LINUX_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$LINUX_IMAGE_TAG
TARGET_ALLOCATOR_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$TARGET_ALLOCATOR_IMAGE_TAG
LINUX_CONFIG_READER_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$LINUX_CONFIG_READER_IMAGE_TAG
WINDOWS_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$WINDOWS_IMAGE_TAG
HELM_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY_HELM/$HELM_CHART_NAME:$SEMVER
ARC_HELM_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY_HELM/$ARC_HELM_CHART_NAME:$SEMVER
Expand All @@ -76,6 +90,9 @@ jobs:
echo "##vso[build.updatebuildnumber]$SEMVER"
echo "##vso[task.setvariable variable=SEMVER;isOutput=true]$SEMVER"
echo "##vso[task.setvariable variable=LINUX_FULL_IMAGE_NAME;isOutput=true]$LINUX_FULL_IMAGE_NAME"
echo "##vso[task.setvariable variable=TARGET_ALLOCATOR_IMAGE_TAG;isOutput=true]$TARGET_ALLOCATOR_IMAGE_TAG"
echo "##vso[task.setvariable variable=TARGET_ALLOCATOR_FULL_IMAGE_NAME;isOutput=true]$TARGET_ALLOCATOR_FULL_IMAGE_NAME"
echo "##vso[task.setvariable variable=LINUX_CONFIG_READER_FULL_IMAGE_NAME;isOutput=true]$LINUX_CONFIG_READER_FULL_IMAGE_NAME"
echo "##vso[task.setvariable variable=WINDOWS_FULL_IMAGE_NAME;isOutput=true]$WINDOWS_FULL_IMAGE_NAME"
echo "##vso[task.setvariable variable=LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME;isOutput=true]$LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME"
echo "##vso[task.setvariable variable=LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME;isOutput=true]$LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME"
Expand Down Expand Up @@ -227,6 +244,8 @@ jobs:
# This is necessary because of: https://github.com/moby/moby/issues/37965
DOCKER_BUILDKIT: 1
steps:
- checkout: self
submodules: true

- task: CodeQL3000Init@0
displayName: 'SDL: init codeql'
Expand All @@ -242,14 +261,14 @@ jobs:
make
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
workingDirectory: $(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/
displayName: "SDL: build otelcollector, promconfigvalidator, and fluent-bit plugin for scanning"
displayName: "SDL: build otelcollector, promconfigvalidator, targetallocator, and fluent-bit plugin for scanning"
- task: BinSkim@4
displayName: 'SDL: run binskim'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
inputs:
InputType: 'CommandLine'
arguments: 'analyze --rich-return-code $(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/otelcollector $(Build.SourcesDirectory)/otelcollector/prom-config-validator-builder/promconfigvalidator $(Build.SourcesDirectory)/otelcollector/fluent-bit/src/out_appinsights.so'
arguments: 'analyze --rich-return-code $(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/otelcollector $(Build.SourcesDirectory)/otelcollector/prom-config-validator-builder/promconfigvalidator $(Build.SourcesDirectory)/otelcollector/otel-allocator/targetallocator $(Build.SourcesDirectory)/otelcollector/fluent-bit/src/out_appinsights.so'

- task: Gosec@1
displayName: 'SDL: run gosec'
Expand Down Expand Up @@ -425,6 +444,176 @@ jobs:
GdnBreakGdnToolSemmle: true
GdnBreakGdnToolSemmleSeverity: 'Warning'

- job: TargetAllocator
displayName: Build target allocator image
pool:
name: Azure-Pipelines-CI-Test-EO
dependsOn: common
variables:
TARGET_ALLOCATOR_FULL_IMAGE_NAME: $[ dependencies.common.outputs['setup.TARGET_ALLOCATOR_FULL_IMAGE_NAME'] ]
# This is necessary because of: https://github.com/moby/moby/issues/37965
DOCKER_BUILDKIT: 1
steps:
- checkout: self
persistCredentials: true
- bash: |
mkdir -p $(Build.ArtifactStagingDirectory)/targetallocator
# Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx
sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
docker buildx create --name dockerbuilder
docker buildx use dockerbuilder
docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
if [ "$(Build.Reason)" != "PullRequest" ]; then
docker buildx build . --platform=linux/amd64,linux/arm64 --file Dockerfile -t $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/targetallocator/metadata.json --push
docker pull $(TARGET_ALLOCATOR_FULL_IMAGE_NAME)
else
# Build multiarch image to make sure there are no issues
docker buildx build . --platform=linux/amd64,linux/arm64 --file Dockerfile -t $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/targetallocator/metadata.json
# Load in amd64 image to run vulnerability scan
docker buildx build . --file Dockerfile -t $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/targetallocator/metadata.json
fi
MEDIA_TYPE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType')
DIGEST=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.digest')
SIZE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.size')
cat <<EOF >>$(Build.ArtifactStagingDirectory)/targetallocator/payload.json
{"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}}
EOF
workingDirectory: $(Build.SourcesDirectory)/otelcollector/otel-allocator
displayName: "Build: build and push target allocator image to dev ACR"
- bash: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(TARGET_ALLOCATOR_FULL_IMAGE_NAME)
workingDirectory: $(Build.SourcesDirectory)
displayName: "Build: run trivy scan"
condition: eq(variables.IS_PR, false)
- task: EsrpCodeSigning@3
displayName: "ESRP CodeSigning for TargetAllocator"
inputs:
ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages"
FolderPath: $(Build.ArtifactStagingDirectory)/targetallocator/
Pattern: "*.json"
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-469451",
"operationSetCode": "NotaryCoseSign",
"parameters": [
{
"parameterName": "CoseFlags",
"parameterValue": "chainunprotected"
}
],
"toolName": "sign",
"toolVersion": "1.0"
}
]
- bash: |
set -euxo pipefail
curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_1.0.0_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_1.0.0_*.tar.gz oras-install/
oras attach $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) \
--artifact-type 'application/vnd.cncf.notary.signature' \
./payload.json:application/cose \
-a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
workingDirectory: $(Build.ArtifactStagingDirectory)/targetallocator/
displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/targetallocator/"
condition: eq(variables.IS_MAIN_BRANCH, true)
- job: Linux_ConfigReader
displayName: Build linux image for config reader
pool:
name: Azure-Pipelines-CI-Test-EO
dependsOn: common
variables:
LINUX_CONFIG_READER_FULL_IMAGE_NAME: $[ dependencies.common.outputs['setup.LINUX_CONFIG_READER_FULL_IMAGE_NAME'] ]
# This is necessary because of: https://github.com/moby/moby/issues/37965
DOCKER_BUILDKIT: 1
steps:
- bash: |
mkdir -p $(Build.ArtifactStagingDirectory)/linuxcfgreader
# Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx
sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
docker buildx create --name dockerbuilder
docker buildx use dockerbuilder
docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
if [ "$(Build.Reason)" != "PullRequest" ]; then
docker buildx build . --platform=linux/amd64,linux/arm64 --file ./build/linux/configuration-reader/Dockerfile -t $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/configuration-reader/metadata.json --push
docker pull $(LINUX_CONFIG_READER_FULL_IMAGE_NAME)
else
# Build multiarch image to make sure there are no issues
docker buildx build . --platform=linux/amd64,linux/arm64 --file ./build/linux/configuration-reader/Dockerfile -t $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/configuration-reader/metadata.json
# Load in amd64 image to run vulnerability scan
docker buildx build . --file ./build/linux/configuration-reader/Dockerfile -t $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/configuration-reader/metadata.json
fi
MEDIA_TYPE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType')
DIGEST=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.digest')
SIZE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.size')
cat <<EOF >>$(Build.ArtifactStagingDirectory)/linuxcfgreader/payload.json
{"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}}
EOF
workingDirectory: $(Build.SourcesDirectory)/otelcollector/
displayName: "Build: build and push configuration reader image to dev ACR"
- bash: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(LINUX_CONFIG_READER_FULL_IMAGE_NAME)
trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(KUBE_STATE_METRICS_IMAGE)
workingDirectory: $(Build.SourcesDirectory)
displayName: "Build: run trivy scan"
condition: eq(variables.IS_PR, false)
- task: EsrpCodeSigning@3
displayName: "ESRP CodeSigning for Config Reader"
inputs:
ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages"
FolderPath: $(Build.ArtifactStagingDirectory)/linuxcfgreader/
Pattern: "*.json"
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-469451",
"operationSetCode": "NotaryCoseSign",
"parameters": [
{
"parameterName": "CoseFlags",
"parameterValue": "chainunprotected"
}
],
"toolName": "sign",
"toolVersion": "1.0"
}
]
- bash: |
set -euxo pipefail
curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_1.0.0_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_1.0.0_*.tar.gz oras-install/
oras attach $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) \
--artifact-type 'application/vnd.cncf.notary.signature' \
./payload.json:application/cose \
-a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
workingDirectory: $(Build.ArtifactStagingDirectory)/linuxcfgreader/
displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linuxcfgreader/"
condition: eq(variables.IS_MAIN_BRANCH, true)
- job: Windows2019
displayName: "Build windows 2019 image"
pool:
Expand Down Expand Up @@ -743,15 +932,15 @@ jobs:
else
echo "-e error failed to login to az with managed identity credentials"
exit 1
fi
fi
ACCESS_TOKEN=$(az account get-access-token --resource $RESOURCE_AUDIENCE --query accessToken -o json)
if [ $? -eq 0 ]; then
echo "get access token from resource:$RESOURCE_AUDIENCE successfully."
else
echo "-e error get access token from resource:$RESOURCE_AUDIENCE failed."
exit 1
fi
fi
ACCESS_TOKEN=$(echo $ACCESS_TOKEN | tr -d '"' | tr -d '"\r\n')
ARC_API_URL="https://eastus2euap.dp.kubernetesconfiguration.azure.com"
Expand All @@ -772,7 +961,7 @@ jobs:
inputs:
azureSubscription: 'ContainerInsights_Build_Subscription(9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb)'
scriptType: 'bash'
scriptLocation: 'inlineScript'
scriptLocation: 'inlineScript'
inlineScript: |
az config set extension.use_dynamic_install=yes_without_prompt
az k8s-extension update --name azuremonitor-metrics --resource-group ci-dev-arc-wcus --cluster-name ci-dev-arc-wcus --cluster-type connectedClusters --version $HELM_SEMVER --release-train pipeline
Expand All @@ -795,6 +984,7 @@ jobs:
HELM_FULL_IMAGE_NAME: $[ dependencies.common.outputs['setup.HELM_FULL_IMAGE_NAME'] ]
steps:
- checkout: self
submodules: true
persistCredentials: true

- bash: |
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
{
"$schema": "http://schema.express.azure.com/schemas/2015-01-01-alpha/RolloutParameters.json",
"contentVersion": "1.0.0.0",
"wait": [
{
"name": "waitSdpBakeTime",
"properties": {
"duration": "PT24H"
}
}
],
"shellExtensions": [
{
"name": "PushAgentToACR",
"type": "ShellExtensionType",
"properties": {
"maxexecutiontime": "PT1H"
},
"package": {
"reference": {
"path": "artifacts.tar.gz"
}
},
"launch": {
"command": [
"/bin/bash",
"pushAgentToAcr.sh"
],
"environmentVariables": [
{
"name": "ACR_REGISTRY",
"value": "__ACR_REGISTRY__"
},
{
"name": "PROD_ACR_REPOSITORY",
"value": "__PROD_ACR_AGENT_REPOSITORY__"
},
{
"name": "MCR_REGISTRY",
"value": "__MCR_REGISTRY__"
},
{
"name": "PROD_MCR_REPOSITORY",
"value": "__PROD_MCR_AGENT_REPOSITORY__"
},
{
"name": "DEV_MCR_REPOSITORY",
"value": "__DEV_MCR_AGENT_REPOSITORY__"
},
{
"name": "IMAGE_TAG",
"value": "__CONFIGREADER_TAG__"
}
],
"identity": {
"type": "userAssigned",
"userAssignedIdentities": [
"__MANAGED_IDENTITY__"
]
}
}
}
]
}
Loading

0 comments on commit 4cb17c4

Please sign in to comment.