diff --git a/.pipelines/azure-pipeline-build.yml b/.pipelines/azure-pipeline-build.yml
index 18ba8157..06b49033 100644
--- a/.pipelines/azure-pipeline-build.yml
+++ b/.pipelines/azure-pipeline-build.yml
@@ -1222,11 +1222,152 @@ stages: displayName: "Build: build otelcollector, promconfigvalidator, and fluent-bit plugin" - powershell: | - docker build . --isolation=hyperv --file ./build/windows/Dockerfile -t $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION) --build-arg WINDOWS_VERSION=$(WINDOWS_2019_BASE_IMAGE_VERSION) + docker build . --isolation=hyperv --file ./build/windows/Dockerfile -t $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION)-unsigned --build-arg WINDOWS_VERSION=$(WINDOWS_2019_BASE_IMAGE_VERSION) workingDirectory: $(Build.SourcesDirectory)/otelcollector/ displayName: "Build: build WS2019 image" retryCountOnTaskFailure: 2 + - task: PowerShell@2 + displayName: Extract files to sign + inputs: + targetType: 'inline' + script: | + echo "Creating docker container..." + docker create --name signingContainer $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION)-unsigned + + echo "Creating fist party directory..." + mkdir -p $(Build.ArtifactStagingDirectory)/fpSigning + cd $(Build.ArtifactStagingDirectory)/fpSigning + + echo "Extract LivenessProbe" + docker cp signingContainer:C:\opt\microsoft\scripts\livenessprobe.cmd . + + echo "Extract OtelCollector" + docker cp signingContainer:C:\opt\microsoft\otelcollector\otelcollector.exe . + + echo "Creating OSS directory..." + mkdir -p $(Build.ArtifactStagingDirectory)/ossSigning + cd $(Build.ArtifactStagingDirectory)/ossSigning + + echo "Extract fluent-bit" + docker cp signingContainer:C:\opt\fluent-bit . + + echo "Extract Ruby" + docker cp signingContainer:C:\ruby26 . + + echo "Extract telegraf" + docker cp signingContainer:C:\opt\telegraf\telegraf.exe . + + echo "Extract promconfigvalidator" + docker cp signingContainer:C:\opt\promconfigvalidator.exe . + + echo "Removing container..." + docker rm signingContainer + + echo "List ArtifactStagingDirectory" + ls $(Build.ArtifactStagingDirectory) + ls . 
+ + - script: dir $(Build.ArtifactStagingDirectory) + displayName: 'List files in Staging Directory' + + - task: EsrpCodeSigning@5 + inputs: + ConnectedServiceName: 'ESRPServiceConnectionPrometheus' + AppRegistrationClientId: '73f8d5f9-b507-497f-b698-4ed00fcba5a3' + AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47' + AuthAKVName: 'ESRPPrometheusKVProd' + AuthCertName: 'ESRPContainerImageSignCert' + AuthSignCertName: 'ESRPReqPrometheusProdCert' + FolderPath: '$(Build.ArtifactStagingDirectory)/fpSigning' + Pattern: '*.dll,*.exe,*.so,*.ps1' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + displayName: 'EsrpCodeSigning for first party binaries' + + - task: EsrpCodeSigning@5 + inputs: + ConnectedServiceName: 'ESRPServiceConnectionPrometheus' + AppRegistrationClientId: '73f8d5f9-b507-497f-b698-4ed00fcba5a3' + AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47' + AuthAKVName: 'ESRPPrometheusKVProd' + AuthCertName: 'ESRPContainerImageSignCert' + AuthSignCertName: 'ESRPReqPrometheusProdCert' + FolderPath: '$(Build.ArtifactStagingDirectory)/ossSigning' + Pattern: '*.dll,*.exe,*.so' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "Append" : "/as", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : 
"/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + displayName: 'EsrpCodeSigning for OSS binaries' + + - task: PowerShell@2 + displayName: Replace files in origin Image + inputs: + targetType: 'inline' + script: | + docker create --name pushContainer $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION)-unsigned + + echo "Copy Signed binaries/folders back to docker image..." + docker cp $(Build.ArtifactStagingDirectory)/fpSigning/livenessprobe.cmd pushContainer:C:\opt\microsoft\scripts\livenessprobe.cmd + docker cp $(Build.ArtifactStagingDirectory)/fpSigning/otelcollector.exe pushContainer:C:\opt\microsoft\otelcollector\otelcollector.exe + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/fluent-bit/. pushContainer:C:\opt\fluent-bit/ + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/ruby26/. pushContainer:C:\ruby26/ + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/telegraf.exe pushContainer:C:\opt\telegraf\telegraf.exe + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/promconfigvalidator.exe pushContainer:C:\opt\promconfigvalidator.exe + + docker commit pushContainer $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION) + docker rm pushContainer + - powershell: | docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) docker push $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION) 
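Review bot: In the "Replace files in origin Image" step a failed `docker cp` does not fail the task, because PowerShell keeps going after a native command returns non-zero and, with the task's default settings, only the exit code of the final `docker rm pushContainer` is reported. `docker commit` would then tag an image under the final name that still carries unsigned binaries, and the next step pushes it. Check the result after every docker call, for example `if ($LASTEXITCODE -ne 0) { throw "docker cp failed" }`, and consider a `Get-AuthenticodeSignature` check on the staged files before the commit. The WS2022 hunk repeats this script, and "Extract files to sign" has the same gap in both: if `docker create --name signingContainer` fails on a name conflict, the copies may come from a container left by an earlier run (this depends on agent reuse, which the diff does not show).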
@@ -1256,11 +1397,153 @@ stages: displayName: "Build: build otelcollector, promconfigvalidator, and fluent-bit plugin" - powershell: | - docker build . --isolation=hyperv --file ./build/windows/Dockerfile -t $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION) --build-arg WINDOWS_VERSION=$(WINDOWS_2022_BASE_IMAGE_VERSION) + docker build . --isolation=hyperv --file ./build/windows/Dockerfile -t $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)-unsigned --build-arg WINDOWS_VERSION=$(WINDOWS_2022_BASE_IMAGE_VERSION) workingDirectory: $(Build.SourcesDirectory)/otelcollector/ displayName: "Build: build WS2022 image" retryCountOnTaskFailure: 2 + - task: PowerShell@2 + displayName: Extract files to sign + inputs: + targetType: 'inline' + script: | + echo "Creating docker container..." + docker create --name signingContainer $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)-unsigned + + echo "Creating fist party directory..." + mkdir -p $(Build.ArtifactStagingDirectory)/fpSigning + cd $(Build.ArtifactStagingDirectory)/fpSigning + + echo "Extract LivenessProbe" + docker cp signingContainer:C:\opt\microsoft\scripts\livenessprobe.cmd . + + echo "Extract OtelCollector" + docker cp signingContainer:C:\opt\microsoft\otelcollector\otelcollector.exe . + + echo "Creating OSS directory..." + mkdir -p $(Build.ArtifactStagingDirectory)/ossSigning + cd $(Build.ArtifactStagingDirectory)/ossSigning + + echo "Extract fluent-bit" + docker cp signingContainer:C:\opt\fluent-bit . + + echo "Extract Ruby" + docker cp signingContainer:C:\ruby26 . + + echo "Extract telegraf" + docker cp signingContainer:C:\opt\telegraf\telegraf.exe . + + echo "Extract promconfigvalidator" + docker cp signingContainer:C:\opt\promconfigvalidator.exe . + + echo "Removing container..." + docker rm signingContainer + + echo "List ArtifactStagingDirectory" + ls $(Build.ArtifactStagingDirectory) + ls . 
+ + + - script: dir $(Build.ArtifactStagingDirectory) + displayName: 'List files in Staging Directory' + + - task: EsrpCodeSigning@5 + inputs: + ConnectedServiceName: 'ESRPServiceConnectionPrometheus' + AppRegistrationClientId: '73f8d5f9-b507-497f-b698-4ed00fcba5a3' + AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47' + AuthAKVName: 'ESRPPrometheusKVProd' + AuthCertName: 'ESRPContainerImageSignCert' + AuthSignCertName: 'ESRPReqPrometheusProdCert' + FolderPath: '$(Build.ArtifactStagingDirectory)/fpSigning' + Pattern: '*.dll,*.exe,*.so,*.ps1' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + displayName: 'EsrpCodeSigning for first party binaries' + + - task: EsrpCodeSigning@5 + inputs: + ConnectedServiceName: 'ESRPServiceConnectionPrometheus' + AppRegistrationClientId: '73f8d5f9-b507-497f-b698-4ed00fcba5a3' + AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47' + AuthAKVName: 'ESRPPrometheusKVProd' + AuthCertName: 'ESRPContainerImageSignCert' + AuthSignCertName: 'ESRPReqPrometheusProdCert' + FolderPath: '$(Build.ArtifactStagingDirectory)/ossSigning' + Pattern: '*.dll,*.exe,*.so' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "Append" : "/as", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" 
: "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + displayName: 'EsrpCodeSigning for OSS binaries' + + - task: PowerShell@2 + displayName: Replace files in origin Image + inputs: + targetType: 'inline' + script: | + docker create --name pushContainer $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)-unsigned + + echo "Copy Signed binaries/folders back to docker image..." + docker cp $(Build.ArtifactStagingDirectory)/fpSigning/livenessprobe.cmd pushContainer:C:\opt\microsoft\scripts\livenessprobe.cmd + docker cp $(Build.ArtifactStagingDirectory)/fpSigning/otelcollector.exe pushContainer:C:\opt\microsoft\otelcollector\otelcollector.exe + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/fluent-bit/. pushContainer:C:\opt\fluent-bit/ + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/ruby26/. pushContainer:C:\ruby26/ + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/telegraf.exe pushContainer:C:\opt\telegraf\telegraf.exe + docker cp $(Build.ArtifactStagingDirectory)/ossSigning/promconfigvalidator.exe pushContainer:C:\opt\promconfigvalidator.exe + + docker commit pushContainer $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION) + docker rm pushContainer + - powershell: | docker login containerinsightsprod.azurecr.io -u $(ACR_USERNAME) -p $(ACR_PASSWORD) docker push $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)
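Review bot: The WS2022 signing steps duplicate the WS2019 ones line for line apart from `$(WINDOWS_2022_BASE_IMAGE_VERSION)`, so the key codes, certificate names and the list of files copied out and back now live in two places and can drift apart. A change to what gets signed that reaches only one copy would ship the other image with different signing coverage without any failure. Moving the extract, sign and replace steps into one step template that takes the base-image version as a parameter would keep both images on the same signing path. While consolidating, add a comment that `livenessprobe.cmd` is staged in `fpSigning` but is not matched by `Pattern: '*.dll,*.exe,*.so,*.ps1'`, so it returns to the image unchanged; this applies to the WS2019 hunk as well.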