diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml
index 69dc054d2a..68cc705205 100644
--- a/.pipelines/azure_pipeline_mergedbranches.yaml
+++ b/.pipelines/azure_pipeline_mergedbranches.yaml
@@ -97,8 +97,12 @@ extends:
 tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh
 cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts
 tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights/ pushChartToAcr.sh
+ cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts
+ tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights/ pushChartToAcr.sh
 cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2/ServiceGroupRoot/Scripts
 tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh
+ cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts
+ tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh
 windowsAMAUrl=""
 if [ -z "$WINDOWS_AMA_URL" ]
 then
diff --git a/.pipelines/ci-arc-k8s-extension-prod-release.yaml b/.pipelines/ci-arc-k8s-extension-prod-release.yaml
index d790481872..08470e39ca 100644
--- a/.pipelines/ci-arc-k8s-extension-prod-release.yaml
+++ b/.pipelines/ci-arc-k8s-extension-prod-release.yaml
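Review bot: The two added `cd` commands into the `-Managed-SDP` script directories in `azure_pipeline_mergedbranches.yaml` are unchecked, so if either directory is absent the `tar -czvf ../artifacts.tar.gz ...` that follows runs from the previous directory and succeeds, and the Managed-SDP service group is left without a freshly built `artifacts.tar.gz` while the step still passes. Whether this inline script runs under `set -e` is not visible here, since the script starts and ends outside the hunk; if it does not, guard each new line, e.g. `cd "$(Build.SourcesDirectory)/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts" || exit 1`. The same applies to the `arc-k8s-extension-release-v2-Managed-SDP` pair. These archives appear to feed the release rollout, so failing hard at packaging time is preferable to discovering a missing or unexpected archive at deployment.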
@@ -1,1706 +1,1724 @@ -trigger: none -name: $(Date:yyyyMMdd).$(Rev:r) -variables: -- name: ACRName - value: $(VAR_ACR_NAME) -- name: ADMIN_SUBSCRIPTION_ID - value: $(VAR_ADMIN_SUBSCRIPTION_ID) -- name: CHART_VERSION - value: $(VAR_CHART_VERSION) -- name: IS_CUSTOMER_HIDDEN - value: $(VAR_IS_CUSTOMER_HIDDEN) -- name: MANAGED_IDENTITY - value: $(VAR_MANAGED_IDENTITY) -- name: REGISTER_REGIONS_CANARY - value: $(VAR_REGISTER_REGIONS_CANARY) -- name: RELEASE_TRAINS_PREVIEW_PATH - value: $(VAR_RELEASE_TRAINS_PREVIEW_PATH) -- name: RELEASE_TRAINS_STABLE_PATH - value: $(VAR_RELEASE_TRAINS_STABLE_PATH) -- name: RepoType - value: $(VAR_REPO_TYPE) -- name: RESOURCE_AUDIENCE - value: $(VAR_RESOURCE_AUDIENCE) -- name: ServiceTreeGuid - value: $(VAR_SERVICE_TREE_GUID) -- name: SPN_CLIENT_ID - value: $(VAR_SPN_CLIENT_ID) -- name: SPN_SECRET - value: '' -- name: SPN_TENANT_ID - value: $(VAR_SPN_TENANT_ID) -resources: - containers: [] - pipelines: - - pipeline: '_ci-arc-k8s-extension-prod-release' - project: 'microsoft' - source: 'CDPX\docker-provider\ContainerInsights-MultiArch-MergedBranches' - repositories: - - repository: 1ESPipelineTemplates - type: git - name: 1ESPipelineTemplates/1ESPipelineTemplates - ref: refs/tags/release -extends: - template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates - parameters: - settings: - networkIsolationPolicy: Permissive,CFSClean - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - sdl: - sourceAnalysisPool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - customBuildTags: - - ES365AIMigrationTooling - stages: - - stage: Stage_1 - displayName: ci-arc-k8s-extension-all-regions-prod-release(MCR) - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: 
Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent Job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: 
OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: 
$(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - 
condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension/ServiceGroupRoot/RolloutSpecs/Public.Pilot.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Pilot", "bindings": [ { "find": "__ACR_NAME__", "replaceWith": "$(ACRName)" }, { "find": "__REPO_TYPE__", "replaceWith": "$(RepoType)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] }' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - 
value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent Job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Stage_2 - displayName: Pilot Regions - trigger: manual - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - 
- name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: 
validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: 
CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": 
"Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Wait_After_Stage_2 - displayName: Wait after Pilot Region - dependsOn: Stage_2 - jobs: - - job: WaitJob - displayName: Wait for Bake Time - timeoutInMinutes: 1600 - pool: server 
- steps: - - task: Delay@1 - inputs: - delayForMinutes: 1500 - - stage: Stage_3 - displayName: Light Load Region - dependsOn: - - Wait_After_Stage_2 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - 
environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: 
specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - 
FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", 
"replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus,southcentralus,southeastasia,uksouth" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Wait_After_Stage_3 - displayName: Wait after Light Load Region - dependsOn: Stage_3 - jobs: - - job: WaitJob - displayName: Wait for Bake Time - timeoutInMinutes: 1600 - pool: server - steps: - - task: Delay@1 - inputs: - delayForMinutes: 1500 - - stage: Stage_4 - displayName: Medium Load Region - dependsOn: - - Wait_After_Stage_3 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: 
windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - 
variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - 
pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 
1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { 
"find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Wait_After_Stage_4 - displayName: Wait after Medium Load Region - dependsOn: Stage_4 - jobs: - - job: WaitJob - displayName: Wait for Bake Time - timeoutInMinutes: 1600 - pool: server - steps: - - task: Delay@1 - inputs: - delayForMinutes: 1500 - - stage: Stage_5 - displayName: High Load Region - dependsOn: - - Wait_After_Stage_4 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: 
Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: 
OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: 
$(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - 
condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": 
"westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Stage_6 - displayName: 'Fairfax & Mooncake: Create Escort JIT' - trigger: manual - pool: - name: 
Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: Job_1 - displayName: Agentless job - condition: succeeded() - timeoutInMinutes: 7200 - pool: - name: server - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - steps: [] - - stage: Stage_7 - displayName: Fairfax Region Testing - trigger: manual - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: 
windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider 
- path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 
Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", 
"replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia,usgovvirginia" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - 
value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) +trigger: none +name: $(Date:yyyyMMdd).$(Rev:r) +variables: +- name: ACRName + value: $(VAR_ACR_NAME) +- name: ADMIN_SUBSCRIPTION_ID + value: $(VAR_ADMIN_SUBSCRIPTION_ID) +- name: CHART_VERSION + value: $(VAR_CHART_VERSION) +- name: IS_CUSTOMER_HIDDEN + value: $(VAR_IS_CUSTOMER_HIDDEN) +- name: MANAGED_IDENTITY + value: $(VAR_MANAGED_IDENTITY) +- name: REGISTER_REGIONS_CANARY + value: $(VAR_REGISTER_REGIONS_CANARY) +- name: RELEASE_TRAINS_PREVIEW_PATH + value: $(VAR_RELEASE_TRAINS_PREVIEW_PATH) +- name: RELEASE_TRAINS_STABLE_PATH + value: $(VAR_RELEASE_TRAINS_STABLE_PATH) +- name: RepoType + value: $(VAR_REPO_TYPE) +- name: RESOURCE_AUDIENCE + value: $(VAR_RESOURCE_AUDIENCE) +- name: ServiceTreeGuid + value: $(VAR_SERVICE_TREE_GUID) +- name: SPN_CLIENT_ID + value: $(VAR_SPN_CLIENT_ID) +- name: SPN_SECRET + value: '' +- name: SPN_TENANT_ID + value: $(VAR_SPN_TENANT_ID) +- name: REGISTER_REGIONS_BATCH + value: '' +- name: RELEASE_STAGE_NAME + value: 'Stable' +- name: configurationOverrides + value: 
'{"ConfigurationSpecification":{"Settings":{"adminSubscriptionId":"$(ADMIN_SUBSCRIPTION_ID)","chartVersion":"$(CHART_VERSION)","isCustomerHidden":"$(IS_CUSTOMER_HIDDEN)","registerRegionsCanary":"$(REGISTER_REGIONS_CANARY)","releaseTrainsPreviewPath":"$(RELEASE_TRAINS_PREVIEW_PATH)","releaseTrainsStablePath":"$(RELEASE_TRAINS_STABLE_PATH)","registerRegionsBatch":"$(REGISTER_REGIONS_BATCH)","resourceAudience":"$(RESOURCE_AUDIENCE)","spnClientId":"$(SPN_CLIENT_ID)","spnSecret":"$(SPN_SECRET)","spnTenantId":"$(SPN_TENANT_ID)","managedIdentity":"$(MANAGED_IDENTITY)","releaseStage":"$(RELEASE_STAGE_NAME)","acrName":"$(ACRName)","repoType":"$(RepoType)"}}}' +resources: + containers: [] + pipelines: + - pipeline: '_ci-arc-k8s-extension-prod-release' + project: 'microsoft' + source: 'CDPX\docker-provider\ContainerInsights-MultiArch-MergedBranches' + repositories: + - repository: 1ESPipelineTemplates + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates + parameters: + settings: + networkIsolationPolicy: Permissive,CFSClean + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + sdl: + sourceAnalysisPool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + customBuildTags: + - ES365AIMigrationTooling + stages: + - stage: Stage_1 + displayName: ci-arc-k8s-extension-all-regions-prod-release(MCR) + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: releaseGating + displayName: Release Gating + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - 
name: skipNugetSecurityAnalysis + value: true + steps: + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + - task: 1ESGPTRunTask@3.0.376 + displayName: Branch Validation (1ES PT) + continueOnError: true + target: + container: host + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + BUILD_SOURCEBRANCH: $(Build.SourceBranch) + BUILD_REPOSITORY_NAME: $(Build.Repository.Name) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) + BUILD_SOURCEVERSION: $(Build.SourceVersion) + TASK_MODE: audit + inputs: + repoId: microsoft/Docker-Provider + path: release_gating.py + - job: approval + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Approval + pool: + name: server + timeoutInMinutes: 7200 + dependsOn: + - releaseGating + steps: + - task: ApprovalTask@1 + inputs: + environment: $(ev2Environment) + servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 + - job: Ev2_rollout_ev2_rollout + displayName: Agent Job - Ev2 Ev2 Rollout + timeoutInMinutes: '0' + condition: succeeded() + dependsOn: + - approval + variables: + - name: ev2Environment + value: Production + - name: RELEASE_STAGE_NAME + value: Pilot + - name: Ev2MonintoringUrl + value: https://azureservicedeploy.msft.net/api/monitorrollout + - name: OneESPT.JobType + value: releaseJob + readonly: true + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true 
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1
+ displayName: "\U0001F6E1 Guardian: CodeSign Validation"
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ continueOnError: true
+ timeoutInMinutes: 10
+ inputs:
+ Path: $(Pipeline.Workspace)/ev2Artifact
+ MaxThreads: $(OneES_UsableProcessorCount)
+ FailIfNoTargetsFound: false
+ ExcludePassesFromLog: False
+ Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**;
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)"
+ continueOnError: true
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ env:
+ OneES_PipelineWorkspace: $(Pipeline.Workspace)
+ OneES_DeleteCodeSignValidationResult: True
+ OneES_CustomPolicyFile: ''
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: check_csv_results.ps1
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ target:
+ container: host
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP - Chart Push
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ UseServerMonitorTask: true
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ApprovalServiceEnvironment: $(ev2Environment)
+ ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-Managed-SDP/ServiceGroupRoot
+ RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: regions(*)
+ ConfigurationOverrides: $(configurationOverrides)
+ env:
+ ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2
+ target:
+ container: host
+ - job: Ev2_rollout_ev2_monitoring
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Agent Job - Ev2 Ev2 Monitoring
+ pool:
+ name: server
+ dependsOn:
+ - Ev2_rollout_ev2_rollout
+ timeoutInMinutes: '0'
+ steps:
+ - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1
+ displayName: Ev2 - Monitoring
+ inputs:
+ Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+ - stage: Stage_2
+ displayName: Pilot Regions
+ trigger: manual
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: REGISTER_REGIONS_BATCH
+ value: "westcentralus"
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1
+ displayName: "\U0001F6E1 Guardian: CodeSign Validation"
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ continueOnError: true
+ timeoutInMinutes: 10
+ inputs:
+ Path: $(Pipeline.Workspace)/ev2Artifact
+ MaxThreads: $(OneES_UsableProcessorCount)
+ FailIfNoTargetsFound: false
+ ExcludePassesFromLog: False
+ Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**;
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)"
+ continueOnError: true
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ env:
+ OneES_PipelineWorkspace: $(Pipeline.Workspace)
+ OneES_DeleteCodeSignValidationResult: True
+ OneES_CustomPolicyFile: ''
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: check_csv_results.ps1
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ target:
+ container: host
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP - Deploy
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ UseServerMonitorTask: true
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ApprovalServiceEnvironment: $(ev2Environment)
+ ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot
+ RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: regions(*)
+ ConfigurationOverrides: $(configurationOverrides)
+ env:
+ ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2
+ target:
+ container: host
+ - job: Ev2_rollout_ev2_monitoring
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Agent job - Ev2 Ev2 Monitoring
+ pool:
+ name: server
+ dependsOn:
+ - Ev2_rollout_ev2_rollout
+ timeoutInMinutes: '0'
+ steps:
+ - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1
+ displayName: Ev2 - Monitoring
+ inputs:
+ Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+ - stage: Wait_After_Stage_2
+ displayName: Wait after Pilot Region
+ dependsOn: Stage_2
+ jobs:
+ - job: WaitJob
+ displayName: Wait for Bake Time
+ timeoutInMinutes: 1600
+ pool: server
+ steps:
+ - task: Delay@1
+ inputs:
+ delayForMinutes: 1500
+ - stage: Stage_3
+ displayName: Light Load Region
+ dependsOn:
+ - Wait_After_Stage_2
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: REGISTER_REGIONS_BATCH
+ value: "westcentralus,southcentralus,southeastasia,uksouth"
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1
+ displayName: "\U0001F6E1 Guardian: CodeSign Validation"
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ continueOnError: true
+ timeoutInMinutes: 10
+ inputs:
+ Path: $(Pipeline.Workspace)/ev2Artifact
+ MaxThreads: $(OneES_UsableProcessorCount)
+ FailIfNoTargetsFound: false
+ ExcludePassesFromLog: False
+ Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**;
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)"
+ continueOnError: true
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ env:
+ OneES_PipelineWorkspace: $(Pipeline.Workspace)
+ OneES_DeleteCodeSignValidationResult: True
+ OneES_CustomPolicyFile: ''
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: check_csv_results.ps1
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ target:
+ container: host
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP - Deploy
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ UseServerMonitorTask: true
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ApprovalServiceEnvironment: $(ev2Environment)
+ ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot
+ RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: regions(*)
+ ConfigurationOverrides: $(configurationOverrides)
+ env:
+ ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2
+ target:
+ container: host
+ - job: Ev2_rollout_ev2_monitoring
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Agent job - Ev2 Ev2 Monitoring
+ pool:
+ name: server
+ dependsOn:
+ - Ev2_rollout_ev2_rollout
+ timeoutInMinutes: '0'
+ steps:
+ - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1
+ displayName: Ev2 - Monitoring
+ inputs:
+ Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+ - stage: Wait_After_Stage_3
+ displayName: Wait after Light Load Region
+ dependsOn: Stage_3
+ jobs:
+ - job: WaitJob
+ displayName: Wait for Bake Time
+ timeoutInMinutes: 1600
+ pool: server
+ steps:
+ - task: Delay@1
+ inputs:
+ delayForMinutes: 1500
+ - stage: Stage_4
+ displayName: Medium Load Region
+ dependsOn:
+ - Wait_After_Stage_3
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: REGISTER_REGIONS_BATCH
+ value: "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast"
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1
+ displayName: "\U0001F6E1 Guardian: CodeSign Validation"
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ continueOnError: true
+ timeoutInMinutes: 10
+ inputs:
+ Path: $(Pipeline.Workspace)/ev2Artifact
+ MaxThreads: $(OneES_UsableProcessorCount)
+ FailIfNoTargetsFound: false
+ ExcludePassesFromLog: False
+ Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**;
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)"
+ continueOnError: true
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ env:
+ OneES_PipelineWorkspace: $(Pipeline.Workspace)
+ OneES_DeleteCodeSignValidationResult: True
+ OneES_CustomPolicyFile: ''
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: check_csv_results.ps1
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ target:
+ container: host
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP - Deploy
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ UseServerMonitorTask: true
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ApprovalServiceEnvironment: $(ev2Environment)
+ ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot
+ RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: regions(*)
+ ConfigurationOverrides: $(configurationOverrides)
+ env:
+ ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2
+ target:
+ container: host
+ - job: Ev2_rollout_ev2_monitoring
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Agent job - Ev2 Ev2 Monitoring
+ pool:
+ name: server
+ dependsOn:
+ - Ev2_rollout_ev2_rollout
+ timeoutInMinutes: '0'
+ steps:
+ - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1
+ displayName: Ev2 - Monitoring
+ inputs:
+ Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+ - stage: Wait_After_Stage_4
+ displayName: Wait after Medium Load Region
+ dependsOn: Stage_4
+ jobs:
+ - job: WaitJob
+ displayName: Wait for Bake Time
+ timeoutInMinutes: 1600
+ pool: server
+ steps:
+ - task: Delay@1
+ inputs:
+ delayForMinutes: 1500
+ - stage: Stage_5
+ displayName: High Load Region
+ dependsOn:
+ - Wait_After_Stage_4
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: REGISTER_REGIONS_BATCH
+ value: "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia"
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task:
securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: CodeSign Validation" + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + UseServerMonitorTask: true + SkipRegistrationIfExists: True + ForceRegistration: true + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + ConfigurationOverrides: $(configurationOverrides) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 
+ target: + container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) + - stage: Stage_6 + displayName: 'Fairfax & Mooncake: Create Escort JIT' + trigger: manual + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: Job_1 + displayName: Agentless job + condition: succeeded() + timeoutInMinutes: 7200 + pool: + name: server + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + steps: [] + - stage: Stage_7 + displayName: Fairfax Region Testing + trigger: manual + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: releaseGating + displayName: Release Gating + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + steps: + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + - 
task: 1ESGPTRunTask@3.0.376 + displayName: Branch Validation (1ES PT) + continueOnError: true + target: + container: host + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + BUILD_SOURCEBRANCH: $(Build.SourceBranch) + BUILD_REPOSITORY_NAME: $(Build.Repository.Name) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) + BUILD_SOURCEVERSION: $(Build.SourceVersion) + TASK_MODE: audit + inputs: + repoId: microsoft/Docker-Provider + path: release_gating.py + - job: approval + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Approval + pool: + name: server + timeoutInMinutes: 7200 + dependsOn: + - releaseGating + steps: + - task: ApprovalTask@1 + inputs: + environment: $(ev2Environment) + servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 + - job: Ev2_rollout_ev2_rollout + displayName: Agent job - Ev2 Ev2 Rollout + timeoutInMinutes: '0' + condition: succeeded() + dependsOn: + - approval + variables: + - name: ev2Environment + value: Production + - name: REGISTER_REGIONS_BATCH + value: 
"westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia,usgovvirginia" + - name: Ev2MonintoringUrl + value: https://azureservicedeploy.msft.net/api/monitorrollout + - name: OneESPT.JobType + value: releaseJob + readonly: true + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + - name: OneES_targetName + value: host + steps: + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Hosted Pool Information (1ES PT) + continueOnError: false + target: + container: host + env: + HOST_ARCHITECTURE: amd64 + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_DEFINITIONID: $(System.DefinitionId) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] + PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] + 
BUILD_REASON: $(Build.Reason) + inputs: + repoId: microsoft/Docker-Provider + path: validateHostedPool.ps1 + arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline + - task: DownloadPipelineArtifact@2 + displayName: ⏬ Pipeline Artifact Download + inputs: + buildType: specific + project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) + definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) + allowFailedBuilds: false + buildVersionToDownload: specific + pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) + pipeline: _ci-arc-k8s-extension-prod-release + targetPath: $(Pipeline.Workspace)/ev2Artifact + target: + container: host + - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 + displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" + condition: succeeded() + continueOnError: False + timeoutInMinutes: 30 + env: + SBOMVALIDATOR_TEMPIGNOREMISSING: true + inputs: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + ValidateSignature: True + Verbosity: 'Verbose' + - task: 1ESGPTRunTask@3.0.376 + displayName: Post-SBoM Validation (1ES PT) + continueOnError: true + target: + container: host + condition: succeeded() + env: + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + inputs: + repoId: microsoft/Docker-Provider + path: post_sbom_validation.py + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Source Build (1ES PT) + continueOnError: false + target: + container: host + env: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + IsProduction: True + OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) + inputs: + repoId: microsoft/Docker-Provider + path: validate_source_build.py + - task: 
securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: CodeSign Validation" + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + UseServerMonitorTask: true + SkipRegistrationIfExists: True + ForceRegistration: true + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + ConfigurationOverrides: $(configurationOverrides) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 
+ target: + container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json new file mode 100644 index 0000000000..be1b63d73c --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json 
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/ConfigurationSpecification.json",
+ "Settings": {
+ "tenantId": "33e01921-4d64-4f8c-a055-5bdaffd5e33d",
+ "environment": "Prod",
+ "releaseStage": "Pilot",
+ "adminSubscriptionId": "",
+ "chartVersion": "0.0.1",
+ "isCustomerHidden": "",
+ "registerRegionsCanary": "",
+ "releaseTrainsPreviewPath": "",
+ "releaseTrainsStablePath": "",
+ "registerRegionsBatch": "",
+ "resourceAudience": "",
+ "spnClientId": "",
+ "spnSecret": "",
+ "spnTenantId": "",
+ "managedIdentity": "/subscriptions/30c56c3a-54da-46ea-b004-06eb33432687/resourceGroups/containerinsightsprod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ev2-agent-release",
+ "acrName": "containerinsightsprod",
+ "repoType": "stable"
+ },
+ "Geographies": [
+ {
+ "Name": "United States",
+ "Settings": {},
+ "Regions": [
+ {
+ "Name": "eastus2",
+ "Settings": {
+ "stampCount": 1,
+ "azureResourceGroup": "ContainerInsightsExtension-ChartPush",
+ "subscriptionkey": "ContainerInsights-30c56c3a-54da-46ea-b004-06eb33432687"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json
new file mode 100644
index 0000000000..daee1b4a23
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json
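Review bot: The `Settings` block keeps the credential-shaped keys `"spnClientId": ""`, `"spnSecret": ""` and `"spnTenantId": ""`, yet nothing visible in this service group reads them: ScopeBindings.json binds only releaseStage, acrName, repoType, chartVersion and managedIdentity, and pushChartToAcr.sh authenticates with `az login --identity`. An empty secret slot in a checked-in Ev2 configuration invites someone to fill it later, in source control or through `ConfigurationOverrides`, where the value would end up in rollout records. I would delete the three `spn*` lines here. The same keys appear in arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json and can go too, unless that rollout's parameter file (not visible in this part of the diff) still consumes them.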
@@ -0,0 +1,50 @@
+{
+ "$schema": "http://schema.express.azure.com/schemas/2022-01-01/RolloutParameters.json",
+ "contentVersion": "1.0.0.0",
+ "shellExtensions": [
+ {
+ "name": "PushChartToACR",
+ "type": "ShellExtensionType",
+ "properties": {
+ "maxExecutionTime": "PT1H",
+ "useFallBackLocations": true,
+ "skipDeleteAfterExecution": false
+ },
+ "package": {
+ "reference": {
+ "path": "artifacts.tar.gz"
+ }
+ },
+ "launch": {
+ "command": [
+ "/bin/bash",
+ "pushChartToAcr.sh"
+ ],
+ "environmentVariables": [
+ {
+ "name": "RELEASE_STAGE",
+ "value": "__RELEASE_STAGE__"
+ },
+ {
+ "name": "ACR_NAME",
+ "value": "__ACR_NAME__"
+ },
+ {
+ "name": "REPO_TYPE",
+ "value": "__REPO_TYPE__"
+ },
+ {
+ "name": "CHART_VERSION",
+ "value": "__CHART_VERSION__"
+ }
+ ],
+ "identity": {
+ "type": "userAssigned",
+ "userAssignedIdentities": [
+ "__MANAGED_IDENTITY__"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
new file mode 100644
index 0000000000..562f0bedc9
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
@@ -0,0 +1,41 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticRolloutSpecification.json",
+ "contentVersion": "1.0.0.0",
+ "rolloutMetadata": {
+ "serviceModelPath": "ServiceModel.json",
+ "scopeBindingsPath": "ScopeBindings.json",
+ "name": "ContainerInsightsExtension-ChartPush",
+ "configuration": {
+ "serviceGroupScope": {
+ "specPath": "Configurations.Public.Prod.json"
+ }
+ },
+ "rolloutType": "Major",
+ "buildSource": {
+ "parameters": {
+ "versionFile": "buildver.txt"
+ }
+ },
+ "notification": {
+ "email": {
+ "to": "omscontainers@microsoft.com",
+ "options": {
+ "when": [
+ "onError"
+ ]
+ }
+ }
+ }
+ },
+ "orchestratedSteps": [
+ {
+ "name": "Rollout.PushChartToACR",
+ "targetType": "ServiceResourceDefinition",
+ "targetName": "ShellExtension",
+ "actions": [
+ "shell/PushChartToACR"
+ ],
+ "dependsOn": []
+ }
+ ]
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json
new file mode 100644
index 0000000000..da07610949
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json
@@ -0,0 +1,31 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json",
+ "contentVersion": "0.0.0.1",
+ "scopeBindings": [
+ {
+ "scopeTagName": "Stable",
+ "bindings": [
+ {
+ "find": "__RELEASE_STAGE__",
+ "replaceWith": "$config(releaseStage)"
+ },
+ {
+ "find": "__ACR_NAME__",
+ "replaceWith": "$config(acrName)"
+ },
+ {
+ "find": "__REPO_TYPE__",
+ "replaceWith": "$config(repoType)"
+ },
+ {
+ "find": "__CHART_VERSION__",
+ "replaceWith": "$config(chartVersion)"
+ },
+ {
+ "find": "__MANAGED_IDENTITY__",
+ "replaceWith": "$config(managedIdentity)"
+ }
+ ]
+ }
+ ]
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh
new file mode 100644
index 0000000000..0199023544
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh
@@ -0,0 +1,187 @@
+#!/bin/bash
+
+export HELM_EXPERIMENTAL_OCI=1
+export MCR_NAME="mcr.microsoft.com"
+
+# for prod-> stable and for test -> preview
+# by default is preview, for the prod release piepline, pass the stable value in the Variables
+if [ -z "$REPO_TYPE" ]; then
+ REPO_TYPE="preview"
+fi
+
+# repo paths for arc k8s extension roll-out
+# canary region
+export CANARY_REGION_REPO_PATH="azuremonitor/containerinsights/canary/${REPO_TYPE}"
+# pilot region
+export PILOT_REGION_REPO_PATH="azuremonitor/containerinsights/prod1/${REPO_TYPE}"
+# light load regions
+export LIGHT_LOAD_REGION_REPO_PATH="azuremonitor/containerinsights/prod2/${REPO_TYPE}"
+# medium load regions
+export MEDIUM_LOAD_REGION_REPO_PATH="azuremonitor/containerinsights/prod3/${REPO_TYPE}"
+# high load regions
+export HIGH_LOAD_REGION_REPO_PATH="azuremonitor/containerinsights/prod4/${REPO_TYPE}"
+# FairFax regions
+export FF_REGION_REPO_PATH="azuremonitor/containerinsights/prod5/${REPO_TYPE}"
+# Mooncake regions
+export MC_REGION_REPO_PATH="azuremonitor/containerinsights/prod6/${REPO_TYPE}"
+
+export CHART_NAME="azuremonitor-containers"
+
+# pull chart from previous stage mcr and push chart to next stage acr
+pull_chart_from_source_mcr_to_push_to_dest_acr() {
+ srcMcrFullPath=${1}
+ destAcrFullPath=${2}
+
+ if [ -z $srcMcrFullPath ]; then
+ echo "-e error source mcr path must be provided "
+ exit 1
+ fi
+
+ if [ -z $destAcrFullPath ]; then
+ echo "-e error dest acr path must be provided "
+ exit 1
+ fi
+
+ echo "Pulling chart from MCR:${srcMcrFullPath} ..."
+ helm pull ${srcMcrFullPath} --version ${CHART_VERSION}
+ if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${srcMcrFullPath} completed successfully."
+ else
+ echo "-e error Pulling chart from MCR:${srcMcrFullPath} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+ fi
+
+ echo "pushing the azuremonitor-containers chart version: ${CHART_VERSION} to acr path: ${destAcrFullPath} ..."
+ helm push azuremonitor-containers-${CHART_VERSION}.tgz ${destAcrFullPath}
+ if [ $? -eq 0 ]; then
+ echo "pushing the azuremonitor-containers chart version ${CHART_VERSION} to acr path: ${destAcrFullPath} completed successfully."
+ else
+ echo "-e error pushing the azuremonitor-containers chart version ${CHART_VERSION} to acr path: ${destAcrFullPath} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+ fi
+}
+
+# push to local release candidate chart to canary region
+push_local_chart_to_acr() {
+ destAcrFullPath=${1}
+ if [ -z $destAcrFullPath ]; then
+ echo "-e error dest acr path must be provided "
+ exit 1
+ fi
+
+ echo "generate chart package file"
+ export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ --version ${CHART_VERSION} | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')
+ if [ $? -eq 0 ]; then
+ echo "chart package file generated successfully."
+ else
+ echo "-e error package generation failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+ fi
+
+ echo "chart package file: ${CHART_FILE}"
+
+
+ echo "pushing the chart to acr path: ${destAcrFullPath} ..."
+ helm push $CHART_FILE $destAcrFullPath
+ if [ $? -eq 0 ]; then
+ echo "pushing the chart ${CHART_FILE} to acr path: ${destAcrFullPath} completed successfully."
+ else
+ echo "-e error pushing the chart ${CHART_FILE} to acr path: ${destAcrFullPath} failed.Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+ fi
+}
+
+echo "START - Release stage : ${RELEASE_STAGE}"
+
+# login to acr
+echo "Using acr : ${ACR_NAME}"
+echo "Using acr repo type: ${REPO_TYPE}"
+
+#Login to az cli and authenticate to acr
+echo "Login cli using managed identity"
+az login --identity
+if [ $? -eq 0 ]; then
+ echo "Logged in successfully"
+else
+ echo "-e error az login with managed identity credentials failed. Please review the Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+
+ACCESS_TOKEN=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken)
+if [ $? -ne 0 ]; then
+ echo "-e error az acr login failed. Please review the Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+
+echo "login to acr:${ACR_NAME} using helm ..."
+echo $ACCESS_TOKEN | helm registry login $ACR_NAME -u 00000000-0000-0000-0000-000000000000 --password-stdin
+if [ $? -eq 0 ]; then
+ echo "login to acr:${ACR_NAME} using helm completed successfully."
+else
+ echo "-e error login to acr:${ACR_NAME} using helm failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+
+case $RELEASE_STAGE in
+
+ Canary)
+ echo "START: Release stage - Canary"
+ destAcrFullPath=oci://${ACR_NAME}/public/${CANARY_REGION_REPO_PATH}
+ push_local_chart_to_acr $destAcrFullPath
+ echo "END: Release stage - Canary"
+ ;;
+
+ Pilot | Prod1)
+ echo "START: Release stage - Pilot"
+ destAcrFullPath=oci://${ACR_NAME}/public/${PILOT_REGION_REPO_PATH}
+ push_local_chart_to_acr $destAcrFullPath
+ echo "END: Release stage - Pilot"
+ ;;
+
+ LightLoad | Pord2)
+ echo "START: Release stage - Light Load Regions"
+ srcMcrFullPath=oci://${MCR_NAME}/${PILOT_REGION_REPO_PATH}/${CHART_NAME}
+ destAcrFullPath=oci://${ACR_NAME}/public/${LIGHT_LOAD_REGION_REPO_PATH}
+ pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath
+ echo "END: Release stage - Light Load Regions"
+ ;;
+
+ MediumLoad | Prod3)
+ echo "START: Release stage - Medium Load Regions"
+ srcMcrFullPath=oci://${MCR_NAME}/${LIGHT_LOAD_REGION_REPO_PATH}/${CHART_NAME}
+ destAcrFullPath=oci://${ACR_NAME}/public/${MEDIUM_LOAD_REGION_REPO_PATH}
+ pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath
+ echo "END: Release stage - Medium Load Regions"
+ ;;
+
+ HighLoad | Prod4)
+ echo "START: Release stage - High Load Regions"
+ srcMcrFullPath=oci://${MCR_NAME}/${MEDIUM_LOAD_REGION_REPO_PATH}/${CHART_NAME}
+ destAcrFullPath=oci://${ACR_NAME}/public/${HIGH_LOAD_REGION_REPO_PATH}
+ pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath
+ echo "END: Release stage - High Load Regions"
+ ;;
+
+ FF | Prod5)
+ echo "START: Release stage - FF"
+ srcMcrFullPath=oci://${MCR_NAME}/${HIGH_LOAD_REGION_REPO_PATH}/${CHART_NAME}
+ destAcrFullPath=oci://${ACR_NAME}/public/${FF_REGION_REPO_PATH}
+ pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath
+ echo "END: Release stage - FF"
+ ;;
+
+ MC | Prod6)
+ echo "START: Release stage - MC"
+ srcMcrFullPath=oci://${MCR_NAME}/${FF_REGION_REPO_PATH}/${CHART_NAME}
+ destAcrFullPath=oci://${ACR_NAME}/public/${MC_REGION_REPO_PATH}
+ pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath
+ echo "END: Release stage - MC"
+ ;;
+
+ *)
+ echo -n "unknown release stage"
+ exit 1
+ ;;
+esac
+
+echo "END - Release stage : ${RELEASE_STAGE}"
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json
new file mode 100644
index 0000000000..7a88a8a1be
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json
@@ -0,0 +1,6 @@
+{
+ "name": "Microsoft.ContainerInsights.Extension.ChartPush",
+ "description": "Container Insights Extension Chart Push",
+ "ownerGroupContactEmail": "omscontainers@microsoft.com",
+ "contentVersion": "1.0.0.0"
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json
new file mode 100644
index 0000000000..e06b90af73
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json
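Review bot: In `push_local_chart_to_acr` (pushChartToAcr.sh) the `$?` test after `export CHART_FILE=$(helm package … | awk …)` cannot see a `helm package` failure: `$?` there is the status of `export`, and inside the substitution only `awk`'s status counts because `pipefail` is not set. The script therefore reports "chart package file generated successfully." and goes on to `helm push` with an empty or wrong `CHART_FILE`. I would add `set -o pipefail` near the top and split the statement into `CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ --version "${CHART_VERSION}" | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') || exit 1` followed by `export CHART_FILE`, keeping the existing error message in the failure branch. Separately, the case label `LightLoad | Pord2)` looks like a typo for `Prod2`, so a stage passed as `Prod2` lands in "unknown release stage". The `[ -z $srcMcrFullPath ]` and `[ -z $destAcrFullPath ]` tests and the `helm pull`/`helm push` arguments should also be double-quoted so an unexpected value cannot word-split into extra arguments.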
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticServiceModel.json",
+ "contentVersion": "1.0.0.0",
+ "serviceMetadata": {
+ "serviceGroup": "Microsoft.ContainerInsights.Extension.ChartPush",
+ "serviceIdentifier": "3170cdd2-19f0-4027-912b-1027311691a2",
+ "tenantId": "$config(tenantId)",
+ "environment": "$config(environment)",
+ "displayName": "ContainerInsightsExtension-ChartPush",
+ "buildout": {
+ "isForAutomatedBuildout": "True"
+ },
+ "serviceSpecificationPath": "ServiceSpec.json",
+ "serviceGroupSpecificationPath": "ServiceGroupSpec.json"
+ },
+ "serviceResourceGroupDefinitions": [
+ {
+ "name": "SRG.ShellExtension",
+ "azureResourceGroupName": "$config(azureResourceGroup)",
+ "scopeTags": [
+ {
+ "name": "Stable"
+ }
+ ],
+ "subscriptionKey": "$config(subscriptionkey)",
+ "stamps": {
+ "count": "$config(stampCount)"
+ },
+ "serviceResourceDefinitions": [
+ {
+ "name": "ShellExtension",
+ "composedOf": {
+ "extension": {
+ "rolloutParametersPath": "Parameters\\ChartPush.Parameters.json",
+ "shell": [
+ {
+ "type": "ShellExtensionType",
+ "properties": {
+ "imageName": "adm-ubuntu-2004-l",
+ "imageVersion": "v8"
+ }
+ }
+ ]
+ }
+ },
+ "scopeTags": []
+ }
+ ]
+ }
+ ]
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json
new file mode 100644
index 0000000000..e34bb5fcf5
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json
@@ -0,0 +1,8 @@
+{
+ "providerType": "ServiceTree",
+ "identifier": "3170cdd2-19f0-4027-912b-1027311691a2",
+ "description": "Container Insights Extension",
+ "ownerGroupContactEmail": "omscontainers@microsoft.com",
+ "policyCheckEnabled": true,
+ "contentVersion": "1.0.0.0"
+}
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt
new file mode 100644
index 0000000000..b289f7bed4
--- /dev/null
+++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt
@@ -0,0 +1 @@
+1.0.0.1
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json
new file mode 100644
index 0000000000..7812a84379
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/ConfigurationSpecification.json",
+ "Settings": {
+ "tenantId": "33e01921-4d64-4f8c-a055-5bdaffd5e33d",
+ "environment": "Prod",
+ "releaseStage": "Stable",
+ "adminSubscriptionId": "",
+ "chartVersion": "",
+ "isCustomerHidden": "",
+ "registerRegionsCanary": "",
+ "releaseTrainsPreviewPath": "",
+ "releaseTrainsStablePath": "",
+ "registerRegionsBatch": "",
+ "resourceAudience": "",
+ "spnClientId": "",
+ "spnSecret": "",
+ "spnTenantId": "",
+ "managedIdentity": "",
+ "acrName": "",
+ "repoType": ""
+ },
+ "Geographies": [
+ {
+ "Name": "United States",
+ "Settings": {},
+ "Regions": [
+ {
+ "Name": "eastus2",
+ "Settings": {
+ "stampCount": 1,
+ "azureResourceGroup": "ContainerInsightsExtension-Pilot-Release",
+ "subscriptionkey": "ContainerInsights-30c56c3a-54da-46ea-b004-06eb33432687"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml
new file mode 100644
index 0000000000..d5b80b82bf
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml
@@ -0,0 +1,90 @@
+trigger: none
+resources:
+ pipelines:
+ - pipeline: build-artifacts
+ source: CDPX\docker-provider-arc\ARC-K8S-Extension-MergedBranches
+ repositories:
+ - repository: templates
+ type: git
+ name: OneBranch.Pipelines/GovernedTemplates
+ ref: refs/heads/main
+parameters:
+- name: rolloutType
+ displayName: Rollout Type
+ type: string
+ default: normal
+ values:
+ - normal
+ - emergency
+ - globaloutage
+- name: overrideManagedValidationDuration
+ displayName: Override standard SDP duration?
+ type: boolean
+ default: false
+ values:
+ - true
+ - false
+- name: managedValidationOverrideDurationInHours
+ displayName: Managed validation override duration in hours
+ type: number
+ default: 0
+ values:
+- name: icmIncidentId
+ displayName: ICM Incident Id
+ type: number
+ default: 0
+ values:
+- name: ServiceRootPath
+ displayName: Service Root Path
+ type: string
+ default: $(Pipeline.Workspace)/build-artifacts/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot
+ values:
+- name: RolloutSpecPath
+ displayName: Rollout Spec Path
+ type: string
+ default: $(Pipeline.Workspace)/build-artifacts/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ values:
+- name: select
+ displayName: Select
+ type: string
+ default: regions(*)
+ values:
+variables:
+- name: configurationOverrides
+ value: '{}'
+extends:
+ template: v2/OneBranch.Official.CrossPlat.yml@templates
+ parameters:
+ stages:
+ - stage: PROD_Prod_Managed_SDP
+ displayName: 'Production: Managed SDP'
+ dependsOn: []
+ variables:
+ ob_release_environment: Production
+ jobs:
+ - job: PROD_Prod_Managed_SDP
+ displayName: PROD_Prod_Managed_SDP
+ pool:
+ type: release
+ condition:
+ dependsOn:
+ steps:
+ - download: build-artifacts
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP Rollout
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ServiceRootPath: ${{parameters.ServiceRootPath}}
+ RolloutSpecPath: ${{parameters.RolloutSpecPath}}
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: ${{parameters.select}}
+ ApprovalServiceEnvironment: Production
+ ConfigurationOverrides: $(configurationOverrides)
+ ev2ManagedSdpRolloutConfig:
+ rolloutType: ${{parameters.rolloutType}}
+ overrideManagedValidationDuration: ${{parameters.overrideManagedValidationDuration}}
+ managedValidationOverrideDurationInHours: ${{parameters.managedValidationOverrideDurationInHours}}
+ icmIncidentId: ${{parameters.icmIncidentId}}
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json
new file mode 100644
index 0000000000..f5c3102853
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json
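Review bot: `ServiceRootPath`, `RolloutSpecPath` and `select` are declared as free-form queue-time parameters with an empty `values:` key, so anyone who can queue this production run can point the Ev2 task at a different service root or rollout spec. The two paths are constants derived from the `build-artifacts` download, so I would declare them under `variables:` and reference them as `$(ServiceRootPath)` / `$(RolloutSpecPath)`, leaving only the SDP knobs as parameters. The bare `values:`, `condition:` and job-level `dependsOn:` keys parse as null and can be dropped. Separately, `SkipRegistrationIfExists: True` and `ForceRegistration: true` read as opposite intents; keep whichever is meant and write it as lowercase `true`.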
@@ -0,0 +1,90 @@
+{
+ "$schema": "http://schema.express.azure.com/schemas/2022-01-01/RolloutParameters.json",
+ "contentVersion": "1.0.0.0",
+ "shellExtensions": [
+ {
+ "name": "ArcExtensionRelease",
+ "type": "ShellExtensionType",
+ "properties": {
+ "maxExecutionTime": "PT1H",
+ "useFallBackLocations": false,
+ "skipDeleteAfterExecution": false
+ },
+ "package": {
+ "reference": {
+ "path": "artifacts.tar.gz"
+ }
+ },
+ "launch": {
+ "command": [
+ "/bin/bash",
+ "arcExtensionRelease.sh"
+ ],
+ "environmentVariables": [
+ {
+ "name": "RELEASE_STAGE",
+ "value": "__RELEASE_STAGE__"
+ },
+ {
+ "name": "ADMIN_SUBSCRIPTION_ID",
+ "value": "__ADMIN_SUBSCRIPTION_ID__"
+ },
+ {
+ "name": "CHART_VERSION",
+ "value": "__CHART_VERSION__"
+ },
+ {
+ "name": "IS_CUSTOMER_HIDDEN",
+ "value": "__IS_CUSTOMER_HIDDEN__"
+ },
+ {
+ "name": "REGISTER_REGIONS_CANARY",
+ "value": "__REGISTER_REGIONS_CANARY__"
+ },
+ {
+ "name": "RELEASE_TRAINS_PREVIEW_PATH",
+ "value": "__RELEASE_TRAINS_PREVIEW_PATH__"
+ },
+ {
+ "name": "RELEASE_TRAINS_STABLE_PATH",
+ "value": "__RELEASE_TRAINS_STABLE_PATH__"
+ },
+ {
+ "name": "REGISTER_REGIONS_BATCH",
+ "value": "__REGISTER_REGIONS_BATCH__"
+ },
+ {
+ "name": "RESOURCE_AUDIENCE",
+ "value": "__RESOURCE_AUDIENCE__"
+ },
+ {
+ "name": "SPN_CLIENT_ID",
+ "value": "__SPN_CLIENT_ID__"
+ },
+ {
+ "name": "SPN_SECRET",
+ "value": "__SPN_SECRET__"
+ },
+ {
+ "name": "SPN_TENANT_ID",
+ "value": "__SPN_TENANT_ID__"
+ }
+ ],
+ "identity": {
+ "type": "userAssigned",
+ "userAssignedIdentities": [
+ "__MANAGED_IDENTITY__"
+ ]
+ }
+ }
+ }
+ ],
+ "wait": [
+ {
+ "name": "waitSdpBakeTime",
+ "properties": {
+ "duration": "PT24H"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
new file mode 100644
index 0000000000..37387c2042
--- /dev/null
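Review bot: The `SPN_SECRET` entry in `environmentVariables` hands a service-principal secret to the shell extension as a plain environment variable, yet the script launched here (`arcExtensionRelease.sh`, added later in this commit) signs in with `az login --identity` and never reads it. I would delete the `{ "name": "SPN_SECRET", "value": "__SPN_SECRET__" }` entry together with its `__SPN_SECRET__` binding in ScopeBindings.json and the `spnSecret` setting in Configurations.Public.Prod.json, so no credential slot exists for someone to populate later. `SPN_CLIENT_ID` and `SPN_TENANT_ID` are only echoed by the script and look removable on the same grounds. The `waitSdpBakeTime` action declared at the bottom is not referenced by any step in RolloutSpec.json; presumably the Managed SDP stage map owns bake time, in which case dropping it avoids implying a 24-hour wait that never runs.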
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
@@ -0,0 +1,41 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticRolloutSpecification.json",
+ "contentVersion": "1.0.0.0",
+ "rolloutMetadata": {
+ "serviceModelPath": "ServiceModel.json",
+ "scopeBindingsPath": "ScopeBindings.json",
+ "name": "ContainerInsightsExtension-Release",
+ "configuration": {
+ "serviceGroupScope": {
+ "specPath": "Configurations.Public.Prod.json"
+ }
+ },
+ "rolloutType": "Major",
+ "buildSource": {
+ "parameters": {
+ "versionFile": "buildver.txt"
+ }
+ },
+ "notification": {
+ "email": {
+ "to": "omscontainers@microsoft.com",
+ "options": {
+ "when": [
+ "onError"
+ ]
+ }
+ }
+ }
+ },
+ "orchestratedSteps": [
+ {
+ "name": "Rollout.ArcExtensionRelease",
+ "targetType": "ServiceResourceDefinition",
+ "targetName": "ShellExtension",
+ "actions": [
+ "shell/ArcExtensionRelease"
+ ],
+ "dependsOn": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json
new file mode 100644
index 0000000000..86f89c46ee
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json
@@ -0,0 +1,63 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json",
+ "contentVersion": "0.0.0.1",
+ "scopeBindings": [
+ {
+ "scopeTagName": "Stable",
+ "bindings": [
+ {
+ "find": "__RELEASE_STAGE__",
+ "replaceWith": "$config(releaseStage)"
+ },
+ {
+ "find": "__ADMIN_SUBSCRIPTION_ID__",
+ "replaceWith": "$config(adminSubscriptionId)"
+ },
+ {
+ "find": "__CHART_VERSION__",
+ "replaceWith": "$config(chartVersion)"
+ },
+ {
+ "find": "__IS_CUSTOMER_HIDDEN__",
+ "replaceWith": "$config(isCustomerHidden)"
+ },
+ {
+ "find": "__REGISTER_REGIONS_CANARY__",
+ "replaceWith": "$config(registerRegionsCanary)"
+ },
+ {
+ "find": "__RELEASE_TRAINS_PREVIEW_PATH__",
+ "replaceWith": "$config(releaseTrainsPreviewPath)"
+ },
+ {
+ "find": "__RELEASE_TRAINS_STABLE_PATH__",
+ "replaceWith": "$config(releaseTrainsStablePath)"
+ },
+ {
+ "find": "__REGISTER_REGIONS_BATCH__",
+ "replaceWith": "$config(registerRegionsBatch)"
+ },
+ {
+ "find": "__RESOURCE_AUDIENCE__",
+ "replaceWith": "$config(resourceAudience)"
+ },
+ {
+ "find": "__SPN_CLIENT_ID__",
+ "replaceWith": "$config(spnClientId)"
+ },
+ {
+ "find": "__SPN_SECRET__",
+ "replaceWith": "$config(spnSecret)"
+ },
+ {
+ "find": "__SPN_TENANT_ID__",
+ "replaceWith": "$config(spnTenantId)"
+ },
+ {
+ "find": "__MANAGED_IDENTITY__",
+ "replaceWith": "$config(managedIdentity)"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh
new file mode 100644
index 0000000000..3416e2d39f
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh
@@ -0,0 +1,266 @@
+#!/bin/bash
+# Register azuremonitor-containers extension with Arc Registration API
+export HELM_EXPERIMENTAL_OCI=1
+
+REGISTER_REGIONS_CANARY='"'$(echo "$REGISTER_REGIONS_CANARY" | sed 's/,/","/g')'"'
+RELEASE_TRAINS_PREVIEW_PATH='"'$(echo "$RELEASE_TRAINS_PREVIEW_PATH" | sed 's/,/","/g')'"'
+RELEASE_TRAINS_STABLE_PATH='"'$(echo "$RELEASE_TRAINS_STABLE_PATH" | sed 's/,/","/g')'"'
+REGISTER_REGIONS_BATCH='"'$(echo "$REGISTER_REGIONS_BATCH" | sed 's/,/","/g')'"'
+IS_CUSTOMER_HIDDEN=$IS_CUSTOMER_HIDDEN
+CHART_VERSION=${CHART_VERSION}
+
+PACKAGE_CONFIG_NAME="${PACKAGE_CONFIG_NAME:-microsoft.azuremonitor.containers-pkg092025}"
+API_VERSION="${API_VERSION:-2021-05-01}"
+METHOD="${METHOD:-put}"
+REGISTRY_PATH_CANARY_STABLE="https://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"
+REGISTRY_PATH_PROD_STABLE="https://mcr.microsoft.com/azuremonitor/containerinsights/prod1/stable/azuremonitor-containers"
+
+if [ -z "$REGISTER_REGIONS_CANARY" ]; then
+ echo "-e error release region must be provided "
+ exit 1
+fi
+if [ -z "$IS_CUSTOMER_HIDDEN" ]; then
+ echo "-e error is_customer_hidden must be provided "
+ exit 1
+fi
+if [ -z "$CHART_VERSION" ]; then
+ echo "-e error chart version must be provided "
+ exit 1
+fi
+
+echo "Start arc extension release stage ${RELEASE_STAGE}, REGISTER_REGIONS is $REGISTER_REGIONS_CANARY, RELEASE_TRAINS are $RELEASE_TRAINS_PREVIEW_PATH, $RELEASE_TRAINS_STABLE_PATH, PACKAGE_CONFIG_NAME is $PACKAGE_CONFIG_NAME, API_VERSION is $API_VERSION, METHOD is $METHOD"
+
+case $RELEASE_STAGE in
+
+ CanaryPreview)
+if [ -z "$RELEASE_TRAINS_PREVIEW_PATH" ]; then
+ echo "-e error preview release train must be provided "
+ exit 1
+fi
+MCR_NAME_PATH="oci://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"
+echo "Pulling chart from MCR:${MCR_NAME_PATH}"
+helm pull ${MCR_NAME_PATH} --version ${CHART_VERSION}
+if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} completed successfully."
+else
+ echo "-e error Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+# Create JSON request body
+cat < "request.json"
+{
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_PREVIEW_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+sed -i '$ s/.$//' request.json
+cat <> "request.json"
+ ]
+}
+EOF
+ ;;
+
+ CanaryStable)
+if [ -z "$RELEASE_TRAINS_PREVIEW_PATH" ]; then
+ echo "-e error preview release train must be provided "
+ exit 1
+fi
+if [ -z "$RELEASE_TRAINS_STABLE_PATH" ]; then
+ echo "-e error stable release train must be provided "
+ exit 1
+fi
+MCR_NAME_PATH="oci://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"
+echo "Pulling chart from MCR:${MCR_NAME_PATH}"
+helm pull ${MCR_NAME_PATH} --version ${CHART_VERSION}
+if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} completed successfully."
+else
+ echo "-e error Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+# Create JSON request body
+cat < "request.json"
+{
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_PREVIEW_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+cat <> "request.json"
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_STABLE_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+sed -i '$ s/.$//' request.json
+cat <> "request.json"
+ ]
+}
+EOF
+ ;;
+
+ Stable)
+if [ -z "$RELEASE_TRAINS_PREVIEW_PATH" ]; then
+ echo "-e error preview release train must be provided "
+ exit 1
+fi
+if [ -z "$RELEASE_TRAINS_STABLE_PATH" ]; then
+ echo "-e error stable release train must be provided "
+ exit 1
+fi
+if [ -z "$REGISTER_REGIONS_BATCH" ]; then
+ echo "-e error stable release regions must be provided "
+ exit 1
+fi
+MCR_NAME_PATH="oci://mcr.microsoft.com/azuremonitor/containerinsights/prod1/stable/azuremonitor-containers"
+echo "Pulling chart from MCR:${MCR_NAME_PATH}"
+helm pull ${MCR_NAME_PATH} --version ${CHART_VERSION}
+if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} completed successfully."
+else
+ echo "-e error Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+# Create JSON request body
+cat < "request.json"
+{
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_PREVIEW_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+cat <> "request.json"
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_STABLE_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+cat <> "request.json"
+ {
+ "Regions": [
+ $REGISTER_REGIONS_BATCH
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_STABLE_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_PROD_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+sed -i '$ s/.$//' request.json
+cat <> "request.json"
+ ]
+}
+EOF
+ ;;
+
+ *)
+ echo -n "unknown release stage"
+ exit 1
+ ;;
+esac
+
+cat request.json | jq
+
+# Send Request
+SUBSCRIPTION=${ADMIN_SUBSCRIPTION_ID}
+RESOURCE_AUDIENCE=${RESOURCE_AUDIENCE}
+
+echo "Request parameter preparation, SUBSCRIPTION is $SUBSCRIPTION, RESOURCE_AUDIENCE is $RESOURCE_AUDIENCE, CHART_VERSION is $CHART_VERSION, SPN_CLIENT_ID is $SPN_CLIENT_ID, SPN_TENANT_ID is $SPN_TENANT_ID"
+
+echo "Login cli using Managed Identity"
+# Retries needed due to: https://stackoverflow.microsoft.com/questions/195032
+n=0
+signInExitCode=-1
+until [ "$n" -ge 5 ]
+do
+ az login --identity --allow-no-subscriptions && signInExitCode=0 && break
+ n=$((n+1))
+ sleep 15
+done
+
+if [ $signInExitCode -eq 0 ]; then
+ echo "Logged in successfully"
+else
+ echo "-e error failed to login to az with managed identity credentials"
+ exit 1
+fi
+
+ACCESS_TOKEN=$(az account get-access-token --resource $RESOURCE_AUDIENCE --query accessToken -o json)
+if [ $? -eq 0 ]; then
+ echo "get access token from resource:$RESOURCE_AUDIENCE successfully."
+else
+ echo "-e error get access token from resource:$RESOURCE_AUDIENCE failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+ACCESS_TOKEN=$(echo $ACCESS_TOKEN | tr -d '"' | tr -d '"\r\n')
+
+ARC_API_URL="https://eastus2euap.dp.kubernetesconfiguration.azure.com"
+EXTENSION_NAME="microsoft.azuremonitor.containers"
+
+echo "start send request"
+az rest --method $METHOD --headers "{\"Authorization\": \"Bearer $ACCESS_TOKEN\", \"Content-Type\": \"application/json\"}" --body @request.json --uri $ARC_API_URL/subscriptions/$SUBSCRIPTION/extensionTypeRegistrations/$EXTENSION_NAME/versions/$CHART_VERSION?api-version=$API_VERSION
+if [ $? -eq 0 ]; then
+ echo "arc extension registered successfully"
+else
+ echo "-e error failed to register arc extension"
+ exit 1
+fi
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json
new file mode 100644
index 0000000000..d5f4dad46b
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json
@@ -0,0 +1,6 @@
+{
+ "name": "Microsoft.ContainerInsights.Extension",
+ "description": "Container Insights Arc K8s Extension Release",
+ "ownerGroupContactEmail": "omscontainers@microsoft.com",
+ "contentVersion": "1.0.0.0"
+}
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json
new file mode 100644
index 0000000000..46ecef8b8d
--- /dev/null
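Review bot: The `-z` guards on `REGISTER_REGIONS_CANARY`, `RELEASE_TRAINS_PREVIEW_PATH`, `RELEASE_TRAINS_STABLE_PATH` and `REGISTER_REGIONS_BATCH` can never fire, because the four assignments at the top of arcExtensionRelease.sh have already wrapped each value in double quotes. An unset input therefore reaches the check as the two-character string `""` and is written into request.json as an empty region or release-train entry. Validate the raw values before the quoting lines, for example `: "${REGISTER_REGIONS_CANARY:?release region must be provided}"` ahead of the `sed` wrapping, and do the same for the per-stage checks. `IS_CUSTOMER_HIDDEN` and `CHART_VERSION` are expanded unquoted into the JSON body and the `az rest` URI, so I would also constrain them (`true`/`false`, and a version pattern) before use. The bearer token is fetched into `ACCESS_TOKEN` and passed on the `az rest` command line via `--headers`; `az rest --resource "$RESOURCE_AUDIENCE"` lets the CLI attach the token itself and keeps it out of the process arguments.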
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticServiceModel.json",
+ "contentVersion": "1.0.0.0",
+ "serviceMetadata": {
+ "serviceGroup": "Microsoft.ContainerInsights.Extension",
+ "serviceIdentifier": "3170cdd2-19f0-4027-912b-1027311691a2",
+ "tenantId": "$config(tenantId)",
+ "environment": "$config(environment)",
+ "displayName": "ContainerInsightsExtension",
+ "buildout": {
+ "isForAutomatedBuildout": "True"
+ },
+ "serviceSpecificationPath": "ServiceSpec.json",
+ "serviceGroupSpecificationPath": "ServiceGroupSpec.json"
+ },
+ "serviceResourceGroupDefinitions": [
+ {
+ "name": "SRG.ShellExtension",
+ "azureResourceGroupName": "$config(azureResourceGroup)",
+ "scopeTags": [
+ {
+ "name": "Stable"
+ }
+ ],
+ "subscriptionKey": "$config(subscriptionkey)",
+ "stamps": {
+ "count": "$config(stampCount)"
+ },
+ "serviceResourceDefinitions": [
+ {
+ "name": "ShellExtension",
+ "composedOf": {
+ "extension": {
+ "rolloutParametersPath": "Parameters\\RolloutParameter.json",
+ "shell": [
+ {
+ "type": "ShellExtensionType",
+ "properties": {
+ "imageName": "adm-ubuntu-2004-l",
+ "imageVersion": "v8"
+ }
+ }
+ ]
+ }
+ },
+ "scopeTags": []
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json
new file mode 100644
index 0000000000..e34bb5fcf5
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json
@@ -0,0 +1,8 @@
+{
+ "providerType": "ServiceTree",
+ "identifier": "3170cdd2-19f0-4027-912b-1027311691a2",
+ "description": "Container Insights Extension",
+ "ownerGroupContactEmail": "omscontainers@microsoft.com",
+ "policyCheckEnabled": true,
+ "contentVersion": "1.0.0.0"
+}
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt new file mode 100644 index 0000000000..53afb9e07d --- /dev/null +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt @@ -0,0 +1 @@ +1.0.0.1 diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index 25dc091e8f..e14e0dd251 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh @@ -62,7 +62,7 @@ pull_chart_from_source_mcr_to_push_to_dest_acr() { } # push to local release candidate chart to canary region -push_local_chart_to_canary_region() { +push_local_chart_to_acr() { destAcrFullPath=${1} if [ -z $destAcrFullPath ]; then echo "-e error dest acr path must be provided " @@ -70,7 +70,7 @@ push_local_chart_to_canary_region() { fi echo "generate chart package file" - export CHART_FILE=$(helm package charts/azuremonitor-containers/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') + export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') if [ $? -eq 0 ]; then echo "chart package file generated successfully." else 
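Review bot: The `if [ $? -eq 0 ]` that follows the changed `export CHART_FILE=$(helm package … | awk …)` line cannot detect a failed package step: `$?` there is the status of `export`, and even without `export` the pipeline reports awk's status rather than helm's. With the chart directory switched to `charts/azuremonitor-containerinsights/`, a wrong path would leave `CHART_FILE` empty and still print the success message. I would test the result instead, `if [ -n "$CHART_FILE" ] && [ -f "$CHART_FILE" ]; then`. The comment above the renamed function in the previous hunk still says "canary region" and should follow the rename; the function body continues outside both hunks.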
@@ -127,15 +127,14 @@ case $RELEASE_STAGE in Canary) echo "START: Release stage - Canary" destAcrFullPath=oci://${ACR_NAME}/public/${CANARY_REGION_REPO_PATH} - push_local_chart_to_canary_region $destAcrFullPath + push_local_chart_to_acr $destAcrFullPath echo "END: Release stage - Canary" ;; Pilot | Prod1) echo "START: Release stage - Pilot" - srcMcrFullPath=oci://${MCR_NAME}/${CANARY_REGION_REPO_PATH}/${CHART_NAME} destAcrFullPath=oci://${ACR_NAME}/public/${PILOT_REGION_REPO_PATH} - pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + push_local_chart_to_acr $destAcrFullPath echo "END: Release stage - Pilot" ;;
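Review bot: The `Pilot | Prod1` branch no longer promotes the chart that was published for canary; it now calls `push_local_chart_to_acr`, which repackages the local chart directory at each stage. The bits reaching Pilot/Prod1 are therefore a fresh `helm package` output rather than the artifact exercised in canary, and nothing in the hunk checks that the two match. If that is intended, a comment such as `# Pilot/Prod1 package from the same build artifacts as Canary; MCR promotion is no longer used` would record it. `pull_chart_from_source_mcr_to_push_to_dest_acr` and the `MCR_NAME`/`CHART_NAME` variables look unused now, but their definitions are outside this hunk, so confirm before removing them.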