diff --git a/.gitignore b/.gitignore
index b0467519c..b6e2f8979 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,7 +23,7 @@ intermediate
 *.dll
 *.obj
 # ignore docker provider shell bundle
-kubernetes/linux/Linux_ULINUX_1.0_x64_64_Release
+kubernetes/linux/Linux_ULINUX_1.0_*_64_Release
 # ignore generated .h files for go
 source/plugins/go/src/*.h
 *_mock.go
diff --git a/.pipelines/azure_pipeline_dev.yaml b/.pipelines/azure_pipeline_dev.yaml
index ba8a530fc..395fafebf 100644
--- a/.pipelines/azure_pipeline_dev.yaml
+++ b/.pipelines/azure_pipeline_dev.yaml
@@ -4,7 +4,15 @@ # https://aka.ms/yaml trigger: -- ci_dev + batch: true + branches: + include: + - ci_dev + +pr: + branches: + include: + - ci_dev pool: name: Azure-Pipelines-CI-Test-EO
@@ -14,13 +22,14 @@ variables: subscription: '9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb' containerRegistry: 'containerinsightsprod' repoImageName: '${{ variables.containerRegistry }}.azurecr.io/public/azuremonitor/containerinsights/cidev' + IS_PR: $[eq(variables['Build.Reason'], 'PullRequest')] steps: - bash: | commit=$(git rev-parse --short HEAD) echo "##vso[task.setvariable variable=commit;]$commit" - datetime=$(date +'%Y%m%d%s') + datetime=$(date +'%m%d%Y') echo "##vso[task.setvariable variable=datetime;]$datetime" cd $(Build.SourcesDirectory)/deployment/multiarch-agent-deployment/ServiceGroupRoot/Scripts
@@ -42,7 +51,7 @@ steps: inputs: SourceFolder: "$(Build.SourcesDirectory)/.pipelines" Contents: | - *.sh + **/*.sh TargetFolder: '$(Build.ArtifactStagingDirectory)/build' - task: CopyFiles@2 
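Review bot: The new `datetime=$(date +'%m%d%Y')` drops the `%s` epoch-seconds component of the old format, so two runs of the same commit on the same day produce the identical tag `$(datetime)-$(commit)` and the later `--push` silently replaces the earlier image under that tag, which also leaves the generated manifest ambiguous about which image content it describes. The `%m%d%Y` order additionally does not sort chronologically in registry listings. If a shorter, readable tag is the intent, `%Y%m%d` keeps ordering and the build id restores uniqueness, e.g. `datetime=$(date +'%Y%m%d')-$(Build.BuildId)`. The same change appears in the prod pipeline hunk `@@ -14,13 +22,14 @@` below.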
@@ -88,12 +97,24 @@ steps: az account set -s ${{ variables.subscription }} az acr login -n ${{ variables.containerRegistry }} - docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) --push . + if [ "$(Build.Reason)" != "PullRequest" ]; then + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) --push . + + docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit) + else + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) . + fi - docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit) +- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 'Generation Task' + condition: eq(variables.IS_PR, true) + inputs: + BuildDropPath: '$(Build.ArtifactStagingDirectory)' + DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04' - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task' + condition: eq(variables.IS_PR, false) inputs: BuildDropPath: '$(Build.ArtifactStagingDirectory)' DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:$(datetime)-$(commit)'
diff --git a/.pipelines/azure_pipeline_prod.yaml b/.pipelines/azure_pipeline_prod.yaml
index 6f5d8bd45..e1c3a9db2 100644
--- a/.pipelines/azure_pipeline_prod.yaml
+++ b/.pipelines/azure_pipeline_prod.yaml 
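Review bot: With the `pr:` trigger this commit adds, PullRequest runs now execute the `az account set` and `az acr login` context lines directly above the new `if` even though the PR branch never pushes; unless the Dockerfile's base stage pulls from that registry, moving the login inside the non-PR branch (or gating the step on `IS_PR`) keeps registry write credentials out of PR jobs. The two `docker buildx build` invocations are identical except for `--push`, so the conditional can shrink to a flag: `push_flag=""`, `if [ "$(Build.Reason)" != "PullRequest" ]; then push_flag="--push"; fi`, followed by one `docker buildx build ... $push_flag .` with the `docker pull` behind the same test. A multi-platform build without `--push` or `--load` leaves no image in the local daemon, so the PR branch only validates that the Dockerfile builds; if that is intended, a one-line comment in the script saying so would save the next reader a trip to the buildx docs. The same structure is repeated in the prod pipeline hunk `@@ -88,12 +97,25 @@`.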
@@ -4,7 +4,15 @@ # https://aka.ms/yaml trigger: -- ci_prod + batch: true + branches: + include: + - ci_prod + +pr: + branches: + include: + - ci_prod pool: name: Azure-Pipelines-CI-Prod-EO
@@ -14,13 +22,14 @@ variables: subscription: '30c56c3a-54da-46ea-b004-06eb33432687' containerRegistry: 'containerinsightsbuild' repoImageName: '${{ variables.containerRegistry }}.azurecr.io/official/linux' + IS_PR: $[eq(variables['Build.Reason'], 'PullRequest')] steps: - bash: | commit=$(git rev-parse --short HEAD) echo "##vso[task.setvariable variable=commit;]$commit" - datetime=$(date +'%Y%m%d%s') + datetime=$(date +'%m%d%Y') echo "##vso[task.setvariable variable=datetime;]$datetime" cd $(Build.SourcesDirectory)/deployment/multiarch-agent-deployment/ServiceGroupRoot/Scripts 
@@ -88,12 +97,25 @@ steps: az account set -s ${{ variables.subscription }} az acr login -n ${{ variables.containerRegistry }} - docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) --push . + if [ "$(Build.Reason)" != "PullRequest" ]; then + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --push . + + docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) + else + docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json . + fi - docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task' + condition: eq(variables.IS_PR, true) + inputs: + BuildDropPath: '$(Build.ArtifactStagingDirectory)' + DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04' + +- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 'Generation Task' + condition: eq(variables.IS_PR, false) inputs: BuildDropPath: '$(Build.ArtifactStagingDirectory)' DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit)'
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index df8b04d19..e94bf71bb 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch 
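Review bot: Both new `docker buildx build` lines drop the `--build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit)` that the removed line passed, while the equivalent dev pipeline change keeps it; `kubernetes/linux/Dockerfile.multiarch` consumes that argument through `ENV AGENT_VERSION ${IMAGE_TAG}` (visible as context in the Dockerfile hunk of this commit), so prod images built from this commit would report an empty or default `AGENT_VERSION` even though they are tagged `ciprod-...`. Restore `--build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit)` on both the push and the PR invocation. Since the tag string is now spelled out four times in this step, assigning it once, `image_tag=ciprod-$(datetime)-$(commit)`, would have made the omission visible in review.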
@@ -35,5 +35,12 @@ ENV AGENT_VERSION ${IMAGE_TAG}
 WORKDIR ${tmpdir}
 RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
-CMD [ "/opt/main.sh" ]
+# Do vulnerability scan in a seperate stage to avoid adding layer
+FROM base_image AS vulnscan
+COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
+RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
+
+# Revert to base layer before vulnscan
+FROM base_image AS ContainerInsights
+CMD [ "/opt/main.sh" ]
\ No newline at end of file
diff --git a/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh b/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
index 580b158c9..638236507 100755
--- a/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
+++ b/kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh
@@ -138,7 +138,7 @@ echo "source code base directory: $baseDir"
 echo "build directory for docker provider: $buildDir"
 echo "docker file directory: $dockerFileDir"
-if [ "$multi" -eq "1" ]; then
+if [ -n "$multi" ] && [ "$multi" -eq "1" ]; then
 echo "building multiarch"
 cd $baseDir
 docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag -f $linuxDir/Dockerfile.multiarch --push .
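Review bot: The new `vulnscan` stage is never referenced by the final `ContainerInsights` stage, and BuildKit (which `docker buildx build` uses) builds only the stages the requested target depends on, so unless a build invokes `--target vulnscan` explicitly — and none of the `docker buildx build` lines in this commit do — the `trivy rootfs --exit-code 1` gate never executes and cannot fail the image build. Either add a separate `docker buildx build --target vulnscan ...` step ahead of the image build in both pipelines, or make the final stage depend on the scan (e.g. `COPY --from=vulnscan` of a stamp file the scan `RUN` writes), accepting the extra layer the comment wanted to avoid. `COPY --from=aquasec/trivy:latest` also ties the gate to a floating tag; referencing the scanner by digest (`aquasec/trivy@sha256:<pinned-digest>`) keeps scan results reproducible across builds. The added comment's `seperate` should read `separate`.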
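Review bot: The added `[ -n "$multi" ] &&` guard avoids the "integer expression expected" error for an unset `$multi`, but `-eq` still aborts the test when `$multi` holds a non-numeric value such as `true` or `yes`; a string comparison handles both cases in a single test: `if [ "$multi" = "1" ]; then`. The body of this `if` continues past the end of the hunk.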