Improve CI/CD for multi-arch

.gitignore

@@ -23,7 +23,7 @@ intermediate
 *.dll
 *.obj
 # ignore docker provider shell bundle
-kubernetes/linux/Linux_ULINUX_1.0_x64_64_Release
+kubernetes/linux/Linux_ULINUX_1.0_*_64_Release
 # ignore generated .h files for go
 source/plugins/go/src/*.h
 *_mock.go

.pipelines/azure_pipeline_dev.yaml

@@ -4,7 +4,15 @@
 # https://aka.ms/yaml
 
 trigger:
-- ci_dev
+  batch: true
+  branches:
+    include:
+    - ci_dev
+
+pr:
+  branches:
+    include:
+    - ci_dev
 
 pool:
   name: Azure-Pipelines-CI-Test-EO
@@ -14,13 +22,14 @@ variables:
   subscription: '9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb'
   containerRegistry: 'containerinsightsprod'
   repoImageName: '${{ variables.containerRegistry }}.azurecr.io/public/azuremonitor/containerinsights/cidev'
+  IS_PR: $[eq(variables['Build.Reason'], 'PullRequest')]
 
 steps:
 - bash: |
     commit=$(git rev-parse --short HEAD)
     echo "##vso[task.setvariable variable=commit;]$commit"
 
-    datetime=$(date +'%Y%m%d%s')
+    datetime=$(date +'%m%d%Y')
     echo "##vso[task.setvariable variable=datetime;]$datetime"
 
     cd $(Build.SourcesDirectory)/deployment/multiarch-agent-deployment/ServiceGroupRoot/Scripts
@@ -42,7 +51,7 @@ steps:
   inputs:
     SourceFolder: "$(Build.SourcesDirectory)/.pipelines"
     Contents: |
-      *.sh
+      **/*.sh
     TargetFolder: '$(Build.ArtifactStagingDirectory)/build'
 
 - task: CopyFiles@2
@@ -88,12 +97,24 @@ steps:
       az account set -s ${{ variables.subscription }}
       az acr login -n ${{ variables.containerRegistry }}
 
-      docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) --push .
+      if [ "$(Build.Reason)" != "PullRequest" ]; then
+        docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) --push .
+
+        docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit)
+      else
+        docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=$(datetime)-$(commit) .
+      fi
 
-      docker pull ${{ variables.repoImageName }}:$(datetime)-$(commit)
+- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+  displayName: 'Generation Task'
+  condition: eq(variables.IS_PR, true)
+  inputs:
+    BuildDropPath: '$(Build.ArtifactStagingDirectory)'
+    DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04'
 
 - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
   displayName: 'Generation Task'
+  condition: eq(variables.IS_PR, false)
   inputs:
     BuildDropPath: '$(Build.ArtifactStagingDirectory)'
     DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:$(datetime)-$(commit)'

.pipelines/azure_pipeline_prod.yaml

@@ -4,7 +4,15 @@
 # https://aka.ms/yaml
 
 trigger:
-- ci_prod
+  batch: true
+  branches:
+    include:
+    - ci_prod
+
+pr:
+  branches:
+    include:
+    - ci_prod
 
 pool:
   name: Azure-Pipelines-CI-Prod-EO
@@ -14,13 +22,14 @@ variables:
   subscription: '30c56c3a-54da-46ea-b004-06eb33432687'
   containerRegistry: 'containerinsightsbuild'
   repoImageName: '${{ variables.containerRegistry }}.azurecr.io/official/linux'
+  IS_PR: $[eq(variables['Build.Reason'], 'PullRequest')]
 
 steps:
 - bash: |
     commit=$(git rev-parse --short HEAD)
     echo "##vso[task.setvariable variable=commit;]$commit"
 
-    datetime=$(date +'%Y%m%d%s')
+    datetime=$(date +'%m%d%Y')
     echo "##vso[task.setvariable variable=datetime;]$datetime"
 
     cd $(Build.SourcesDirectory)/deployment/multiarch-agent-deployment/ServiceGroupRoot/Scripts
@@ -88,12 +97,25 @@ steps:
       az account set -s ${{ variables.subscription }}
       az acr login -n ${{ variables.containerRegistry }}
 
-      docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --build-arg IMAGE_TAG=ciprod-$(datetime)-$(commit) --push .
+      if [ "$(Build.Reason)" != "PullRequest" ]; then
+        docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json --push .
+
+        docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit)
+      else
+        docker buildx build --platform linux/amd64,linux/arm64 --tag ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit) -f kubernetes/linux/Dockerfile.multiarch --metadata-file $(Build.ArtifactStagingDirectory)/metadata.json .
+      fi
 
-      docker pull ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit)
 
 - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
   displayName: 'Generation Task'
+  condition: eq(variables.IS_PR, true)
+  inputs:
+    BuildDropPath: '$(Build.ArtifactStagingDirectory)'
+    DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04'
+
+- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+  displayName: 'Generation Task'
+  condition: eq(variables.IS_PR, false)
   inputs:
     BuildDropPath: '$(Build.ArtifactStagingDirectory)'
     DockerImagesToScan: 'golang:1.15.14, ubuntu:18.04, ${{ variables.repoImageName }}:ciprod-$(datetime)-$(commit)'

kubernetes/linux/Dockerfile.multiarch

@@ -35,5 +35,12 @@ ENV AGENT_VERSION ${IMAGE_TAG}
 WORKDIR ${tmpdir}
 
 RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
-CMD [ "/opt/main.sh" ]
 
+# Do vulnerability scan in a seperate stage to avoid adding layer
+FROM base_image AS vulnscan
+COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
+RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
+
+# Revert to base layer before vulnscan
+FROM base_image AS ContainerInsights
+CMD [ "/opt/main.sh" ]

kubernetes/linux/dockerbuild/build-and-publish-docker-image.sh

@@ -138,7 +138,7 @@ echo "source code base directory: $baseDir"
 echo "build directory for docker provider: $buildDir"
 echo "docker file directory: $dockerFileDir"
 
-if [ "$multi" -eq "1" ]; then
+if [ -n "$multi" ] && [ "$multi" -eq "1" ]; then
   echo "building multiarch"
   cd $baseDir
   docker buildx build --platform linux/arm64/v8,linux/amd64 -t $image --build-arg IMAGE_TAG=$imageTag -f $linuxDir/Dockerfile.multiarch --push .