From 9a2ffa8523952acf82ae3fc1765c2c241dfa241c Mon Sep 17 00:00:00 2001
From: Grace Wehner
Date: Wed, 13 Mar 2024 16:00:32 -0700
Subject: [PATCH] build: onebranch migration (#778)

---
 .pipelines/OneBranch.Official.yml | 1180 +++++++++++++++++++++++++++
 .pipelines/azure-pipeline-build.yml | 2 +-
 .trivyignore | 1 +
 3 files changed, 1182 insertions(+), 1 deletion(-)
 create mode 100644 .pipelines/OneBranch.Official.yml

diff --git a/.pipelines/OneBranch.Official.yml b/.pipelines/OneBranch.Official.yml
new file mode 100644
index 000000000..ec1a9a72d
--- /dev/null
+++ b/.pipelines/OneBranch.Official.yml
@@ -0,0 +1,1180 @@
+# This Yaml Document has been converted by ESAI Yaml Pipeline Conversion Tool.
+# Please make sure to check all the converted content, it is your team's responsibility to make sure that the pipeline is still valid and functions as expected.
+# The SBOM tasks have been removed because they are not required for the unofficial template.
+# You can manually enable SBOM in the unofficial template if needed, othewise its automatically enabled when using official template. https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sbom
+# This pipeline will be extended to the OneBranch template
+trigger:
+ branches:
+ include:
+ - main
+pr:
+ autoCancel: true
+ branches:
+ include:
+ - main
+variables:
+- name: HELM_CHART_NAME
+ value: 'prometheus-collector'
+- name: ARC_HELM_CHART_NAME
+ value: 'ama-metrics-arc'
+- name: ACR_REGISTRY
+ value: 'containerinsightsprod.azurecr.io'
+- name: ACR_REPOSITORY
+ value: '/public/azuremonitor/containerinsights/cidev/prometheus-collector/images'
+- name: ACR_REPOSITORY_HELM
+ value: '/public/azuremonitor/containerinsights/cidev'
+- name: MCR_REGISTRY
+ value: 'mcr.microsoft.com'
+- name: MCR_REPOSITORY
+ value: '/azuremonitor/containerinsights/cidev/prometheus-collector/images'
+- name: MCR_REPOSITORY_HELM
+ value: '/azuremonitor/containerinsights/cidev/prometheus-collector'
+- name: MCR_REPOSITORY_HELM_DEPENDENCIES
+ value: '/azuremonitor/containerinsights/cidev'
+- name: KUBE_STATE_METRICS_IMAGE
+ value: 'mcr.microsoft.com/oss/kubernetes/kube-state-metrics:v2.9.2'
+- name: NODE_EXPORTER_IMAGE
+ value: 'mcr.microsoft.com/oss/prometheus/node-exporter:v1.6.0'
+- name: IS_PR
+ value: $[eq(variables['Build.Reason'], 'PullRequest')]
+- name: IS_MAIN_BRANCH
+ value: $[eq(variables['Build.SourceBranchName'], 'main')]
+- name: LinuxContainerImage
+ value: onebranch.azurecr.io/linux/ubuntu-2004:latest
+- name: WindowsContainerImage
+ value: 
onebranch.azurecr.io/windows/ltsc2019/vse2022:latest + +resources: + repositories: + - repository: onebranchTemplates + type: git + name: OneBranch.Pipelines/GovernedTemplates + ref: refs/heads/main + +extends: + template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates + parameters: + customTags: 'ES365AIMigrationTooling-BulkMigrated' + stages: + - stage: BuildAndDeploy + jobs: + - job: Image_Tags_and_Ev2_Artifacts + displayName: "Build: Set image tags and publish Ev2 artifacts" + pool: + name: Azure-Pipelines-CI-Test-EO + variables: + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - checkout: self + submodules: true + - bash: | + if [ $(IS_PR) == "True" ]; then + BRANCH_NAME=$(System.PullRequest.SourceBranch) + else + BRANCH_NAME=$(Build.SourceBranch) + BRANCH_NAME=${BRANCH_NAME#refs/heads/} + fi + BRANCH_NAME=$(echo $BRANCH_NAME | tr / - | tr . - | tr _ - | cut -c1-90) + COMMIT_SHA=$(echo $(Build.SourceVersion) | cut -b -8) + DATE=$(TZ=America/Los_Angeles date +%m-%d-%Y) + VERSION=$(cat $(Build.SourcesDirectory)/otelcollector/VERSION) + SEMVER=$VERSION-$BRANCH_NAME-$DATE-$COMMIT_SHA + + LINUX_IMAGE_TAG=$SEMVER + # Truncating to 128 characters as it is required by docker + LINUX_IMAGE_TAG=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-128) + + #Truncating this to 124 to add the cfg suffix + LINUX_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-124) + LINUX_CONFIG_READER_IMAGE_TAG=$LINUX_IMAGE_TAG_PREFIX-cfg + + #Truncating this to 113 to add the ref app suffices + LINUX_REF_APP_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-113) + LINUX_REF_APP_GOLANG_IMAGE_TAG=$LINUX_REF_APP_IMAGE_TAG_PREFIX-ref-app-golang + LINUX_REF_APP_PYTHON_IMAGE_TAG=$LINUX_REF_APP_IMAGE_TAG_PREFIX-ref-app-python + + # Truncating to 115 characters as it is required by docker (4 characters used in -win and 9 characters used in -ltsc2019/-ltsc2022) + 
WINDOWS_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-115) + WINDOWS_IMAGE_TAG=$WINDOWS_IMAGE_TAG_PREFIX-win + + #Truncating this to 112 characters to add the targetallocator suffix + TARGET_ALLOCATOR_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-112) + TARGET_ALLOCATOR_IMAGE_TAG=$TARGET_ALLOCATOR_IMAGE_TAG_PREFIX-targetallocator + + #Truncating this to 113 to add the ref app suffices + WIN_REF_APP_IMAGE_TAG_PREFIX=$(echo "${LINUX_IMAGE_TAG}" | cut -c1-107) + WIN_REF_APP_GOLANG_IMAGE_TAG=$WIN_REF_APP_IMAGE_TAG_PREFIX-win-ref-app-golang + WIN_REF_APP_PYTHON_IMAGE_TAG=$WIN_REF_APP_IMAGE_TAG_PREFIX-win-ref-app-python + + # Truncating to 119 characters as it is required by docker (9 characters used in -ltsc2019/-ltsc2022) + WINDOWS_2019_BASE_IMAGE_VERSION=ltsc2019 + WINDOWS_2022_BASE_IMAGE_VERSION=ltsc2022 + + LINUX_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$LINUX_IMAGE_TAG + TARGET_ALLOCATOR_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$TARGET_ALLOCATOR_IMAGE_TAG + LINUX_CONFIG_READER_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$LINUX_CONFIG_READER_IMAGE_TAG + WINDOWS_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$WINDOWS_IMAGE_TAG + HELM_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY_HELM/$HELM_CHART_NAME:$SEMVER + ARC_HELM_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY_HELM/$ARC_HELM_CHART_NAME:$SEMVER + LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$LINUX_REF_APP_GOLANG_IMAGE_TAG + LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$LINUX_REF_APP_PYTHON_IMAGE_TAG + WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$WIN_REF_APP_GOLANG_IMAGE_TAG + WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME=$ACR_REGISTRY$ACR_REPOSITORY:$WIN_REF_APP_PYTHON_IMAGE_TAG + + echo "##vso[build.updatebuildnumber]$SEMVER" + echo "##vso[task.setvariable variable=SEMVER;isOutput=true]$SEMVER" + echo "##vso[task.setvariable variable=LINUX_FULL_IMAGE_NAME;isOutput=true]$LINUX_FULL_IMAGE_NAME" + echo "##vso[task.setvariable 
variable=TARGET_ALLOCATOR_IMAGE_TAG;isOutput=true]$TARGET_ALLOCATOR_IMAGE_TAG" + echo "##vso[task.setvariable variable=TARGET_ALLOCATOR_FULL_IMAGE_NAME;isOutput=true]$TARGET_ALLOCATOR_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=LINUX_CONFIG_READER_FULL_IMAGE_NAME;isOutput=true]$LINUX_CONFIG_READER_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=WINDOWS_FULL_IMAGE_NAME;isOutput=true]$WINDOWS_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME;isOutput=true]$LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME;isOutput=true]$LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME;isOutput=true]$WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME;isOutput=true]$WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=WINDOWS_IMAGE_TAG;isOutput=true]$WINDOWS_IMAGE_TAG" + echo "##vso[task.setvariable variable=WINDOWS_2019_BASE_IMAGE_VERSION;isOutput=true]$WINDOWS_2019_BASE_IMAGE_VERSION" + echo "##vso[task.setvariable variable=WINDOWS_2022_BASE_IMAGE_VERSION;isOutput=true]$WINDOWS_2022_BASE_IMAGE_VERSION" + echo "##vso[task.setvariable variable=HELM_CHART_NAME;isOutput=true]$HELM_CHART_NAME" + echo "##vso[task.setvariable variable=ARC_HELM_CHART_NAME;isOutput=true]$ARC_HELM_CHART_NAME" + echo "##vso[task.setvariable variable=HELM_FULL_IMAGE_NAME;isOutput=true]$HELM_FULL_IMAGE_NAME" + echo "##vso[task.setvariable variable=ARC_HELM_FULL_IMAGE_NAME;isOutput=true]$ARC_HELM_FULL_IMAGE_NAME" + displayName: 'Build: set image registry, repo, and tags' + name: setup + + - bash: | + cd $(Build.SourcesDirectory)/.pipelines/deployment/ServiceGroupRoot/Scripts + cp ../../../../otelcollector/deploy/chart/prometheus-collector prometheus-collector -r + cp 
../../../../otelcollector/deploy/addon-chart/azure-monitor-metrics-addon ama-metrics-arc -r + export MCR_REPOSITORY='/azuremonitor/containerinsights/ciprod/prometheus-collector/images' + export MCR_REPOSITORY_HELM_DEPENDENCIES='/azuremonitor/containerinsights/ciprod' + export HELM_SEMVER=$SETUP_SEMVER + export IMAGE_TAG=$SETUP_SEMVER + export IMAGE_TAG_WINDOWS=$SETUP_WINDOWS_IMAGE_TAG + env + + envsubst < prometheus-collector/Chart-template.yaml > prometheus-collector/Chart.yaml && envsubst < prometheus-collector/values-template.yaml > prometheus-collector/values.yaml + export ARC_EXTENSION=true + export HELM_CHART_NAME=$ARC_HELM_CHART_NAME + envsubst < ama-metrics-arc/Chart-template.yaml > ama-metrics-arc/Chart.yaml && envsubst < ama-metrics-arc/values-template.yaml > ama-metrics-arc/values.yaml + tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh pushChartToAcr.sh prometheus-collector ama-metrics-arc + + cd $(Build.ArtifactStagingDirectory) + cp $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon azure-monitor-metrics-addon -r + export HELM_CHART_NAME="ama-metrics" + export ARC_EXTENSION=false + export AKS_REGION="westeurope" + export AKS_RESOURCE_ID="/subscriptions/9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb/resourceGroups/ci-prod-aks-mac-weu-rg/providers/Microsoft.ContainerService/managedClusters/ci-prod-aks-mac-weu" + envsubst < azure-monitor-metrics-addon/Chart-template.yaml > azure-monitor-metrics-addon/Chart.yaml && envsubst < azure-monitor-metrics-addon/values-template.yaml > azure-monitor-metrics-addon/values.yaml + displayName: 'Ev2: package artifacts.tar.gz for prod release' + + - bash: | + cd $(Build.SourcesDirectory)/.pipelines/deployment/arc-extension-release/ServiceGroupRoot/Scripts + tar -czvf ../extension-artifacts.tar.gz arcExtensionRelease.sh + displayName: 'Ev2: package extension-artifacts.tar.gz for prod release' + + - task: CredScan@3 + displayName: "SDL : Run credscan" + + - task: CopyFiles@2 + displayName: "Ev2: 
copy Ev2 deployment artifacts to staging directory" + inputs: + SourceFolder: "$(Build.SourcesDirectory)/.pipelines/deployment" + Contents: | + **/* + TargetFolder: '$(Build.ArtifactStagingDirectory)/deploy' + + - task: CopyFiles@2 + displayName: "Copy Files for 'Ev2: publish Ev2 deployment artifacts' publish task" + inputs: + SourceFolder: '$(Build.ArtifactStagingDirectory)' + Contents: '**' + TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/drop + + - job: Linux_Golang_Reference_App + displayName: "Build: linux golang reference app image" + pool: + name: Azure-Pipelines-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - name: skipComponentGovernanceDetection + value: true + - name: LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME'] ] + # This is necessary because of: https://github.com/moby/moby/issues/37965 + - name: DOCKER_BUILDKIT + value: 1 + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) + steps: + - checkout: self + persistCredentials: true + - bash: | + mkdir -p $(Build.ArtifactStagingDirectory)/refappgolanglinux + + docker buildx create --name dockerbuilder + docker buildx use dockerbuilder + docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker buildx build . 
--file linux/Dockerfile -t $(LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/refappgolanglinux/metadata.json --push + docker pull $(LINUX_REF_APP_GOLANG_FULL_IMAGE_NAME) + workingDirectory: $(Build.SourcesDirectory)/internal/referenceapp/golang + displayName: "Build: build and push reference app golang linux image to dev ACR" + + - job: Linux_Python_Reference_App + displayName: "Build: linux python reference app image" + pool: + name: Azure-Pipelines-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - name: skipComponentGovernanceDetection + value: true + - name: LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME'] ] + - name: DOCKER_BUILDKIT + value: 1 + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) + steps: + - checkout: self + persistCredentials: true + - bash: | + mkdir -p $(Build.ArtifactStagingDirectory)/refapppythonlinux + + docker buildx create --name dockerbuilder + docker buildx use dockerbuilder + docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker buildx build . 
--file linux/Dockerfile -t $(LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/refapppythonlinux/metadata.json --push + docker pull $(LINUX_REF_APP_PYTHON_FULL_IMAGE_NAME) + workingDirectory: $(Build.SourcesDirectory)/internal/referenceapp/python + displayName: "Build: build and push reference app python linux image to dev ACR" + + - job: Golang_Windows_Reference_App + displayName: "Build: windows golang reference app image" + pool: + name: Azure-Pipelines-Windows-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - name: WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME'] ] + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) + steps: + - powershell: | + docker build . 
--isolation=hyperv --file windows/Dockerfile -t $(WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME) + docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker push $(WINDOWS_REF_APP_GOLANG_FULL_IMAGE_NAME) + displayName: "Build: build and push reference app golang windows image to dev ACR" + workingDirectory: $(Build.SourcesDirectory)/internal/referenceapp/golang + + - job: Windows_Python_Reference_App + displayName: "Build: windows python reference app image" + pool: + name: Azure-Pipelines-Windows-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - name: WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME'] ] + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) + steps: + - powershell: | + docker build . 
--isolation=hyperv --file windows/Dockerfile -t $(WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME) + docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker push $(WINDOWS_REF_APP_PYTHON_FULL_IMAGE_NAME) + displayName: "Build: build and push reference app python windows image to dev ACR" + workingDirectory: $(Build.SourcesDirectory)/internal/referenceapp/python\ + + - job: SDL_Policheck_Scan + displayName: "SDL: policheck scanning" + pool: + name: Azure-Pipelines-Windows-CI-Test-EO + variables: + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - checkout: self + submodules: true + + - task: PoliCheck@2 + displayName: "SDL : Run PoliCheck" + inputs: + targetType: 'F' + targetArgument: '$(Build.SourcesDirectory)' + + - job: SDL_Binary_Scan + displayName: "SDL: linux binary scanning" + pool: + name: Azure-Pipelines-CI-Test-EO + variables: + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - checkout: self + submodules: true + + - task: CodeQL3000Init@0 + displayName: 'SDL: init codeql' + + - task: GoTool@0 + displayName: "Build: specify golang version" + inputs: + version: '1.21.5' + + - bash: | + sudo apt-get install build-essential -y + make + workingDirectory: $(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/ + displayName: "SDL: build otelcollector, promconfigvalidator, targetallocator, and fluent-bit plugin for scanning" + retryCountOnTaskFailure: 1 + + - task: BinSkim@4 + displayName: 'SDL: run binskim' + inputs: + InputType: 'CommandLine' + arguments: 'analyze --rich-return-code $(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/otelcollector $(Build.SourcesDirectory)/otelcollector/prom-config-validator-builder/promconfigvalidator 
$(Build.SourcesDirectory)/otelcollector/otel-allocator/targetallocator $(Build.SourcesDirectory)/otelcollector/fluent-bit/src/out_appinsights.so' + retryCountOnTaskFailure: 1 + + - task: Gosec@1 + displayName: 'SDL: run gosec' + inputs: + targetPattern: 'gosecPattern' + targetGosecPattern: '$(Build.SourcesDirectory)/otelcollector' + retryCountOnTaskFailure: 1 + + - bash: | + wget https://github.com/microsoft/DevSkim/releases/download/v0.6.9/DevSkim_linux_0.6.9.zip + unzip DevSkim_linux_0.6.9.zip + chmod 775 DevSkim_linux_0.6.9/devskim + ./DevSkim_linux_0.6.9/devskim analyze $(Build.SourcesDirectory)/otelcollector --ignore-globs **/deploy/dashboard/**,**/react/static/** --severity critical,important + displayName: 'SDL: run devskim' + workingDirectory: $(Build.SourcesDirectory) + retryCountOnTaskFailure: 1 + + - bash: | + sudo gem install brakeman -v 5.4.1 + brakeman $(Build.SourcesDirectory)/otelcollector/configmapparser --force + displayName: 'SDL: run brakeman' + retryCountOnTaskFailure: 1 + + - job: Linux_Prometheus_Collector + displayName: "Build: linux prometheus-collector image" + pool: + name: Azure-Pipelines-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - name: LINUX_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.LINUX_FULL_IMAGE_NAME'] ] + - name: DOCKER_BUILDKIT + value: 1 + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - checkout: self + submodules: true + + - task: CodeQL3000Init@0 + displayName: 'SDL: init codeql' + + - task: GoTool@0 + displayName: "Build: specify golang version" + inputs: + version: '1.20' + + - bash: | + mkdir -p $(Build.ArtifactStagingDirectory)/linux + + # Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx + sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static + docker system prune --volumes -y + + 
docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker run --rm --privileged multiarch/qemu-user-static --reset -p yes + + docker buildx create --name dockerbuilder + docker buildx use dockerbuilder + docker buildx build . --platform=linux/amd64,linux/arm64 --file ./build/linux/Dockerfile -t $(LINUX_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json --push + docker pull $(LINUX_FULL_IMAGE_NAME) + workingDirectory: $(Build.SourcesDirectory)/otelcollector/ + displayName: "Build: build and push image to dev ACR" + + - bash: | + MEDIA_TYPE=$(docker manifest inspect -v $(LINUX_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType') + DIGEST=$(docker manifest inspect -v $(LINUX_FULL_IMAGE_NAME) | jq '.Descriptor.digest') + SIZE=$(docker manifest inspect -v $(LINUX_FULL_IMAGE_NAME) | jq '.Descriptor.size') + cat <>$(Build.ArtifactStagingDirectory)/linux/payload.json + {"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}} + EOF + workingDirectory: $(Build.SourcesDirectory)/otelcollector/ + displayName: "Build: Set values in payload.json for signing" + condition: eq(variables.IS_MAIN_BRANCH, true) + + - task: EsrpCodeSigning@3 + displayName: "ESRP CodeSigning for Prometheus" + inputs: + ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages" + FolderPath: $(Build.ArtifactStagingDirectory)/linux/ + Pattern: "*.json" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-469451", + "operationSetCode": "NotaryCoseSign", + "parameters": [ + { + "parameterName": "CoseFlags", + "parameterValue": "chainunprotected" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + + - bash: | + set -euxo pipefail + curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz" + mkdir -p oras-install/ + tar -zxf oras_1.0.0_*.tar.gz -C oras-install/ + sudo mv oras-install/oras /usr/local/bin/ + rm -rf oras_1.0.0_*.tar.gz 
oras-install/ + oras attach $(LINUX_FULL_IMAGE_NAME) \ + --artifact-type 'application/vnd.cncf.notary.signature' \ + ./payload.json:application/cose \ + -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]" + workingDirectory: $(Build.ArtifactStagingDirectory)/linux/ + displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linux/" + condition: eq(variables.IS_MAIN_BRANCH, true) + + - bash: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(LINUX_FULL_IMAGE_NAME) + if [ $? -ne 0 ]; then + exit 1 + fi + trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(KUBE_STATE_METRICS_IMAGE) + if [ $? -ne 0 ]; then + exit 1 + fi + trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(NODE_EXPORTER_IMAGE) + if [ $? 
-ne 0 ]; then + exit 1 + fi + workingDirectory: $(Build.SourcesDirectory) + displayName: "Build: run trivy scan" + + - task: CodeQL3000Finalize@0 + displayName: 'SDL: run codeql' + + - task: ComponentGovernanceComponentDetection@0 + displayName: "SDL: run component governance" + inputs: + scanType: 'Register' + verbosity: 'Verbose' + dockerImagesToScan: '$(LINUX_FULL_IMAGE_NAME)' + alertWarningLevel: 'High' + sourceScanPath: '$(Build.SourcesDirectory)/otelcollector' + ignoreDirectories: '$(Build.SourcesDirectory)/mixins,$(Build.SourcesDirectory)/tools,$(Build.SourcesDirectory)/otelcollector/react' + + - task: SdtReport@2 + displayName: 'SDL: generate report' + inputs: + GdnExportAllTools: false + GdnExportGdnToolBinSkim: true + GdnExportGdnToolBinSkimSeverity: 'Note' + GdnExportGdnToolGosec: true + GdnExportGdnToolGosecSeverity: 'Note' + GdnExportGdnToolSemmle: true + GdnExportGdnToolSemmleSeverity: 'Note' + + - task: PublishSecurityAnalysisLogs@3 + displayName: 'SDL: publish report' + inputs: + ArtifactName: 'CodeAnalysisLogs' + ArtifactType: 'Container' + PublishProcessedResults: true + AllTools: true + ToolLogsNotFoundAction: 'Standard' + + - task: CopyFiles@2 + displayName: "Copy Files for 'Ev2: Publish image artifacts' publish task" + condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) + inputs: + SourceFolder: '$(Build.ArtifactStagingDirectory)' + Contents: '**' + TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/drop + + - task: PostAnalysis@2 + displayName: 'SDL: Post-Build Analysis' + inputs: + GdnBreakAllTools: false + GdnBreakGdnToolBinSkim: true + GdnBreakGdnToolBinSkimSeverity: 'Warning' + GdnBreakGdnToolGosec: true + GdnBreakGdnToolGosecSeverity: 'Warning' + GdnBreakGdnToolSemmle: true + GdnBreakGdnToolSemmleSeverity: 'Warning' + + - job: Linux_Target_Allocator + displayName: "Build: target allocator image" + pool: + name: Azure-Pipelines-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - 
name: TARGET_ALLOCATOR_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.TARGET_ALLOCATOR_FULL_IMAGE_NAME'] ] + - name: DOCKER_BUILDKIT + value: 1 + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - checkout: self + persistCredentials: true + - bash: | + mkdir -p $(Build.ArtifactStagingDirectory)/targetallocator + + # Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx + sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static + docker run --rm --privileged multiarch/qemu-user-static --reset -p yes + + docker buildx create --name dockerbuilder + docker buildx use dockerbuilder + docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker buildx build . --platform=linux/amd64,linux/arm64 --file Dockerfile -t $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/targetallocator/metadata.json --push + docker pull $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) + MEDIA_TYPE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType') + DIGEST=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.digest') + SIZE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.size') + cat <>$(Build.ArtifactStagingDirectory)/targetallocator/payload.json + {"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}} + EOF + workingDirectory: $(Build.SourcesDirectory)/otelcollector/otel-allocator + displayName: "Build: build and push target allocator image to dev ACR" + + - bash: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + trivy image --ignore-unfixed --no-progress --severity 
HIGH,CRITICAL,MEDIUM --exit-code 1 $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) + workingDirectory: $(Build.SourcesDirectory) + displayName: "Build: run trivy scan" + + + - task: EsrpCodeSigning@3 + displayName: "ESRP CodeSigning for TargetAllocator" + inputs: + ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages" + FolderPath: $(Build.ArtifactStagingDirectory)/targetallocator/ + Pattern: "*.json" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-469451", + "operationSetCode": "NotaryCoseSign", + "parameters": [ + { + "parameterName": "CoseFlags", + "parameterValue": "chainunprotected" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + + - bash: | + set -euxo pipefail + curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz" + mkdir -p oras-install/ + tar -zxf oras_1.0.0_*.tar.gz -C oras-install/ + sudo mv oras-install/oras /usr/local/bin/ + rm -rf oras_1.0.0_*.tar.gz oras-install/ + oras attach $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) \ + --artifact-type 'application/vnd.cncf.notary.signature' \ + ./payload.json:application/cose \ + -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]" + workingDirectory: $(Build.ArtifactStagingDirectory)/targetallocator/ + displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/targetallocator/" + condition: eq(variables.IS_MAIN_BRANCH, true) + + - job: Linux_Config_Reader + displayName: "Build: config reader image" + pool: + name: Azure-Pipelines-CI-Test-EO + dependsOn: Image_Tags_and_Ev2_Artifacts + variables: + - name: LINUX_CONFIG_READER_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.LINUX_CONFIG_READER_FULL_IMAGE_NAME'] ] + - name: DOCKER_BUILDKIT + value: 1 + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - bash: | + mkdir -p 
$(Build.ArtifactStagingDirectory)/linuxcfgreader + + # Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx + sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static + docker run --rm --privileged multiarch/qemu-user-static --reset -p yes + + docker buildx create --name dockerbuilder + docker buildx use dockerbuilder + docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) + docker buildx build . --platform=linux/amd64,linux/arm64 --file ./build/linux/configuration-reader/Dockerfile -t $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/configuration-reader/metadata.json --push + docker pull $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) + MEDIA_TYPE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType') + DIGEST=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.digest') + SIZE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.size') + cat <>$(Build.ArtifactStagingDirectory)/linuxcfgreader/payload.json + {"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}} + EOF + workingDirectory: $(Build.SourcesDirectory)/otelcollector/ + displayName: "Build: build and push configuration reader image to dev ACR" + + - bash: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) + workingDirectory: $(Build.SourcesDirectory) + displayName: "Build: run trivy scan" + + - task: EsrpCodeSigning@3 + displayName: "ESRP CodeSigning for Config Reader" + inputs: + ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages" + FolderPath: 
$(Build.ArtifactStagingDirectory)/linuxcfgreader/ + Pattern: "*.json" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-469451", + "operationSetCode": "NotaryCoseSign", + "parameters": [ + { + "parameterName": "CoseFlags", + "parameterValue": "chainunprotected" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + + - bash: | + set -euxo pipefail + curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz" + mkdir -p oras-install/ + tar -zxf oras_1.0.0_*.tar.gz -C oras-install/ + sudo mv oras-install/oras /usr/local/bin/ + rm -rf oras_1.0.0_*.tar.gz oras-install/ + oras attach $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) \ + --artifact-type 'application/vnd.cncf.notary.signature' \ + ./payload.json:application/cose \ + -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]" + workingDirectory: $(Build.ArtifactStagingDirectory)/linuxcfgreader/ + displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linuxcfgreader/" + condition: eq(variables.IS_MAIN_BRANCH, true) + + - job: Windows2019_Prometheus_Collector + displayName: "Build: windows 2019 prometheus-collector image" + pool: + name: Azure-Pipelines-Windows-CI-Test-EO + timeoutInMinutes: 120 + dependsOn: + - Image_Tags_and_Ev2_Artifacts + variables: + - name: WINDOWS_FULL_IMAGE_NAME + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_FULL_IMAGE_NAME'] ] + - name: WINDOWS_2019_BASE_IMAGE_VERSION + value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_2019_BASE_IMAGE_VERSION'] ] + - name: skipComponentGovernanceDetection + value: true + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + steps: + - task: GoTool@0 + displayName: "Build: specify golang version" + inputs: + version: '1.20' + + - powershell: | + ./makefile_windows.ps1 + workingDirectory: 
$(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/
+ displayName: "Build: build otelcollector, promconfigvalidator, and fluent-bit plugin"
+
+ - powershell: |
+ docker build . --isolation=hyperv --file ./build/windows/Dockerfile -t $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION) --build-arg WINDOWS_VERSION=$(WINDOWS_2019_BASE_IMAGE_VERSION)
+ workingDirectory: $(Build.SourcesDirectory)/otelcollector/
+ displayName: "Build: build WS2019 image"
+ retryCountOnTaskFailure: 2
+
+ - powershell: |
+ docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
+ docker push $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION)
+ displayName: "Build: push image to dev ACR"
+
+ - job: Windows2022_Prometheus_Collector
+ displayName: "Build: windows 2022 prometheus-collector image"
+ pool:
+ name: Azure-Pipelines-Windows-CI-Test-EO
+ timeoutInMinutes: 120
+ dependsOn:
+ - Image_Tags_and_Ev2_Artifacts
+ variables:
+ - name: WINDOWS_FULL_IMAGE_NAME
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_FULL_IMAGE_NAME'] ]
+ - name: WINDOWS_2022_BASE_IMAGE_VERSION
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_2022_BASE_IMAGE_VERSION'] ]
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ steps:
+ - task: GoTool@0
+ displayName: "Build: specify golang version"
+ inputs:
+ version: '1.20'
+
+ - powershell: |
+ ./makefile_windows.ps1
+ workingDirectory: $(Build.SourcesDirectory)/otelcollector/opentelemetry-collector-builder/
+ displayName: "Build: build otelcollector, promconfigvalidator, and fluent-bit plugin"
+
+ - powershell: |
+ docker build . 
--isolation=hyperv --file ./build/windows/Dockerfile -t $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION) --build-arg WINDOWS_VERSION=$(WINDOWS_2022_BASE_IMAGE_VERSION)
+ workingDirectory: $(Build.SourcesDirectory)/otelcollector/
+ displayName: "Build: build WS2022 image"
+ retryCountOnTaskFailure: 2
+
+ - powershell: |
+ docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
+ docker push $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)
+ displayName: "Build: push image to dev ACR"
+
+ - job: WindowsMultiArch_Prometheus_Collector
+ displayName: "Build: windows multi-arch prometheus-collector image"
+ pool:
+ name: Azure-Pipelines-Windows-CI-Test-EO
+ timeoutInMinutes: 120
+ dependsOn:
+ - Image_Tags_and_Ev2_Artifacts
+ - Windows2019_Prometheus_Collector
+ - Windows2022_Prometheus_Collector
+ variables:
+ - name: WINDOWS_IMAGE_TAG
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_IMAGE_TAG'] ]
+ - name: WINDOWS_FULL_IMAGE_NAME
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_FULL_IMAGE_NAME'] ]
+ - name: WINDOWS_2019_BASE_IMAGE_VERSION
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_2019_BASE_IMAGE_VERSION'] ]
+ - name: WINDOWS_2022_BASE_IMAGE_VERSION
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_2022_BASE_IMAGE_VERSION'] ]
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ steps:
+ - task: GoTool@0
+ displayName: "Build: specify golang version"
+ inputs:
+ version: '1.20'
+
+ - bash: |
+ export ACR_REPOSITORY_VAR="$(ACR_REPOSITORY)"
+ export ACR_REPOSITORY_WITHOUT_SLASH="${ACR_REPOSITORY_VAR:1}"
+
+ export WINDOWS_2019_TAG="$(WINDOWS_IMAGE_TAG)-$(WINDOWS_2019_BASE_IMAGE_VERSION)"
+ docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
+ docker pull 
$(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION)
+ if [ $? -ne 0 ]; then
+ echo "Failed to pull $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION). Checking if MCR image is published."
+ IMAGES_ARE_PUBLISHED=0
+ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+ do
+ output=$(curl -s https://$(MCR_REGISTRY)/v2$(MCR_REPOSITORY)/tags/list)
+ if (echo $output | grep $WINDOWS_2019_TAG)
+ then
+ echo "Images are published to mcr"
+ IMAGES_ARE_PUBLISHED=1
+ break
+ fi
+ sleep 30
+ done
+ if [ IMAGES_ARE_PUBLISHED -eq 0 ]; then
+ echo "Images are not published to mcr within the timeout"
+ exit 1
+ fi
+
+ az acr import --name $(ACR_REGISTRY) --source $(MCR_REGISTRY)$(MCR_REPOSITORY):$(IMAGE_TAG) --image $(ACR_REPOSITORY_WITHOUT_SLASH):$(WINDOWS_2019_TAG)
+ fi
+
+ export WINDOWS_2022_TAG="$(WINDOWS_IMAGE_TAG)-$(WINDOWS_2022_BASE_IMAGE_VERSION)"
+ docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
+ docker pull $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)
+ if [ $? -ne 0 ]; then
+ echo "Failed to pull $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION). Checking if MCR image is published." 
+ IMAGES_ARE_PUBLISHED=0
+ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+ do
+ output=$(curl -s https://$(MCR_REGISTRY)/v2$(MCR_REPOSITORY)/tags/list)
+ if (echo $output | grep $WINDOWS_2022_TAG)
+ then
+ echo "Images are published to mcr"
+ IMAGES_ARE_PUBLISHED=1
+ break
+ fi
+ sleep 30
+ done
+ if [ IMAGES_ARE_PUBLISHED -eq 0 ]; then
+ echo "Images are not published to mcr within the timeout"
+ exit 1
+ fi
+
+ az acr import --name $(ACR_REGISTRY) --source $(MCR_REGISTRY)$(MCR_REPOSITORY):$(IMAGE_TAG) --image $(ACR_REPOSITORY_WITHOUT_SLASH):$(WINDOWS_2022_TAG)
+ fi
+ displayName: "Build: ensure images are present in ACR"
+ retryCountOnTaskFailure: 3
+
+ - powershell: |
+ New-Item -Path "$(Build.ArtifactStagingDirectory)" -Name "windows" -ItemType "directory"
+ @{"image.name"="$(WINDOWS_FULL_IMAGE_NAME)"} | ConvertTo-Json -Compress | Out-File -Encoding ascii $(Build.ArtifactStagingDirectory)/windows/metadata.json
+ docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
+ docker manifest create $(WINDOWS_FULL_IMAGE_NAME) $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION) $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)
+ docker manifest push $(WINDOWS_FULL_IMAGE_NAME)
+ workingDirectory: $(Build.SourcesDirectory)/otelcollector/
+ displayName: "Build: Windows multi-arch manifest"
+
+ - powershell: |
+ $output = docker manifest inspect -v $(WINDOWS_FULL_IMAGE_NAME) | ConvertFrom-Json
+ $firstManifest = $output[0]
+ $MEDIA_TYPE = $firstManifest.Descriptor.mediaType
+ $DIGEST = $firstManifest.Descriptor.digest
+ $SIZE = $firstManifest.Descriptor.size
+ $payload = @{
+ targetArtifact = @{
+ mediaType = $MEDIA_TYPE
+ digest = $DIGEST
+ size = $SIZE
+ }
+ } | ConvertTo-Json
+
+ $payload | Out-File -FilePath "$(Build.ArtifactStagingDirectory)/windows/payload.json"
+ workingDirectory: $(Build.ArtifactStagingDirectory)/windows
+ displayName: "Build the payload json file"
+
+ - task: EsrpCodeSigning@3
+ 
displayName: 'ESRP CodeSigning for Prometheus'
+ inputs:
+ ConnectedServiceName: 'ESRPServiceConnectionForPrometheusImages'
+ FolderPath: '$(Build.ArtifactStagingDirectory)/windows'
+ Pattern: '*.json'
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [
+ {
+ "keyCode": "CP-469451",
+ "operationSetCode": "NotaryCoseSign",
+ "parameters": [
+ {
+ "parameterName": "CoseFlags",
+ "parameterValue": "chainunprotected"
+ }
+ ],
+ "toolName": "sign",
+ "toolVersion": "1.0"
+ }
+ ]
+
+ - powershell: |
+ curl.exe -sLO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_windows_amd64.zip"
+ $currentDirectory = Get-Location
+ Expand-Archive -Path $currentDirectory\oras_1.0.0_windows_amd64.zip -DestinationPath . -Force
+ New-Item -ItemType Directory -Force -Path $env:USERPROFILE\bin
+ Copy-Item -Path $currentDirectory\oras.exe -Destination "$env:USERPROFILE\bin\"
+ $env:PATH = "$env:USERPROFILE\bin;$env:PATH"
+ oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\""]
+ workingDirectory: $(Build.ArtifactStagingDirectory)/windows
+ displayName: "Download, install Oras and run oras attach"
+ condition: eq(variables.IS_MAIN_BRANCH, true)
+
+ - task: CopyFiles@2
+ condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
+ displayName: "Copy Files for 'Ev2: publish image artifacts' publish task"
+ inputs:
+ SourceFolder: '$(Build.ArtifactStagingDirectory)'
+ Contents: '**'
+ TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/drop
+
+ - job: Arc_Helm_Chart
+ displayName: "Package: Arc helm chart"
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ dependsOn:
+ - Image_Tags_and_Ev2_Artifacts
+ - Linux_Prometheus_Collector
+ variables:
+ - name: HELM_SEMVER
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.SEMVER'] ]
+ - name: IMAGE_TAG
+ value: $[ 
dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.SEMVER'] ]
+ - name: IMAGE_TAG_WINDOWS
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_IMAGE_TAG'] ]
+ - name: ARC_HELM_FULL_IMAGE_NAME
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.ARC_HELM_FULL_IMAGE_NAME'] ]
+ - name: ARC_EXTENSION
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ steps:
+ - task: HelmInstaller@1
+ displayName: 'Build: install Helm version'
+ inputs:
+ helmVersionToInstall: 3.12.3
+
+ - bash: |
+ export HELM_CHART_NAME=$ARC_HELM_CHART_NAME
+ envsubst < $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/Chart-template.yaml > $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/Chart.yaml && envsubst < $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values-template.yaml > $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values.yaml
+ helm version
+ displayName: "Build: substitute chart version in Chart.yaml and values.yaml"
+
+ - bash: |
+ helm dep update
+ workingDirectory: $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon
+ displayName: "Build: update helm dependencies"
+
+ - bash: |
+ helm package ./azure-monitor-metrics-addon/
+ workingDirectory: $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/
+ displayName: "Build: package helm chart"
+
+ - bash: |
+ helm registry login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD)
+ helm push $(ARC_HELM_CHART_NAME)-$(HELM_SEMVER).tgz oci://$(ACR_REGISTRY)$(ACR_REPOSITORY_HELM)
+ mkdir -p $(Build.ArtifactStagingDirectory)/arc-chart
+ echo {\"image.name\":\"$(ARC_HELM_FULL_IMAGE_NAME)\"} > $(Build.ArtifactStagingDirectory)/arc-chart/metadata.json
+ workingDirectory: 
$(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/
+ displayName: "Build: push helm chart to dev ACR"
+
+ - task: CopyFiles@2
+ displayName: "Copy Files for 'Ev2: publish helm chart artifacts' publish task"
+ condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
+ inputs:
+ SourceFolder: '$(Build.ArtifactStagingDirectory)'
+ Contents: '**'
+ TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/drop
+
+ - job: Deploy_Chart_ARC
+ displayName: "Deploy: Arc dev cluster"
+ condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ dependsOn:
+ - Image_Tags_and_Ev2_Artifacts
+ - Arc_Helm_Chart
+ variables:
+ - name: HELM_SEMVER
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.SEMVER'] ]
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ steps:
+ - bash: |
+ # Create JSON request body
+ cat < "request.json"
+ {
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ "westcentralus"
+ ],
+ "Releasetrains": [
+ "pipeline"
+ ],
+ "FullPathToHelmChart": "https://mcr.microsoft.com/azuremonitor/containerinsights/cidev/ama-metrics-arc",
+ "ExtensionUpdateFrequencyInMinutes": 5,
+ "IsCustomerHidden": true,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "Microsoft.AzureMonitor.Containers.Metrics-Prom041823"
+ }
+ ]
+ }
+ EOF
+
+ # Send Request
+ SUBSCRIPTION="b9842c7c-1a38-4385-8f39-a51314758bcf"
+ RESOURCE_AUDIENCE="c699bf69-fb1d-4eaf-999b-99e6b2ae4d85"
+ SPN_CLIENT_ID="9a4c55e9-576a-450a-88bd-53bd634db38d"
+ SPN_TENANT_ID="72f988bf-86f1-41af-91ab-2d7cd011db47"
+ METHOD="PUT"
+
+ echo "Request parameter preparation, SUBSCRIPTION is $SUBSCRIPTION, RESOURCE_AUDIENCE is $RESOURCE_AUDIENCE, CHART_VERSION is $HELM_SEMVER, SPN_CLIENT_ID is $SPN_CLIENT_ID, SPN_TENANT_ID is $SPN_TENANT_ID"
+
+ # MSI is not supported
+ echo "Login cli 
using spn"
+ az login --service-principal --username=$SPN_CLIENT_ID --password=$(ARC_SPN_SECRET) --tenant=$SPN_TENANT_ID
+ if [ $? -eq 0 ]; then
+ echo "Logged in successfully with spn"
+ else
+ echo "-e error failed to login to az with managed identity credentials"
+ exit 1
+ fi
+
+ ACCESS_TOKEN=$(az account get-access-token --resource $RESOURCE_AUDIENCE --query accessToken -o json)
+ if [ $? -eq 0 ]; then
+ echo "get access token from resource:$RESOURCE_AUDIENCE successfully."
+ else
+ echo "-e error get access token from resource:$RESOURCE_AUDIENCE failed."
+ exit 1
+ fi
+ ACCESS_TOKEN=$(echo $ACCESS_TOKEN | tr -d '"' | tr -d '"\r\n')
+
+ ARC_API_URL="https://eastus2euap.dp.kubernetesconfiguration.azure.com"
+ EXTENSION_NAME="microsoft.azuremonitor.containers.metrics"
+ API_VERSION="2021-05-01"
+
+ echo "start send request"
+ az rest --method $METHOD --headers "{\"Authorization\": \"Bearer $ACCESS_TOKEN\", \"Content-Type\": \"application/json\"}" --body @request.json --uri $ARC_API_URL/subscriptions/$SUBSCRIPTION/extensionTypeRegistrations/$EXTENSION_NAME/versions/$HELM_SEMVER?api-version=$API_VERSION
+ if [ $? -eq 0 ]; then
+ echo "arc extension registered successfully"
+ else
+ echo "-e error failed to register arc extension"
+ exit 1
+ fi
+ displayName: "Deploy: Release to dev release train"
+
+ - task: AzureCLI@2
+ displayName: "Deploy: wait for ci-dev-arc-wcus cluster to be ready"
+ inputs:
+ azureSubscription: 'ContainerInsights_Build_Subscription(9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb)'
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+ do
+ state=$(az k8s-extension show --name azuremonitor-metrics --cluster-name ci-dev-arc-wcus --resource-group ci-dev-arc-wcus --cluster-type connectedClusters | jq -r '.provisioningState')
+ # We want to wait in case the status is 'Creating' or 'Updating' because of another PR merged shortly before the current one. 
+ if [ "$state" = "Succeeded" ] || [ "$state" = "Failed" ]
+ then
+ echo "Cluster is ready to install extension"
+ exit 0
+ fi
+ sleep 30
+ done
+ echo "Cluster is installing a different version of the extension"
+ exit 1
+ retryCountOnTaskFailure: 5
+
+ - task: AzureCLI@2
+ displayName: "Deploy: ci-dev-arc-wcus cluster"
+ inputs:
+ azureSubscription: 'ContainerInsights_Build_Subscription(9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb)'
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ az config set extension.use_dynamic_install=yes_without_prompt
+ az k8s-extension update --name azuremonitor-metrics --resource-group ci-dev-arc-wcus --cluster-name ci-dev-arc-wcus --cluster-type connectedClusters --version $HELM_SEMVER --release-train pipeline
+
+ - job: Deploy_AKS_Chart
+ displayName: "Deploy: AKS dev cluster"
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
+ dependsOn:
+ - Image_Tags_and_Ev2_Artifacts
+ - Linux_Prometheus_Collector
+ - WindowsMultiArch_Prometheus_Collector
+ variables:
+ - name: HELM_CHART_NAME
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.HELM_CHART_NAME'] ]
+ - name: HELM_SEMVER
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.SEMVER'] ]
+ - name: IMAGE_TAG
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.SEMVER'] ]
+ - name: IMAGE_TAG_WINDOWS
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.WINDOWS_IMAGE_TAG'] ]
+ - name: HELM_FULL_IMAGE_NAME
+ value: $[ dependencies.Image_Tags_and_Ev2_Artifacts.outputs['setup.HELM_FULL_IMAGE_NAME'] ]
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ steps:
+ - checkout: self
+ submodules: true
+ persistCredentials: true
+
+ - bash: |
+ git config --global user.name "AzureDevOps Agent"
+ git tag "v$(HELM_SEMVER)"
+ git push origin 
"v$(HELM_SEMVER)"
+ displayName: Tag commit with semver
+
+ - task: HelmInstaller@1
+ displayName: Install Helm version
+ inputs:
+ helmVersionToInstall: 3.12.3
+ - bash: |
+ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+ do
+ sleep 30
+ echo $(MCR_REGISTRY)$(MCR_REPOSITORY):$(IMAGE_TAG_WINDOWS)
+ echo $(MCR_REGISTRY)$(MCR_REPOSITORY_HELM):$(IMAGE_TAG)
+
+ output=$(curl -s https://$(MCR_REGISTRY)/v2$(MCR_REPOSITORY)/tags/list)
+ if (echo $output | grep $(IMAGE_TAG_WINDOWS)) && (echo $output | grep $(IMAGE_TAG))
+ then
+ echo "Images are published to mcr"
+ exit 0
+ fi
+ done
+ echo "Images are not published to mcr within the timeout"
+ exit 1
+ displayName: "Check images are pushed to dev MCR"
+ retryCountOnTaskFailure: 5
+
+ - bash: |
+ export AKS_REGION="eastus"
+ export AKS_RESOURCE_ID="/subscriptions/9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb/resourceGroups/ci-dev-aks-mac-eus-rg/providers/Microsoft.ContainerService/managedClusters/ci-dev-aks-mac-eus"
+ export ARC_EXTENSION="false"
+ envsubst < $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/Chart-template.yaml > $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/Chart.yaml && envsubst < $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values-template.yaml > $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values.yaml
+ ls $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon
+ cd $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon
+ helm dependency update
+ displayName: "Build: substitute chart version for 3p in Chart.yaml and values.yaml"
+
+ - task: HelmDeploy@0
+ displayName: "Deploy: ci-dev-aks-mac-eus cluster"
+ inputs:
+ connectionType: 'Azure Resource Manager'
+ azureSubscription: 'ContainerInsights_Build_Subscription(9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb)'
+ azureResourceGroup: 
'ci-dev-aks-mac-eus-rg'
+ kubernetesCluster: 'ci-dev-aks-mac-eus'
+ namespace: 'default'
+ command: 'upgrade'
+ chartType: 'FilePath'
+ chartPath: '$(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/'
+ releaseName: 'ama-metrics'
+ waitForExecution: false
+ arguments: --dependency-update --values $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values.yaml
diff --git a/.pipelines/azure-pipeline-build.yml b/.pipelines/azure-pipeline-build.yml
index cca895a98..0840ec11f 100644
--- a/.pipelines/azure-pipeline-build.yml
+++ b/.pipelines/azure-pipeline-build.yml
@@ -1082,4 +1082,4 @@ jobs:
 chartPath: '$(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/'
 releaseName: 'ama-metrics'
 waitForExecution: false
- arguments: --dependency-update --values $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values.yaml
+ arguments: --dependency-update --values $(Build.SourcesDirectory)/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/values.yaml
\ No newline at end of file
diff --git a/.trivyignore b/.trivyignore
index 214aed770..7d97ef9f1 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -31,6 +31,7 @@ CVE-2023-3978
 CVE-2023-44487
 CVE-2023-50658
 CVE-2024-28110
+CVE-2024-27289
 # MEDIUM - go vulnerabilities
 # MEDIUM - mariner
 CVE-2023-5678
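Review bot: The new `CVE-2024-27289` entry in .trivyignore carries no rationale, owner or expiry, and it is placed just above the `# MEDIUM - go vulnerabilities` header rather than inside a labelled section, so a later reader cannot tell which component it covers or whether it was a false positive, an accepted risk or a temporary unblock while a fix ships. Because the pipeline's trivy step runs with `--exit-code 1`, every line in this file is a standing exemption from a build-breaking scan and deserves at least a one-line justification; a comment such as `# CVE-2024-27289 - <component placeholder>: <reason placeholder>, revisit by <date placeholder>` directly above the entry would do. Recent Trivy releases also accept a `.trivyignore.yaml` with per-entry `statement` and `expired_at` fields, which makes exemptions self-expiring and would suit this growing list better than the flat format.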