From 9667ca2ea353fc011c991c20ec25bc694903a18e Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Tue, 31 Mar 2026 15:35:55 -0700 Subject: [PATCH 01/30] release pipeline sdp migration --- .pipelines/ci-aks-prod-release.yaml | 52 ++----- .../Configurations.Public.Prod.json | 26 ++++ .../ManagedSDPReleasePipeline.yml | 85 +++++++++++ .../Parameters/RolloutParameter.json | 132 ++++++++++++++++++ .../ServiceGroupRoot/RolloutSpec.json | 42 ++++++ .../ServiceGroupRoot/ScopeBindings.json | 39 ++++++ .../Scripts/pushAgentToAcr.sh | 98 +++++++++++++ .../ServiceGroupRoot/ServiceModel.json | 49 +++++++ .../ServiceGroupRoot/buildver.txt | 1 + 9 files changed, 481 insertions(+), 43 deletions(-) create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Scripts/pushAgentToAcr.sh create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml index 42c961bb91..0c17a6e8f0 100644 --- a/.pipelines/ci-aks-prod-release.yaml +++ b/.pipelines/ci-aks-prod-release.yaml 
@@ -268,8 +268,6 @@ extends: variables: - name: ev2Environment value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - name: OneESPT.JobType value: releaseJob readonly: true @@ -283,7 +281,7 @@ extends: value: windows readonly: true - name: OneESPT.Workflow - value: ev2-classic + value: ev2-managed-sdp readonly: true - name: runCodesignValidationInjection value: false 
@@ -428,53 +426,21 @@ extends: workingDirectory: $(Pipeline.Workspace)/ev2Artifact/windows-drop/windows failOnStderr: true - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy inputs: - UseServerMonitorTask: true EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + SkipRegistrationIfExists: True ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment/ServiceGroupRoot/RolloutSpecs/RolloutSpecs.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Global", "bindings": [ { "find": "__ACR_NAME__", "replaceWith": "$(ACRName)" }, { "find": "__AGENT_RELEASE__", "replaceWith": "$(AgentRelease)" }, { "find": "__AGENT_IMAGE_TAG_SUFFIX__", "replaceWith": "$(AgentImageTagSuffix)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(ManagedIdentity)" }, { "find": "__CDPX_LINUX_TAG__", "replaceWith": "$(CDPXLinuxTag)" }, { "find": "__CDPX_WINDOWS_TAG__", "replaceWith": "$(CDPXWindowsTag)" }, { "find": "__OVERRIDE_TAG__", "replaceWith": "$(OverrideTag)" } ] } ] }' + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) env: ServiceTreeGuid: 
3170cdd2-19f0-4027-912b-1027311691a2 target: container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) # ============================================================================= diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json new file mode 100644 index 0000000000..ce14591b0b --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json @@ -0,0 +1,26 @@ +{ + "Settings": { + "environment": "Prod", + "tenantid": "33e01921-4d64-4f8c-a055-5bdaffd5e33d" + }, + "Geographies": [ + { + "Name": "United States", + "Settings": {}, + "Regions": [ + { + "Name": "eastus2", + "Settings": { + "stampSettings": { + "stamp_1": {}, + "stamp_2": {} + }, + "stampCount": 2, + "azureResourceGroup": "ContainerInsights-MultiArch-Agent-Release", + "subscriptionkey": "ContainerInsights-30c56c3a-54da-46ea-b004-06eb33432687" + } + } + ] + } + ] +} \ No newline at end of file 
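Review bot: `SkipRegistrationIfExists: True` on the new `Ev2RARollout@2` step deserves a second look next to the `buildver.txt` this patch adds, which holds the fixed value `1.0.0.0`. If registration is keyed on that version (an assumption to confirm against the Ev2 documentation), a later release could skip registration and roll out artifacts registered by an earlier run instead of the ones just built. Either derive the version from the build, or put a comment above the input such as `# buildver.txt must change per release, otherwise registration is skipped`. The same hunk deletes the `Ev2_rollout_ev2_monitoring` job, so confirm that the new task itself fails the stage when a rollout fails.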
diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml new file mode 100644 index 0000000000..b8c85a760a --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml 
@@ -0,0 +1,85 @@ +trigger: none +resources: + pipelines: + - pipeline: build-artifacts + source: CDPX\docker-provider\ContainerInsights-MultiArch-MergedBranches + repositories: + - repository: templates + type: git + name: OneBranch.Pipelines/GovernedTemplates + ref: refs/heads/main +parameters: +- name: rolloutType + displayName: Rollout Type + type: string + default: normal + values: + - normal + - emergency + - globaloutage +- name: overrideManagedValidationDuration + displayName: Override standard SDP duration? + type: boolean + default: false + values: + - true + - false +- name: managedValidationOverrideDurationInHours + displayName: Managed validation override duration in hours + type: number + default: 0 + values: +- name: icmIncidentId + displayName: ICM Incident Id + type: number + default: 0 + values: +- name: ServiceRootPath + displayName: Service Root Path + type: string + default: $(Pipeline.Workspace)/build-artifacts/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot + values: +- name: RolloutSpecPath + displayName: Rollout Spec Path + type: string + default: $(Pipeline.Workspace)/build-artifacts/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + values: +- name: select + displayName: Select + type: string + default: regions(*) + values: +extends: + template: v2/OneBranch.Official.CrossPlat.yml@templates + parameters: + stages: + - stage: PROD_Prod_Managed_SDP + displayName: 'Production: Managed SDP' + dependsOn: [] + variables: + ob_release_environment: Production + jobs: + - job: PROD_Prod_Managed_SDP + displayName: PROD_Prod_Managed_SDP + pool: + type: release + condition: + dependsOn: + steps: + - download: build-artifacts + displayName: Ev2 Managed SDP Rollout + task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + SkipRegistrationIfExists: True + ServiceRootPath: 
${{parameters.ServiceRootPath}} + RolloutSpecPath: ${{parameters.RolloutSpecPath}} + StageMapName: Microsoft.Azure.SDP.Standard + Select: ${{parameters.select}} + ApprovalServiceEnvironment: Production + ev2ManagedSdpRolloutConfig: + rolloutType: ${{parameters.rolloutType}} + overrideManagedValidationDuration: ${{parameters.overrideManagedValidationDuration}} + managedValidationOverrideDurationInHours: ${{parameters.managedValidationOverrideDurationInHours}} + icmIncidentId: ${{parameters.icmIncidentId}} diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json new file mode 100644 index 0000000000..5af4623a6b --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json 
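Review bot: `ServiceRootPath` and `RolloutSpecPath` are free-form string parameters, so whoever queues this production pipeline can point the rollout at a spec other than the reviewed `ServiceGroupRoot/RolloutSpec.json`; unless that flexibility is needed, hard-code both in the task `inputs`. `rolloutType` accepts `emergency` and `globaloutage`, and `overrideManagedValidationDuration` can change the validation time, while `icmIncidentId` defaults to `0`; nothing in this file ties those overrides to a real incident number, so add a comment stating whether the Ev2 service enforces that. The step list also looks malformed: `download: build-artifacts`, `displayName` and `task:` appear under a single `-` item, and the bare `values:`, `condition:` and `dependsOn:` keys parse as null. The indentation is not visible in this view, so verify against the file.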
@@ -0,0 +1,132 @@ +{ + "$schema": "http://schema.express.azure.com/schemas/2022-01-01/RolloutParameters.json", + "contentVersion": "1.0.0.0", + "shellExtensions": [ + { + "name": "PushAgentToACR", + "type": "ShellExtensionType", + "properties": { + "maxExecutionTime": "PT1H", + "useFallBackLocations": false, + "skipDeleteAfterExecution": false + }, + "package": { + "reference": { + "path": "artifacts.tar.gz" + } + }, + "launch": { + "command": [ + "/bin/bash", + "pushAgentToAcr.sh" + ], + "environmentVariables": [ + { + "name": "ACR_NAME", + "value": "__ACR_NAME__" + }, + { + "name": "AGENT_RELEASE", + "value": "__AGENT_RELEASE__" + }, + { + "name": "AGENT_IMAGE_TAG_SUFFIX", + "value": "__AGENT_IMAGE_TAG_SUFFIX__" + }, + { + "name": "AGENT_IMAGE_FULL_PATH", + "value": "public/azuremonitor/containerinsights/__AGENT_RELEASE__:__AGENT_IMAGE_TAG_SUFFIX__" + }, + { + "name": "CDPX_TAG", + "value": "__CDPX_LINUX_TAG__" + }, + { + "name": "SOURCE_IMAGE_FULL_PATH", + "value": "mcr.microsoft.com/azuremonitor/containerinsights/cidev:__CDPX_LINUX_TAG__" + }, + { + "name": "OVERRIDE_TAG", + "value": "__OVERRIDE_TAG__" + } + ], + "identity": { + "type": "userAssigned", + "userAssignedIdentities": [ + "__MANAGED_IDENTITY__" + ] + } + } + }, + { + "name": "PushAgentToACR-1", + "type": "ShellExtensionType", + "properties": { + "maxExecutionTime": "PT1H", + "useFallBackLocations": false, + "skipDeleteAfterExecution": false + }, + "package": { + "reference": { + "path": "artifacts.tar.gz" + } + }, + "launch": { + "command": [ + "/bin/bash", + "pushAgentToAcr.sh" + ], + "environmentVariables": [ + { + "name": "ACR_NAME", + "value": "__ACR_NAME__" + }, + { + "name": "AGENT_RELEASE", + "value": "__AGENT_RELEASE__" + }, + { + "name": "AGENT_IMAGE_TAG_SUFFIX", + "value": "__AGENT_IMAGE_TAG_SUFFIX__" + }, + { + "name": "AGENT_IMAGE_FULL_PATH", + "value": "public/azuremonitor/containerinsights/__AGENT_RELEASE__:win-__AGENT_IMAGE_TAG_SUFFIX__" + }, + { + "name": "CDPX_TAG", + "value": 
"__CDPX_WINDOWS_TAG__" + }, + { + "name": "SOURCE_IMAGE_FULL_PATH", + "value": "mcr.microsoft.com/azuremonitor/containerinsights/cidev:__CDPX_WINDOWS_TAG__" + }, + { + "name": "OVERRIDE_TAG", + "value": "__OVERRIDE_TAG__" + } + ], + "identity": { + "type": "userAssigned", + "userAssignedIdentities": [ + "__MANAGED_IDENTITY__" + ] + } + } + } + ], + "wait": [ + { + "name": "waitSdpBakeTime", + "properties": { + "duration": "PT24H" + } + }, + { + "name": "waitSdpBakeTime-1", + "properties": { + "duration": "PT24H" + } + } + ] +} \ No newline at end of file diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json new file mode 100644 index 0000000000..24eba45c62 --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json @@ -0,0 +1,42 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticRolloutSpecification.json", + "contentVersion": "1.0.0.0", + "rolloutMetadata": { + "serviceModelPath": "ServiceModel.json", + "scopeBindingsPath": "ScopeBindings.json", + "name": "ContainerInsightsAgent", + "configuration": { + "serviceGroupScope": { + "specPath": "Configurations.Public.Prod.json" + } + }, + "rolloutType": "Major", + "buildSource": { + "parameters": { + "versionFile": "buildver.txt" + } + }, + "notification": { + "email": { + "to": "omscontainers@microsoft.com", + "options": { + "when": [ + "onError" + ] + } + } + } + }, + "orchestratedSteps": [ + { + "name": "Rollout.PushinAgent", + "targetType": "ServiceResourceDefinition", + "targetName": "ShellExtension", + "actions": [ + "shell/PushAgentToACR", + "shell/PushAgentToACR-1" + ], + "dependsOn": [] + } + ] +} \ No newline at end of file 
diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json
new file mode 100644
index 0000000000..d38e3cf0fe
--- /dev/null
+++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json
@@ -0,0 +1,39 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json",
+ "contentVersion": "0.0.0.1",
+ "scopeBindings": [
+ {
+ "scopeTagName": "Global",
+ "bindings": [
+ {
+ "find": "__ACR_NAME__",
+ "replaceWith": "$(ACRName)"
+ },
+ {
+ "find": "__AGENT_RELEASE__",
+ "replaceWith": "$(AgentRelease)"
+ },
+ {
+ "find": "__AGENT_IMAGE_TAG_SUFFIX__",
+ "replaceWith": "$(AgentImageTagSuffix)"
+ },
+ {
+ "find": "__MANAGED_IDENTITY__",
+ "replaceWith": "$(ManagedIdentity)"
+ },
+ {
+ "find": "__CDPX_LINUX_TAG__",
+ "replaceWith": "$(CDPXLinuxTag)"
+ },
+ {
+ "find": "__CDPX_WINDOWS_TAG__",
+ "replaceWith": "$(CDPXWindowsTag)"
+ },
+ {
+ "find": "__OVERRIDE_TAG__",
+ "replaceWith": "$(OverrideTag)"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Scripts/pushAgentToAcr.sh b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Scripts/pushAgentToAcr.sh
new file mode 100644
index 0000000000..78047f55fe
--- /dev/null
+++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Scripts/pushAgentToAcr.sh
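Review bot: The `replaceWith` values in this file (`$(ACRName)`, `$(ManagedIdentity)`, `$(OverrideTag)` and the rest) use Azure Pipelines macro syntax, which the agent expanded while this JSON was the `InlineDynamicBindingOverrides` task input that the same patch removes from `ci-aks-prod-release.yaml`. As a file inside the build artifact it is presumably no longer expanded by the pipeline, so the shell extension could receive the literal text `$(ACRName)`. The `-z` checks in `pushAgentToAcr.sh` would not catch that, because an unresolved placeholder is a non-empty string. Confirm how these variables are supplied under `Ev2RARollout@2`, and have the script reject any value that still contains `__` or `$(`.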
@@ -0,0 +1,98 @@
+#!/bin/bash
+set -e
+
+# Note - This script used in the pipeline as inline script
+
+if [ -z $AGENT_IMAGE_TAG_SUFFIX ]; then
+ echo "-e error value of AGENT_IMAGE_TAG_SUFFIX variable shouldnt be empty. check release variables"
+ exit 1
+fi
+
+if [ -z $AGENT_RELEASE ]; then
+ echo "-e error AGENT_RELEASE shouldnt be empty. check release variables"
+ exit 1
+fi
+
+#Make sure that tag being pushed will not overwrite an existing tag in mcr
+MCR_TAG_RESULT="`wget -qO- https://mcr.microsoft.com/v2/azuremonitor/containerinsights/ciprod/tags/list`"
+if [ $? -ne 0 ]; then
+ echo "-e error unable to get list of mcr tags for azuremonitor/containerinsights/ciprod repository"
+ exit 1
+fi
+
+TAG_EXISTS_STATUS=0 #Default value for the condition when the echo fails below
+
+if [[ "$AGENT_IMAGE_FULL_PATH" == *"win-"* ]]; then
+ echo "checking windows tags"
+ echo $MCR_TAG_RESULT | jq '.tags' | grep -q \"win-"$AGENT_IMAGE_TAG_SUFFIX"\" || TAG_EXISTS_STATUS=$?
+else
+ echo "checking linux tags"
+ echo $MCR_TAG_RESULT | jq '.tags' | grep -q \""$AGENT_IMAGE_TAG_SUFFIX"\" || TAG_EXISTS_STATUS=$?
+fi
+
+echo "TAG_EXISTS_STATUS = $TAG_EXISTS_STATUS; OVERRIDE_TAG = $OVERRIDE_TAG"
+
+if [[ "$OVERRIDE_TAG" == "true" ]]; then
+ echo "OverrideTag set to true. Will override ${AGENT_IMAGE_TAG_SUFFIX} image"
+elif [ "$TAG_EXISTS_STATUS" -eq 0 ]; then
+ echo "-e error ${AGENT_IMAGE_TAG_SUFFIX} already exists in mcr. make sure the image tag is unique"
+ exit 1
+fi
+
+if [ -z $AGENT_IMAGE_FULL_PATH ]; then
+ echo "-e error AGENT_IMAGE_FULL_PATH shouldnt be empty. check release variables"
+ exit 1
+fi
+
+if [ -z $CDPX_TAG ]; then
+ echo "-e error value of CDPX_TAG shouldn't be empty. check release variables"
+ exit 1
+fi
+
+if [ -z $ACR_NAME ]; then
+ echo "-e error value of ACR_NAME shouldn't be empty. check release variables"
+ exit 1
+fi
+
+if [ -z $SOURCE_IMAGE_FULL_PATH ]; then
+ echo "-e error value of SOURCE_IMAGE_FULL_PATH shouldn't be empty. check release variables"
+ exit 1
+fi
+
+
+#Login to az cli and authenticate to acr
+echo "Login cli using managed identity"
+az login --identity
+if [ $? -eq 0 ]; then
+ echo "az logged in successfully"
+else
+ echo "-e error failed to login to az with managed identity credentials"
+ exit 1
+fi
+
+TOKEN=$(az acr login --name $ACR_NAME --expose-token --output tsv --query accessToken)
+if [ $? -eq 0 ]; then
+ echo "az acr logged in successfully with token"
+else
+ echo "-e error failed to login to az acr with managed identity credentials for containerinsights"
+ exit 1
+fi
+
+if [ "$OVERRIDE_TAG" == "true" ] || [ "$TAG_EXISTS_STATUS" -ne 0 ]; then
+ echo $TOKEN | oras login --password-stdin $ACR_NAME
+ if [ $? -eq 0 ]; then
+ echo "oras logged in successfully"
+ else
+ echo "-e error failed to login to oras with managed identity credentials for containerinsights"
+ exit 1
+ fi
+
+ echo "Copying ${SOURCE_IMAGE_FULL_PATH} to ${ACR_NAME}/${AGENT_IMAGE_FULL_PATH}"
+ oras copy -r $SOURCE_IMAGE_FULL_PATH $ACR_NAME/$AGENT_IMAGE_FULL_PATH
+ if [ $? -eq 0 ]; then
+ echo "Retagged and pushed image and artifact successfully"
+ else
+ echo "-e error failed to retag and push image to destination ACR"
+ exit 1
+ fi
+fi
diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json
new file mode 100644
index 0000000000..787bbce66f
--- /dev/null
+++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json
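Review bot: The tag-uniqueness guard in `pushAgentToAcr.sh` fails open: without `pipefail`, a `jq` failure on an unexpected response leaves `grep -q` with empty input, `TAG_EXISTS_STATUS` becomes 1, and the script goes on to `oras copy` over a tag that may already exist. The match is also a regular expression, so dots in `AGENT_IMAGE_TAG_SUFFIX` match any character, and the list is always read from the `ciprod` repository whatever `AGENT_RELEASE` is. Under `set -e` the error branches of `if [ $? -ne 0 ]` after `wget`, `az login` and `az acr login` cannot run, and the unquoted `[ -z $VAR ]` tests should quote their operand. The fence below shows an exact-match check that treats a parse error as a hard failure.

```shell
set -eo pipefail
# … unchanged: AGENT_IMAGE_TAG_SUFFIX / AGENT_RELEASE checks and the wget of the tag list …
if [[ "$AGENT_IMAGE_FULL_PATH" == *"win-"* ]]; then
  WANTED_TAG="win-${AGENT_IMAGE_TAG_SUFFIX}"
else
  WANTED_TAG="${AGENT_IMAGE_TAG_SUFFIX}"
fi
TAG_EXISTS_STATUS=0
# jq -e exits 0 when the tag is listed, 1 when it is not, and >1 when the response cannot be parsed
printf '%s' "$MCR_TAG_RESULT" | jq -e --arg t "$WANTED_TAG" 'any(.tags[]; . == $t)' >/dev/null || TAG_EXISTS_STATUS=$?
if [ "$TAG_EXISTS_STATUS" -gt 1 ]; then
  echo "-e error unable to parse mcr tag list"
  exit 1
fi
# … unchanged: OVERRIDE_TAG handling, remaining variable checks, az / oras login and copy …
```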
@@ -0,0 +1,49 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticServiceModel.json", + "contentVersion": "1.0.0.0", + "serviceMetadata": { + "serviceGroup": "ContainerInsightsAgent", + "serviceIdentifier": "3170cdd2-19f0-4027-912b-1027311691a2", + "tenantId": "$config(tenantid)", + "environment": "$config(environment)", + "displayName": "ContainerInsightsAgent", + "buildout": { + "isForAutomatedBuildout": "True" + } + }, + "serviceResourceGroupDefinitions": [ + { + "name": "SRG.ShellExtension", + "azureResourceGroupName": "$config(azureResourceGroup)", + "scopeTags": [ + { + "name": "Global" + } + ], + "subscriptionKey": "$config(subscriptionkey)", + "stamps": { + "count": "$config(stampCount)" + }, + "serviceResourceDefinitions": [ + { + "name": "ShellExtension", + "composedOf": { + "extension": { + "rolloutParametersPath": "Parameters\\RolloutParameter.json", + "shell": [ + { + "type": "ShellExtensionType", + "properties": { + "imageName": "adm-ubuntu-2004-l", + "imageVersion": "v4" + } + } + ] + } + }, + "scopeTags": [] + } + ] + } + ] +} \ No newline at end of file diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt new file mode 100644 index 0000000000..bd2666abb3 --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt @@ -0,0 +1 @@ +1.0.0.0 \ No newline at end of file From 7ac6b4ac1bbe5c16e5b94cbd6ade7a0af30781e1 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Tue, 31 Mar 2026 15:41:33 -0700 Subject: [PATCH 02/30] release pipeline sdp migration --- .pipelines/azure_pipeline_mergedbranches.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml index 2e8d3cf518..ad7a531b29 100644 
--- a/.pipelines/azure_pipeline_mergedbranches.yaml +++ b/.pipelines/azure_pipeline_mergedbranches.yaml @@ -87,7 +87,7 @@ extends: echo "authAKVName is $AUTH_AKV_NAME" echo "authCertName is $AUTH_CERT_NAME" echo "authSignCertName is $AUTH_SIGN_CERT_NAME" - cd $(Build.SourcesDirectory)/deployment/mergebranch-multiarch-agent-deployment/ServiceGroupRoot/Scripts + cd $(Build.SourcesDirectory)/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ pushChartToAcr.sh From 395918609547a189ac21aabca9dc807a30bd0853 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Wed, 1 Apr 2026 13:21:08 -0700 Subject: [PATCH 03/30] update trivy ignore --- .trivyignore | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index e4ff696d3b..d557e8926b 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,2 +1,23 @@ # to merge trivy scan PR, temporarily ignore CVE-2026-24051 until a fix is available -CVE-2026-24051 \ No newline at end of file +CVE-2026-24051 + +# nats-server: Identity spoofing via Nats-Request-Info header +CVE-2026-33223 + +# nats-server: Client identity spoofing via Nats-Request-Info header manipulation +CVE-2026-33246 + +# nats-server: Authentication bypass due to incorrect Subject DN matching +CVE-2026-33248 + +# nats-server: Unauthorized trace message redirection via message tracing headers +CVE-2026-33249 + +# google.golang.org/grpc: Authorization bypass due to improper HTTP/2 path validation +CVE-2026-33186 + +# stdlib: Incorrect parsing of IPv6 host literals in net/url +CVE-2026-25679 + +# stdlib: html/template URLs in meta content attribute actions issue +CVE-2026-27142 \ No newline at end of file 
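Review bot: The entries added to `.trivyignore` suppress authentication- and authorization-bypass findings (for example `CVE-2026-33248` and `CVE-2026-33186`, per the patch's own comments) with no expiry and no statement of why the shipped image is unaffected. Trivy accepts an expiry on each line, e.g. `CVE-2026-33248 exp:<YYYY-MM-DD>` (placeholder date), so the suppression lapses and the finding resurfaces if the dependency has not been updated by then. The same applies to the entries added in patches 04/30 and 10/30. A comment naming the component that bundles `nats-server`, and whether the vulnerable feature is enabled, would let a reviewer judge each entry.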
From 370355ce24b07e5dc8ed9fafba134600563159f0 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Wed, 1 Apr 2026 14:10:34 -0700 Subject: [PATCH 04/30] update trivy ignore --- .trivyignore | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index d557e8926b..b02534c288 100644 --- a/.trivyignore +++ b/.trivyignore @@ -20,4 +20,40 @@ CVE-2026-33186 CVE-2026-25679 # stdlib: html/template URLs in meta content attribute actions issue -CVE-2026-27142 \ No newline at end of file +CVE-2026-27142 + +# github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath +CVE-2026-32287 + +# Moby: AuthZ plugin bypass when provided oversized request bodies +CVE-2026-34040 + +# Moby: Privilege validation bypass during plugin installation +CVE-2026-33997 + +# nats-server: Denial of Service via malformed WebSockets frame +CVE-2026-27889 + +# nats-server: Denial of Service via leafnode compression +CVE-2026-29785 + +# nats-server: Information disclosure of MQTT passwords through monitoring endpoints +CVE-2026-33216 + +# nats-server: Access control bypass via unapplied ACLs in MQTT namespace +CVE-2026-33217 + +# nats-server: Denial of Service via malformed message pre-authentication on leafnode +CVE-2026-33218 + +# nats-server: Information disclosure of credentials via monitoring port and command-line arguments +CVE-2026-33247 + +# nats-server: Session and message hijacking via MQTT Client ID malfeasance +CVE-2026-33215 + +# nats-server: Denial of Service via unbounded memory use in WebSockets +CVE-2026-33219 + +# nats-server: Unauthorized data modification via JetStream stream restore +CVE-2026-33222 \ No newline at end of file From a82aaada308f7c56b52acac5ca3652f37c4b1d9e Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 2 Apr 2026 11:42:17 -0700 Subject: [PATCH 05/30] address win build --- kubernetes/windows/Dockerfile | 1 + 1 file changed, 1 insertion(+) 
diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile index 1e192e58a0..5605198fac 100644 --- a/kubernetes/windows/Dockerfile +++ b/kubernetes/windows/Dockerfile @@ -23,6 +23,7 @@ RUN powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ( RUN choco install -y ruby --version 3.1.1.1 --params "'/InstallDir:C:\ruby31'" \ && choco install -y msys2 --version 20240113.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby31\msys64'" RUN refreshenv \ +&& C:\ruby31\msys64\usr\bin\bash.exe -lc "pacman -Syu --noconfirm" \ && ridk install 3 \ && echo gem: --no-document >> C:\ProgramData\gemrc \ # Install fluentd and its dependencies From 1563a83dd2eeba68bbbf7d66a2b00282ac8a01fe Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 2 Apr 2026 13:56:02 -0700 Subject: [PATCH 06/30] address win build --- kubernetes/windows/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile index 5605198fac..f9fafcdbb5 100644 --- a/kubernetes/windows/Dockerfile +++ b/kubernetes/windows/Dockerfile @@ -22,6 +22,8 @@ RUN powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ( # so need to review the installed version of rexml, and uninstall it. RUN choco install -y ruby --version 3.1.1.1 --params "'/InstallDir:C:\ruby31'" \ && choco install -y msys2 --version 20240113.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby31\msys64'" +# gem extensions compiled against Ruby 3.1 headers. Suppress it during builds. +ENV CFLAGS=-Wno-incompatible-pointer-types RUN refreshenv \ && C:\ruby31\msys64\usr\bin\bash.exe -lc "pacman -Syu --noconfirm" \ && ridk install 3 \ From 7ad7b1b1fa5a4312a6c4c811cae2e71c60c0333a Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 2 Apr 2026 14:44:21 -0700 Subject: [PATCH 07/30] address win build --- kubernetes/windows/Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile index f9fafcdbb5..368fe86615 100644 --- a/kubernetes/windows/Dockerfile +++ b/kubernetes/windows/Dockerfile @@ -22,14 +22,13 @@ RUN powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ( # so need to review the installed version of rexml, and uninstall it. RUN choco install -y ruby --version 3.1.1.1 --params "'/InstallDir:C:\ruby31'" \ && choco install -y msys2 --version 20240113.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby31\msys64'" -# gem extensions compiled against Ruby 3.1 headers. Suppress it during builds. -ENV CFLAGS=-Wno-incompatible-pointer-types RUN refreshenv \ && C:\ruby31\msys64\usr\bin\bash.exe -lc "pacman -Syu --noconfirm" \ && ridk install 3 \ && echo gem: --no-document >> C:\ProgramData\gemrc \ # Install fluentd and its dependencies -&& gem install oj -v 3.16.1 \ +# --with-cflags suppresses GCC 14 -Wincompatible-pointer-types error against Ruby 3.1 headers +&& gem install oj -v 3.16.1 -- --with-cflags=-Wno-incompatible-pointer-types \ && gem install fluentd -v 1.16.3 \ && gem install win32-service -v 2.3.2 \ && gem install win32-ipc -v 0.7.0 \ From 63b674dfef82c313d4e00b0524deeeaa50807615 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 2 Apr 2026 16:15:57 -0700 Subject: [PATCH 08/30] update --- kubernetes/windows/Dockerfile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile index 368fe86615..784ee83fdd 100644 --- a/kubernetes/windows/Dockerfile +++ b/kubernetes/windows/Dockerfile 
@@ -23,12 +23,10 @@ RUN powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ( RUN choco install -y ruby --version 3.1.1.1 --params "'/InstallDir:C:\ruby31'" \ && choco install -y msys2 --version 20240113.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby31\msys64'" RUN refreshenv \ -&& C:\ruby31\msys64\usr\bin\bash.exe -lc "pacman -Syu --noconfirm" \ && ridk install 3 \ && echo gem: --no-document >> C:\ProgramData\gemrc \ # Install fluentd and its dependencies -# --with-cflags suppresses GCC 14 -Wincompatible-pointer-types error against Ruby 3.1 headers -&& gem install oj -v 3.16.1 -- --with-cflags=-Wno-incompatible-pointer-types \ +&& gem install oj -v 3.16.1 \ && gem install fluentd -v 1.16.3 \ && gem install win32-service -v 2.3.2 \ && gem install win32-ipc -v 0.7.0 \ @@ -124,4 +122,4 @@ Remove-Item -Recurse -Force 'C:\ruby31\lib\ruby\3.1.0\rdoc\generator\template\js Remove-Item -Recurse -Force 'C:\ruby31\lib\ruby\3.1.0\rdoc\generator\template\darkfish\js'; \ Remove-Item -Force 'C:\ruby31\bin\ridk.ps1'" -ENTRYPOINT ["powershell", "C:\\opt\\amalogswindows\\scripts\\powershell\\main.ps1"] +ENTRYPOINT ["powershell", "C:\\opt\\amalogswindows\\scripts\\powershell\\main.ps1"] \ No newline at end of file From 51f663ff5fee1fdb9c68b83260c19af191ef329a Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Tue, 7 Apr 2026 12:02:55 -0700 Subject: [PATCH 09/30] update service Group name per guide --- .../ServiceGroupRoot/RolloutSpec.json | 2 +- .../ServiceGroupRoot/ServiceModel.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json index 24eba45c62..46feb4dd50 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json 
+++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json @@ -4,7 +4,7 @@ "rolloutMetadata": { "serviceModelPath": "ServiceModel.json", "scopeBindingsPath": "ScopeBindings.json", - "name": "ContainerInsightsAgent", + "name": "Microsoft.ContainerInsights.Agent", "configuration": { "serviceGroupScope": { "specPath": "Configurations.Public.Prod.json" diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json index 787bbce66f..2a74086308 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json @@ -2,7 +2,7 @@ "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticServiceModel.json", "contentVersion": "1.0.0.0", "serviceMetadata": { - "serviceGroup": "ContainerInsightsAgent", + "serviceGroup": "Microsoft.ContainerInsights.Agent", "serviceIdentifier": "3170cdd2-19f0-4027-912b-1027311691a2", "tenantId": "$config(tenantid)", "environment": "$config(environment)", From 7fd94950fb993f17a788e2bc8c844cf286d33cf5 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Tue, 7 Apr 2026 14:00:21 -0700 Subject: [PATCH 10/30] update trivy --- .trivyignore | 43 +++---------------------------------------- 1 file changed, 3 insertions(+), 40 deletions(-) diff --git a/.trivyignore b/.trivyignore index b02534c288..066c5c1378 100644 --- a/.trivyignore +++ b/.trivyignore 
@@ -1,59 +1,22 @@ -# to merge trivy scan PR, temporarily ignore CVE-2026-24051 until a fix is available +# Telegraf CVE-2026-24051 - -# nats-server: Identity spoofing via Nats-Request-Info header CVE-2026-33223 - -# nats-server: Client identity spoofing via Nats-Request-Info header manipulation CVE-2026-33246 - -# nats-server: Authentication bypass due to incorrect Subject DN matching CVE-2026-33248 - -# nats-server: Unauthorized trace message redirection via message tracing headers CVE-2026-33249 - -# google.golang.org/grpc: Authorization bypass due to improper HTTP/2 path validation CVE-2026-33186 - -# stdlib: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 - -# stdlib: html/template URLs in meta content attribute actions issue CVE-2026-27142 - -# github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath CVE-2026-32287 - -# Moby: AuthZ plugin bypass when provided oversized request bodies CVE-2026-34040 - -# Moby: Privilege validation bypass during plugin installation CVE-2026-33997 - -# nats-server: Denial of Service via malformed WebSockets frame CVE-2026-27889 - -# nats-server: Denial of Service via leafnode compression CVE-2026-29785 - -# nats-server: Information disclosure of MQTT passwords through monitoring endpoints CVE-2026-33216 - -# nats-server: Access control bypass via unapplied ACLs in MQTT namespace CVE-2026-33217 - -# nats-server: Denial of Service via malformed message pre-authentication on leafnode CVE-2026-33218 - -# nats-server: Information disclosure of credentials via monitoring port and command-line arguments CVE-2026-33247 - -# nats-server: Session and message hijacking via MQTT Client ID malfeasance CVE-2026-33215 - -# nats-server: Denial of Service via unbounded memory use in WebSockets CVE-2026-33219 - -# nats-server: Unauthorized data modification via JetStream stream restore -CVE-2026-33222 \ No newline at end of file +CVE-2026-33222 +CVE-2026-34986 \ No newline at end of file 
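Review bot: The new ignore list keeps twenty-one CVE ids under the single heading `# Telegraf` and drops the per-entry comments that named the affected component and issue (nats-server authentication bypass, grpc authorization bypass, Moby AuthZ plugin bypass and others), so a later reader cannot tell why each finding was accepted or when it can be removed. `CVE-2026-34986` is added with no reason at all. I would keep one comment line per entry, `# <component>: <why it is accepted, tracking link>`, and give each entry an expiry so the suppression is re-evaluated, e.g. `CVE-2026-34986 exp:YYYY-MM-DD` (component, reason and date are placeholders to fill in).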
From ce485330c2cc985dd2679418eed4fc91d1d609ff Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 9 Apr 2026 15:03:23 -0700 Subject: [PATCH 11/30] update pipeline address non-bocking issue --- .pipelines/ci-aks-prod-release.yaml | 274 +++------------------------- 1 file changed, 22 insertions(+), 252 deletions(-) diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml index 0c17a6e8f0..9bc04c2361 100644 --- a/.pipelines/ci-aks-prod-release.yaml +++ b/.pipelines/ci-aks-prod-release.yaml @@ -74,6 +74,7 @@ extends: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 os: windows + serviceTreeId: $(ServiceTreeGuid) customBuildTags: - ES365AIMigrationTooling stages: 
@@ -187,260 +188,29 @@ extends: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 os: windows + templateContext: + cloud: Public + isProduction: true + approval: + workflow: approvalService jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - 
servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-managed-sdp - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-aks-prod-release.projectID) - definition: 
$(resources.pipeline._ci-aks-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-aks-prod-release.runID) + - job: ev2_rollout + displayName: Ev2 Managed SDP - Deploy + templateContext: + type: releaseJob + isProduction: true + workflow: ev2-ra + inputs: + - input: pipelineArtifact pipeline: _ci-aks-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: 
$(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: Bash@3 - displayName: Set CDPX Linux Tag - inputs: - targetType: inline - script: | - # Write your commands here - - LINUX_TAG=$(jq '."image.name"' metadata.json | tr -d '"' | cut -d':' -f2) - echo $LINUX_TAG - - set +x - echo "##vso[task.setvariable variable=CDPXLinuxTag;]$LINUX_TAG" - set -x - workingDirectory: $(Pipeline.Workspace)/ev2Artifact/linux-drop/linux - failOnStderr: true - - task: Bash@3 - displayName: Set CDPX Windows Tag - inputs: - targetType: inline - script: |+ - # Write your commands here - - WINDOWS_TAG=$(jq '."image.name"' metadata.json | tr -d '"' | cut -d':' -f2) - echo $WINDOWS_TAG - - set +x - echo "##vso[task.setvariable variable=CDPXWindowsTag;]$WINDOWS_TAG" - set -x - - workingDirectory: $(Pipeline.Workspace)/ev2Artifact/windows-drop/windows - failOnStderr: true - - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 - displayName: Ev2 Managed SDP - Deploy - inputs: - EndpointProviderType: ApprovalService - TaskAction: RegisterAndRollout - SkipRegistrationIfExists: True - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootPath: 
$(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json - StageMapName: Microsoft.Azure.SDP.Standard - Select: regions(*) - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host + artifactName: drop + ev2: + rolloutInfra: Prod + serviceRootPath: build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot + rolloutSpecPath: RolloutSpec.json + skipRegistrationIfExists: true + stageMapName: Microsoft.Azure.SDP.Standard + select: regions(*) # ============================================================================= From fb21269aa6ae036f9af12e65a4845a792826d779 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 9 Apr 2026 15:31:37 -0700 Subject: [PATCH 12/30] update --- .pipelines/ci-aks-prod-release.yaml | 274 +++++++++++++++++++++++++--- 1 file changed, 252 insertions(+), 22 deletions(-) diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml index 9bc04c2361..0c17a6e8f0 100644 --- a/.pipelines/ci-aks-prod-release.yaml +++ b/.pipelines/ci-aks-prod-release.yaml @@ -74,7 +74,6 @@ extends: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 os: windows - serviceTreeId: $(ServiceTreeGuid) customBuildTags: - ES365AIMigrationTooling stages: 
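Review bot: The new `ev2_rollout` job no longer sets `CDPXLinuxTag` or `CDPXWindowsTag`: the two Bash steps that read them from `metadata.json` are removed and the `templateContext` block has no replacement, while ScopeBindings.json at this point in the series still binds `__CDPX_LINUX_TAG__` and `__CDPX_WINDOWS_TAG__` to `$(CDPXLinuxTag)` and `$(CDPXWindowsTag)`. As written, the rollout would presumably receive unexpanded or empty tags. The hunk also deletes the explicit SBoM signature validation, source-build validation and CodeSign steps. If the release template injects those checks, that should be confirmed and then recorded next to `type: releaseJob`, e.g. `# SBoM, source-build and CodeSign validation are injected by the 1ES release template`.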
@@ -188,29 +187,260 @@ extends: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 os: windows - templateContext: - cloud: Public - isProduction: true - approval: - workflow: approvalService jobs: - - job: ev2_rollout - displayName: Ev2 Managed SDP - Deploy - templateContext: - type: releaseJob - isProduction: true - workflow: ev2-ra - inputs: - - input: pipelineArtifact + - job: releaseGating + displayName: Release Gating + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + steps: + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + - task: 1ESGPTRunTask@3.0.376 + displayName: Branch Validation (1ES PT) + continueOnError: true + target: + container: host + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + BUILD_SOURCEBRANCH: $(Build.SourceBranch) + BUILD_REPOSITORY_NAME: $(Build.Repository.Name) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) + BUILD_SOURCEVERSION: $(Build.SourceVersion) + TASK_MODE: audit + inputs: + repoId: microsoft/Docker-Provider + path: release_gating.py + - job: approval + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: 
Approval + pool: + name: server + timeoutInMinutes: 7200 + dependsOn: + - releaseGating + steps: + - task: ApprovalTask@1 + inputs: + environment: $(ev2Environment) + servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 + - job: Ev2_rollout_ev2_rollout + displayName: Agent job - Ev2 Ev2 Rollout + timeoutInMinutes: '0' + condition: succeeded() + dependsOn: + - approval + variables: + - name: ev2Environment + value: Production + - name: OneESPT.JobType + value: releaseJob + readonly: true + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-managed-sdp + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + - name: OneES_targetName + value: host + steps: + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Hosted Pool Information (1ES PT) + continueOnError: false + target: + container: host + env: + HOST_ARCHITECTURE: amd64 + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_DEFINITIONID: $(System.DefinitionId) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] + PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] + BUILD_REASON: $(Build.Reason) + inputs: + repoId: microsoft/Docker-Provider + path: validateHostedPool.ps1 + arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline + - task: DownloadPipelineArtifact@2 + displayName: ⏬ 
Pipeline Artifact Download + inputs: + buildType: specific + project: $(resources.pipeline._ci-aks-prod-release.projectID) + definition: $(resources.pipeline._ci-aks-prod-release.pipelineID) + allowFailedBuilds: false + buildVersionToDownload: specific + pipelineId: $(resources.pipeline._ci-aks-prod-release.runID) pipeline: _ci-aks-prod-release - artifactName: drop - ev2: - rolloutInfra: Prod - serviceRootPath: build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot - rolloutSpecPath: RolloutSpec.json - skipRegistrationIfExists: true - stageMapName: Microsoft.Azure.SDP.Standard - select: regions(*) + targetPath: $(Pipeline.Workspace)/ev2Artifact + target: + container: host + - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 + displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" + condition: succeeded() + continueOnError: False + timeoutInMinutes: 30 + env: + SBOMVALIDATOR_TEMPIGNOREMISSING: true + inputs: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + ValidateSignature: True + Verbosity: 'Verbose' + - task: 1ESGPTRunTask@3.0.376 + displayName: Post-SBoM Validation (1ES PT) + continueOnError: true + target: + container: host + condition: succeeded() + env: + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + inputs: + repoId: microsoft/Docker-Provider + path: post_sbom_validation.py + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Source Build (1ES PT) + continueOnError: false + target: + container: host + env: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + IsProduction: True + OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) + inputs: + repoId: microsoft/Docker-Provider + path: validate_source_build.py + - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: CodeSign Validation" + target: + 
container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: Bash@3 + displayName: Set CDPX Linux Tag + inputs: + targetType: inline + script: | + # Write your commands here + + LINUX_TAG=$(jq '."image.name"' metadata.json | tr -d '"' | cut -d':' -f2) + echo $LINUX_TAG + + set +x + echo "##vso[task.setvariable variable=CDPXLinuxTag;]$LINUX_TAG" + set -x + workingDirectory: $(Pipeline.Workspace)/ev2Artifact/linux-drop/linux + failOnStderr: true + - task: Bash@3 + displayName: Set CDPX Windows Tag + inputs: + targetType: inline + script: |+ + # Write your commands here + + WINDOWS_TAG=$(jq '."image.name"' metadata.json | tr -d '"' | cut -d':' -f2) + echo $WINDOWS_TAG + + set +x + echo "##vso[task.setvariable variable=CDPXWindowsTag;]$WINDOWS_TAG" + set -x + + workingDirectory: $(Pipeline.Workspace)/ev2Artifact/windows-drop/windows + failOnStderr: true + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + 
EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + SkipRegistrationIfExists: True + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 + target: + container: host # ============================================================================= From 0307a4ac3aadcbf0375e8dc9dd9b8ff095e88dff Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 9 Apr 2026 15:40:18 -0700 Subject: [PATCH 13/30] update --- .pipelines/ci-aks-prod-release.yaml | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml index 0c17a6e8f0..91c57a1df9 100644 --- a/.pipelines/ci-aks-prod-release.yaml +++ b/.pipelines/ci-aks-prod-release.yaml 
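Review bot: The two restored `Set CDPX … Tag` steps publish whatever `jq` prints as the image tag without checking it. When `image.name` is missing from `metadata.json`, `jq` prints `null`, `cut` passes it through, and `CDPXLinuxTag` becomes the literal `null` while the step still succeeds. The value is also echoed unquoted and written into the `##vso[task.setvariable …]` logging command unvalidated, so any unexpected content in the artifact metadata flows straight into the production rollout. I would fail the step on a missing or malformed tag, as sketched below for the Linux step; the Windows step needs the same change.

```yaml
script: |
  set -euo pipefail
  # -e makes jq exit non-zero on null, -r drops the quotes, cut -s rejects a name without ':'
  LINUX_TAG=$(jq -er '."image.name"' metadata.json | cut -s -d':' -f2)
  # Accept only a plain image tag before it reaches the rollout
  if [[ ! "$LINUX_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
    echo "unexpected image tag in metadata.json"
    exit 1
  fi
  echo "$LINUX_TAG"
  echo "##vso[task.setvariable variable=CDPXLinuxTag;]$LINUX_TAG"
# … unchanged: workingDirectory, failOnStderr …
```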
@@ -437,10 +437,40 @@ extends: RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json StageMapName: Microsoft.Azure.SDP.Standard Select: regions(*) + InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Global", "bindings": [ { "find": "__ACR_NAME__", "replaceWith": "$(ACRName)" }, { "find": "__AGENT_RELEASE__", "replaceWith": "$(AgentRelease)" }, { "find": "__AGENT_IMAGE_TAG_SUFFIX__", "replaceWith": "$(AgentImageTagSuffix)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(ManagedIdentity)" }, { "find": "__CDPX_LINUX_TAG__", "replaceWith": "$(CDPXLinuxTag)" }, { "find": "__CDPX_WINDOWS_TAG__", "replaceWith": "$(CDPXWindowsTag)" }, { "find": "__OVERRIDE_TAG__", "replaceWith": "$(OverrideTag)" } ] } ] }' env: ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 target: container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-managed-sdp + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) # ============================================================================= From f8f292448b5ead5f9477ea0075de6d6b57a450cd Mon Sep 17 00:00:00 2001 
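Review bot: `InlineDynamicBindingOverrides` splices seven pipeline variables into a JSON string as raw text, so a value containing `"` or `\` yields invalid or altered scope bindings, and a variable that is not defined stays as the literal `$(Name)` and is bound as if it were the tag or registry name. `$(ACRName)` and `$(ManagedIdentity)` presumably decide which registry the rollout targets and under which identity, and nothing in this hunk shows whether they can be set at queue time. I would declare them in the job's `variables:` with `readonly: true`, as the hunk already does for `OneESPT.Workflow`, or move them into checked-in configuration. The `configurationOverrides` block added to ManagedSDPReleasePipeline.yml in patch 20/30 interpolates its `$(VAR_…)` values the same way.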
From: "LONG WAN (from Dev Box)" Date: Thu, 9 Apr 2026 15:47:36 -0700 Subject: [PATCH 14/30] update --- .pipelines/ci-aks-prod-release.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml index 91c57a1df9..79214734c1 100644 --- a/.pipelines/ci-aks-prod-release.yaml +++ b/.pipelines/ci-aks-prod-release.yaml @@ -74,6 +74,7 @@ extends: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 os: windows + serviceTreeId: $(ServiceTreeGuid) customBuildTags: - ES365AIMigrationTooling stages: @@ -431,6 +432,7 @@ extends: inputs: EndpointProviderType: ApprovalService TaskAction: RegisterAndRollout + UseServerMonitorTask: true SkipRegistrationIfExists: True ApprovalServiceEnvironment: $(ev2Environment) ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot From 630e6530c448c0aaf64f951da07054bfe9121869 Mon Sep 17 00:00:00 2001 From: Long Wan Date: Fri, 10 Apr 2026 15:01:33 -0700 Subject: [PATCH 15/30] Update .trivyignore --- .trivyignore | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/.trivyignore b/.trivyignore index 004695969d..3cc07a34f4 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,27 +1,6 @@ -# Telegraf -CVE-2026-24051 -CVE-2026-33223 -CVE-2026-33246 -CVE-2026-33248 -CVE-2026-33249 -CVE-2026-33186 -CVE-2026-25679 -CVE-2026-27142 -CVE-2026-32287 +# telegraf cves for which fix is not yet available CVE-2026-34040 CVE-2026-33997 -<<<<<<< HEAD -CVE-2026-27889 -CVE-2026-29785 -CVE-2026-33216 -CVE-2026-33217 -CVE-2026-33218 -CVE-2026-33247 -CVE-2026-33215 -CVE-2026-33219 -CVE-2026-33222 -CVE-2026-34986 -======= CVE-2026-34986 # telegraf aws-sdk-go-v2 DoS vulnerability (MEDIUM) - fix not yet available in telegraf package @@ -34,4 +13,3 @@ CVE-2026-39883 CVE-2026-32281 CVE-2026-32288 CVE-2026-32289 ->>>>>>> 6eb6f0ac341a8a2e9b1efe994cff73ba9f8dc526 
From f655048e72606d11b1145879112aa29c3ef376c5 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 16 Apr 2026 11:15:20 -0700 Subject: [PATCH 16/30] update release pipeline with service definition --- .../ServiceGroupRoot/ServiceGroupSpec.json | 6 ++++++ .../ServiceGroupRoot/ServiceModel.json | 4 +++- .../ServiceGroupRoot/ServiceSpec.json | 8 ++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json create mode 100644 deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceSpec.json diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json new file mode 100644 index 0000000000..cb91bcf335 --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json @@ -0,0 +1,6 @@ +{ + "name": "Microsoft.ContainerInsights.Agent", + "description": "Container Insights Agent Deployment", + "ownerGroupContactEmail": "omscontainers@microsoft.com", + "contentVersion": "1.0.0.0" +} diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json index 2a74086308..302fb8a275 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceModel.json @@ -9,7 +9,9 @@ "displayName": "ContainerInsightsAgent", "buildout": { "isForAutomatedBuildout": "True" - } + }, + "serviceSpecificationPath": "ServiceSpec.json", + "serviceGroupSpecificationPath": "ServiceGroupSpec.json" }, "serviceResourceGroupDefinitions": [ { 
diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceSpec.json new file mode 100644 index 0000000000..8eaf388f67 --- /dev/null +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ServiceSpec.json @@ -0,0 +1,8 @@ +{ + "providerType": "ServiceTree", + "identifier": "3170cdd2-19f0-4027-912b-1027311691a2", + "description": "Azure Monitor Container Insights Agent", + "ownerGroupContactEmail": "omscontainers@microsoft.com", + "policyCheckEnabled": true, + "contentVersion": "1.0.0.0" +} From 6b31b635631226b8aa99f5c9905b73d705d7d846 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 16 Apr 2026 11:16:29 -0700 Subject: [PATCH 17/30] address conflict --- .trivyignore | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/.trivyignore b/.trivyignore index 004695969d..9e833056a1 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,27 +1,3 @@ -# Telegraf -CVE-2026-24051 -CVE-2026-33223 -CVE-2026-33246 -CVE-2026-33248 -CVE-2026-33249 -CVE-2026-33186 -CVE-2026-25679 -CVE-2026-27142 -CVE-2026-32287 -CVE-2026-34040 -CVE-2026-33997 -<<<<<<< HEAD -CVE-2026-27889 -CVE-2026-29785 -CVE-2026-33216 -CVE-2026-33217 -CVE-2026-33218 -CVE-2026-33247 -CVE-2026-33215 -CVE-2026-33219 -CVE-2026-33222 -CVE-2026-34986 -======= CVE-2026-34986 # telegraf aws-sdk-go-v2 DoS vulnerability (MEDIUM) - fix not yet available in telegraf package @@ -33,5 +9,4 @@ CVE-2026-39883 # telegraf medium cves - fix not yet available in telegraf package CVE-2026-32281 CVE-2026-32288 -CVE-2026-32289 ->>>>>>> 6eb6f0ac341a8a2e9b1efe994cff73ba9f8dc526 +CVE-2026-32289 \ No newline at end of file From d6a91d341c4117fbddc0e647a3fa935d5c2e7faf Mon Sep 17 00:00:00 2001 
From: Long Wan Date: Thu, 16 Apr 2026 11:18:56 -0700 Subject: [PATCH 18/30] Update .trivyignore --- .trivyignore | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.trivyignore b/.trivyignore index 811a8c37ae..3cc07a34f4 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,9 +1,6 @@ -<<<<<<< HEAD -======= # telegraf cves for which fix is not yet available CVE-2026-34040 CVE-2026-33997 ->>>>>>> 630e6530c448c0aaf64f951da07054bfe9121869 CVE-2026-34986 # telegraf aws-sdk-go-v2 DoS vulnerability (MEDIUM) - fix not yet available in telegraf package @@ -15,8 +12,4 @@ CVE-2026-39883 # telegraf medium cves - fix not yet available in telegraf package CVE-2026-32281 CVE-2026-32288 -<<<<<<< HEAD CVE-2026-32289 -======= -CVE-2026-32289 ->>>>>>> 630e6530c448c0aaf64f951da07054bfe9121869 From ce06a62c0f28dedd59beccf75c162d6d1596fb84 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 16 Apr 2026 11:20:21 -0700 Subject: [PATCH 19/30] address conflict --- .trivyignore | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.trivyignore b/.trivyignore index 811a8c37ae..3cc07a34f4 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,9 +1,6 @@ -<<<<<<< HEAD -======= # telegraf cves for which fix is not yet available CVE-2026-34040 CVE-2026-33997 ->>>>>>> 630e6530c448c0aaf64f951da07054bfe9121869 CVE-2026-34986 # telegraf aws-sdk-go-v2 DoS vulnerability (MEDIUM) - fix not yet available in telegraf package @@ -15,8 +12,4 @@ CVE-2026-39883 # telegraf medium cves - fix not yet available in telegraf package CVE-2026-32281 CVE-2026-32288 -<<<<<<< HEAD CVE-2026-32289 -======= -CVE-2026-32289 ->>>>>>> 630e6530c448c0aaf64f951da07054bfe9121869 From 439820f60ccb3ef32e12158b34701b440f1bb76e Mon Sep 17 00:00:00 2001 
From: "LONG WAN (from Dev Box)" Date: Fri, 17 Apr 2026 14:39:08 -0700 Subject: [PATCH 20/30] update --- .../Configurations.Public.Prod.json | 9 ++++++++- .../ServiceGroupRoot/ManagedSDPReleasePipeline.yml | 12 ++++++++++++ .../ServiceGroupRoot/ScopeBindings.json | 14 +++++++------- .../ServiceGroupRoot/buildver.txt | 2 +- 4 files changed, 28 insertions(+), 9 deletions(-) diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json index ce14591b0b..f5e7c8ca25 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json @@ -1,7 +1,14 @@ { "Settings": { "environment": "Prod", - "tenantid": "33e01921-4d64-4f8c-a055-5bdaffd5e33d" + "tenantid": "33e01921-4d64-4f8c-a055-5bdaffd5e33d", + "acrName": "containerinsights.azurecr.io", + "managedIdentity": "/subscriptions/30c56c3a-54da-46ea-b004-06eb33432687/resourceGroups/containerinsightsprod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ev2-agent-release", + "agentRelease": "ciprod", + "agentImageTagSuffix": "", + "cdpxLinuxTag": "", + "cdpxWindowsTag": "", + "overrideTag": "false" }, "Geographies": [ { diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml index b8c85a760a..b0623aa642 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml 
@@ -58,6 +58,17 @@ extends: dependsOn: [] variables: ob_release_environment: Production + configurationOverrides: | + { + "ConfigurationSpecification": { + "Settings": { + "agentImageTagSuffix": "$(VAR_AGENT_IMAGE_TAG_SUFFIX)", + "cdpxLinuxTag": "$(VAR_CDPX_LINUX_TAG)", + "cdpxWindowsTag": "$(VAR_CDPX_WINDOWS_TAG)", + "overrideTag": "$(VAR_OVERRIDE_TAG)" + } + } + } jobs: - job: PROD_Prod_Managed_SDP displayName: PROD_Prod_Managed_SDP @@ -78,6 +89,7 @@ extends: StageMapName: Microsoft.Azure.SDP.Standard Select: ${{parameters.select}} ApprovalServiceEnvironment: Production + ConfigurationOverrides: $(configurationOverrides) ev2ManagedSdpRolloutConfig: rolloutType: ${{parameters.rolloutType}} overrideManagedValidationDuration: ${{parameters.overrideManagedValidationDuration}} diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json index d38e3cf0fe..b6d8506b62 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ScopeBindings.json 
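Review bot: The `configurationOverrides` JSON added under the stage `variables` in the `@@ -58,6 +58,17 @@` hunk is built by pasting `$(VAR_AGENT_IMAGE_TAG_SUFFIX)`, `$(VAR_CDPX_LINUX_TAG)`, `$(VAR_CDPX_WINDOWS_TAG)` and `$(VAR_OVERRIDE_TAG)` straight into string literals. A value containing `"` or `\` therefore changes the structure of the document handed to the Production rollout, and an unset variable arrives as the literal text `$(VAR_...)` because Azure Pipelines leaves unresolved macros unexpanded. These settings select the image tags that get pushed, so I would add a step ahead of the Ev2 task that fails the run unless each tag matches a conservative pattern such as `^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$` and `overrideTag` is exactly `true` or `false`. The same construction recurs in PATCH 21, 23 and 24 of this series, including the one-line form in `.pipelines/ci-aks-prod-release.yaml`. The enclosing stage starts and ends outside the hunk.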
@@ -7,31 +7,31 @@ "bindings": [ { "find": "__ACR_NAME__", - "replaceWith": "$(ACRName)" + "replaceWith": "$config(acrName)" }, { "find": "__AGENT_RELEASE__", - "replaceWith": "$(AgentRelease)" + "replaceWith": "$config(agentRelease)" }, { "find": "__AGENT_IMAGE_TAG_SUFFIX__", - "replaceWith": "$(AgentImageTagSuffix)" + "replaceWith": "$config(agentImageTagSuffix)" }, { "find": "__MANAGED_IDENTITY__", - "replaceWith": "$(ManagedIdentity)" + "replaceWith": "$config(managedIdentity)" }, { "find": "__CDPX_LINUX_TAG__", - "replaceWith": "$(CDPXLinuxTag)" + "replaceWith": "$config(cdpxLinuxTag)" }, { "find": "__CDPX_WINDOWS_TAG__", - "replaceWith": "$(CDPXWindowsTag)" + "replaceWith": "$config(cdpxWindowsTag)" }, { "find": "__OVERRIDE_TAG__", - "replaceWith": "$(OverrideTag)" + "replaceWith": "$config(overrideTag)" } ] } diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt index bd2666abb3..217625a1c5 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt @@ -1 +1 @@ -1.0.0.0 \ No newline at end of file +1.0.0.1 \ No newline at end of file From ce65d538846603d24b430eebdf85b60e006a40a6 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Fri, 17 Apr 2026 17:17:48 -0700 Subject: [PATCH 21/30] update move sdp vars to above --- .../ManagedSDPReleasePipeline.yml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml index b0623aa642..60bf7a0e4a 100644 
--- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml @@ -49,6 +49,19 @@ parameters: type: string default: regions(*) values: +variables: +- name: configurationOverrides + value: | + { + "ConfigurationSpecification": { + "Settings": { + "agentImageTagSuffix": "$(VAR_AGENT_IMAGE_TAG_SUFFIX)", + "cdpxLinuxTag": "$(VAR_CDPX_LINUX_TAG)", + "cdpxWindowsTag": "$(VAR_CDPX_WINDOWS_TAG)", + "overrideTag": "$(VAR_OVERRIDE_TAG)" + } + } + } extends: template: v2/OneBranch.Official.CrossPlat.yml@templates parameters: @@ -58,17 +71,6 @@ extends: dependsOn: [] variables: ob_release_environment: Production - configurationOverrides: | - { - "ConfigurationSpecification": { - "Settings": { - "agentImageTagSuffix": "$(VAR_AGENT_IMAGE_TAG_SUFFIX)", - "cdpxLinuxTag": "$(VAR_CDPX_LINUX_TAG)", - "cdpxWindowsTag": "$(VAR_CDPX_WINDOWS_TAG)", - "overrideTag": "$(VAR_OVERRIDE_TAG)" - } - } - } jobs: - job: PROD_Prod_Managed_SDP displayName: PROD_Prod_Managed_SDP From 25b9d85c42949c2b4bbac8f45689bb0bb3cfb23b Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Tue, 12 May 2026 14:11:24 -0700 Subject: [PATCH 22/30] update --- .../ServiceGroupRoot/Configurations.Public.Prod.json | 1 + .../ServiceGroupRoot/ManagedSDPReleasePipeline.yml | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json index f5e7c8ca25..0c5295c952 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json 
@@ -1,4 +1,5 @@ { + "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/ConfigurationSpecification.json", "Settings": { "environment": "Prod", "tenantid": "33e01921-4d64-4f8c-a055-5bdaffd5e33d", diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml index 60bf7a0e4a..df73af3a3d 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml @@ -80,12 +80,17 @@ extends: dependsOn: steps: - download: build-artifacts + - script: | + echo "configurationOverrides value:" + echo "$(configurationOverrides)" + displayName: Debug - Print ConfigurationOverrides + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 displayName: Ev2 Managed SDP Rollout - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 inputs: EndpointProviderType: ApprovalService TaskAction: RegisterAndRollout SkipRegistrationIfExists: True + ForceRegistration: true ServiceRootPath: ${{parameters.ServiceRootPath}} RolloutSpecPath: ${{parameters.RolloutSpecPath}} StageMapName: Microsoft.Azure.SDP.Standard From 9bebf30178a3571c87429fc83377353cd4b8db3d Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Wed, 13 May 2026 10:51:17 -0700 Subject: [PATCH 23/30] update var --- .../ManagedSDPReleasePipeline.yml | 25 +++++++++++++------ .../ServiceGroupRoot/buildver.txt | 2 +- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml index df73af3a3d..47b686c7ad 100644 
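Review bot: `ForceRegistration: true` is added directly below `SkipRegistrationIfExists: True` in the Ev2RARollout inputs of the `@@ -80,12 +80,17 @@` hunk, and the two read as opposite instructions, so which one the task honours is not evident from the pipeline. If forced registration replaces the artifacts already registered for a `buildver.txt` version, a Production rollout no longer has a fixed mapping from version to registered bits. I would keep only one of the two inputs and state the reason next to it, for example `# ForceRegistration: re-register artifacts even when this buildver already exists`. The same pair is added in the `@@ -438,12 +440,13 @@` hunk of `.pipelines/ci-aks-prod-release.yaml` in PATCH 24.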
--- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml @@ -49,16 +49,29 @@ parameters: type: string default: regions(*) values: +- name: agentImageTagSuffix + displayName: Agent Image Tag Suffix + type: string +- name: cdpxLinuxTag + displayName: CDPX Linux Tag + type: string +- name: cdpxWindowsTag + displayName: CDPX Windows Tag + type: string +- name: overrideTag + displayName: Override Tag + type: string + default: 'false' variables: - name: configurationOverrides value: | { "ConfigurationSpecification": { "Settings": { - "agentImageTagSuffix": "$(VAR_AGENT_IMAGE_TAG_SUFFIX)", - "cdpxLinuxTag": "$(VAR_CDPX_LINUX_TAG)", - "cdpxWindowsTag": "$(VAR_CDPX_WINDOWS_TAG)", - "overrideTag": "$(VAR_OVERRIDE_TAG)" + "agentImageTagSuffix": "${{ parameters.agentImageTagSuffix }}", + "cdpxLinuxTag": "${{ parameters.cdpxLinuxTag }}", + "cdpxWindowsTag": "${{ parameters.cdpxWindowsTag }}", + "overrideTag": "${{ parameters.overrideTag }}" } } } @@ -80,10 +93,6 @@ extends: dependsOn: steps: - download: build-artifacts - - script: | - echo "configurationOverrides value:" - echo "$(configurationOverrides)" - displayName: Debug - Print ConfigurationOverrides - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 displayName: Ev2 Managed SDP Rollout inputs: diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt index 217625a1c5..e1e1dc2002 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/buildver.txt @@ -1 +1 @@ -1.0.0.1 \ No newline at end of file +1.0.0.3 \ No newline at end of file 
From d3a25551f9a63ef64eb7b2b3edf734d6355156ee Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Wed, 13 May 2026 11:27:06 -0700 Subject: [PATCH 24/30] update var binding --- .pipelines/ci-aks-prod-release.yaml | 5 +++- .../ManagedSDPReleasePipeline.yml | 29 ++++++++----------- 2 files changed, 16 insertions(+), 18 deletions(-) diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml index 97c74677de..a8e7f5c1a0 100644 --- a/.pipelines/ci-aks-prod-release.yaml +++ b/.pipelines/ci-aks-prod-release.yaml @@ -45,6 +45,8 @@ variables: value: $(VAR_MANAGED_IDENTITY) - name: OverrideTag value: $(VAR_OVERRIDE_TAG) +- name: configurationOverrides + value: '{"ConfigurationSpecification":{"Settings":{"agentImageTagSuffix":"$(AgentImageTagSuffix)","cdpxLinuxTag":"$(CDPXLinuxTag)","cdpxWindowsTag":"$(CDPXWindowsTag)","overrideTag":"$(OverrideTag)"}}}' - name: ServiceTreeGuid value: $(VAR_SERVICE_TREE_GUID) - name: UserAssignedIdentityClientId 
@@ -438,12 +440,13 @@ extends: TaskAction: RegisterAndRollout UseServerMonitorTask: true SkipRegistrationIfExists: True + ForceRegistration: true ApprovalServiceEnvironment: $(ev2Environment) ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/RolloutSpec.json StageMapName: Microsoft.Azure.SDP.Standard Select: regions(*) - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Global", "bindings": [ { "find": "__ACR_NAME__", "replaceWith": "$(ACRName)" }, { "find": "__AGENT_RELEASE__", "replaceWith": "$(AgentRelease)" }, { "find": "__AGENT_IMAGE_TAG_SUFFIX__", "replaceWith": "$(AgentImageTagSuffix)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(ManagedIdentity)" }, { "find": "__CDPX_LINUX_TAG__", "replaceWith": "$(CDPXLinuxTag)" }, { "find": "__CDPX_WINDOWS_TAG__", "replaceWith": "$(CDPXWindowsTag)" }, { "find": "__OVERRIDE_TAG__", "replaceWith": "$(OverrideTag)" } ] } ] }' + ConfigurationOverrides: $(configurationOverrides) env: ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 target: diff --git a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml index 47b686c7ad..454191ebc4 100644 --- a/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml +++ b/deployment/mergebranch-multiarch-agent-deployment-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml 
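Review bot: With `InlineDynamicBindingOverrides` replaced by `ConfigurationOverrides: $(configurationOverrides)`, only `agentImageTagSuffix`, `cdpxLinuxTag`, `cdpxWindowsTag` and `overrideTag` are still supplied from this pipeline. `__ACR_NAME__`, `__AGENT_RELEASE__` and `__MANAGED_IDENTITY__` used to be bound from `$(ACRName)`, `$(AgentRelease)` and `$(ManagedIdentity)`, and since PATCH 20 they resolve through `$config(...)` from the checked-in `Configurations.Public.Prod.json`. Pinning the registry and the identity in reviewed config is a sound choice, but the `ManagedIdentity` variable (fed by `VAR_MANAGED_IDENTITY`) that the `@@ -45,6 +45,8 @@` hunk shows still declared in this file now looks effective to an operator while presumably no longer reaching this rollout. I would remove the unused variables or mark them, e.g. `# not passed to Ev2; the value comes from Configurations.Public.Prod.json`. The job this step belongs to continues outside the hunk.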
@@ -49,29 +49,24 @@ parameters: type: string default: regions(*) values: -- name: agentImageTagSuffix - displayName: Agent Image Tag Suffix - type: string -- name: cdpxLinuxTag - displayName: CDPX Linux Tag - type: string -- name: cdpxWindowsTag - displayName: CDPX Windows Tag - type: string -- name: overrideTag - displayName: Override Tag - type: string - default: 'false' variables: +- name: agentImageTagSuffixValue + value: $(VAR_AGENT_IMAGE_TAG_SUFFIX) +- name: cdpxLinuxTagValue + value: $(VAR_CDPX_LINUX_TAG) +- name: cdpxWindowsTagValue + value: $(VAR_CDPX_WINDOWS_TAG) +- name: overrideTagValue + value: $(VAR_OVERRIDE_TAG) - name: configurationOverrides value: | { "ConfigurationSpecification": { "Settings": { - "agentImageTagSuffix": "${{ parameters.agentImageTagSuffix }}", - "cdpxLinuxTag": "${{ parameters.cdpxLinuxTag }}", - "cdpxWindowsTag": "${{ parameters.cdpxWindowsTag }}", - "overrideTag": "${{ parameters.overrideTag }}" + "agentImageTagSuffix": "$(agentImageTagSuffixValue)", + "cdpxLinuxTag": "$(cdpxLinuxTagValue)", + "cdpxWindowsTag": "$(cdpxWindowsTagValue)", + "overrideTag": "$(overrideTagValue)" } } } From 04614c6f4c049a7d661f0270bf8a553844c76152 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Wed, 13 May 2026 13:52:39 -0700 Subject: [PATCH 25/30] update --- kubernetes/windows/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile index eb1dc379b7..3ca6cfdc82 100644 --- a/kubernetes/windows/Dockerfile +++ b/kubernetes/windows/Dockerfile 
@@ -123,4 +123,4 @@ Remove-Item -Recurse -Force 'C:\ruby31\lib\ruby\3.1.0\rdoc\generator\template\js Remove-Item -Recurse -Force 'C:\ruby31\lib\ruby\3.1.0\rdoc\generator\template\darkfish\js'; \ Remove-Item -Force 'C:\ruby31\bin\ridk.ps1'" -ENTRYPOINT ["powershell", "C:\\opt\\amalogswindows\\scripts\\powershell\\main.ps1"] \ No newline at end of file +ENTRYPOINT ["powershell", "C:\\opt\\amalogswindows\\scripts\\powershell\\main.ps1"] From 8bcfd65284723ec8cc773f67eb6ee179a19e5642 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Wed, 13 May 2026 14:39:33 -0700 Subject: [PATCH 26/30] sync chart from extension --- .pipelines/ci-arc-k8s-extension-canary-release.yaml | 2 ++ .pipelines/ci-arc-k8s-extension-prod-release.yaml | 2 ++ .../ServiceGroupRoot/Scripts/pushChartToAcr.sh | 9 ++++----- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.pipelines/ci-arc-k8s-extension-canary-release.yaml b/.pipelines/ci-arc-k8s-extension-canary-release.yaml index bb721e2658..45888e6e75 100644 --- a/.pipelines/ci-arc-k8s-extension-canary-release.yaml +++ b/.pipelines/ci-arc-k8s-extension-canary-release.yaml @@ -43,6 +43,8 @@ resources: extends: template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates parameters: + settings: + networkIsolationPolicy: Permissive,CFSClean pool: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 diff --git a/.pipelines/ci-arc-k8s-extension-prod-release.yaml b/.pipelines/ci-arc-k8s-extension-prod-release.yaml index ca710b81d3..d790481872 100644 --- a/.pipelines/ci-arc-k8s-extension-prod-release.yaml +++ b/.pipelines/ci-arc-k8s-extension-prod-release.yaml @@ -43,6 +43,8 @@ resources: extends: template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates parameters: + settings: + networkIsolationPolicy: Permissive,CFSClean pool: name: Azure-Pipelines-CI-Test-EO image: ci-1es-managed-windows-2022 
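Review bot: `networkIsolationPolicy: Permissive,CFSClean` is added to the 1ES template `settings` of `.pipelines/ci-arc-k8s-extension-canary-release.yaml` without a comment, and the commit subject ("sync chart from extension") does not mention it. The same two lines are added to `.pipelines/ci-arc-k8s-extension-prod-release.yaml` in the next hunk. As far as I know `Permissive` is the mode that does not block outbound traffic from the agents, so on a production release pipeline the choice needs a stated reason. I would add a comment above it, for example `# Permissive because <endpoint the job still needs> is not on the allow-list yet`, and check whether the prod pipeline can run under a stricter policy than canary.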
diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index 25dc091e8f..e14e0dd251 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh @@ -62,7 +62,7 @@ pull_chart_from_source_mcr_to_push_to_dest_acr() { } # push to local release candidate chart to canary region -push_local_chart_to_canary_region() { +push_local_chart_to_acr() { destAcrFullPath=${1} if [ -z $destAcrFullPath ]; then echo "-e error dest acr path must be provided " @@ -70,7 +70,7 @@ push_local_chart_to_canary_region() { fi echo "generate chart package file" - export CHART_FILE=$(helm package charts/azuremonitor-containers/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') + export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') if [ $? -eq 0 ]; then echo "chart package file generated successfully." else @@ -127,15 +127,14 @@ case $RELEASE_STAGE in Canary) echo "START: Release stage - Canary" destAcrFullPath=oci://${ACR_NAME}/public/${CANARY_REGION_REPO_PATH} - push_local_chart_to_canary_region $destAcrFullPath + push_local_chart_to_acr $destAcrFullPath echo "END: Release stage - Canary" ;; Pilot | Prod1) echo "START: Release stage - Pilot" - srcMcrFullPath=oci://${MCR_NAME}/${CANARY_REGION_REPO_PATH}/${CHART_NAME} destAcrFullPath=oci://${ACR_NAME}/public/${PILOT_REGION_REPO_PATH} - pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + push_local_chart_to_acr $destAcrFullPath echo "END: Release stage - Pilot" ;; From 6cc8c328f3df2058f3d8b40e14357cbfd64dc277 Mon Sep 17 00:00:00 2001 
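Review bot: In the `@@ -70,7 +70,7 @@` hunk the `if [ $? -eq 0 ]` that follows `export CHART_FILE=$(helm package ... | awk ...)` tests the exit status of `export`, which is 0 even when `helm package` fails. With the chart directory renamed to `charts/azuremonitor-containerinsights/`, a missing directory would still print "chart package file generated successfully." and continue with an empty `CHART_FILE`. I would assign first, `CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')`, then test the result with `if [ -n "$CHART_FILE" ] && [ -f "$CHART_FILE" ]; then` and run `export CHART_FILE` inside that branch. The `[ -z $destAcrFullPath ]` guard just above should also quote its operand. The function body continues past the end of the hunk.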
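Review bot: In the `Pilot | Prod1` case of the `@@ -127,15 +127,14 @@` hunk the stage no longer calls `pull_chart_from_source_mcr_to_push_to_dest_acr` on the chart published for Canary. It now repackages the local chart through `push_local_chart_to_acr`, so what lands in `${PILOT_REGION_REPO_PATH}` is a fresh `helm package` output rather than the artifact the Canary stage exercised. If that is intended, the case should say so, e.g. `# Pilot/Prod1 package from the same build drop as Canary; nothing is promoted from MCR`, and logging the digest of the pushed chart in each stage would let the stages be compared. The comment above the renamed function in the first hunk still reads "to canary region" and should follow the rename. The remaining cases of the `case` statement are outside the hunk.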
From: "LONG WAN (from Dev Box)" Date: Thu, 14 May 2026 11:16:24 -0700 Subject: [PATCH 27/30] arc pipeline migration --- .pipelines/azure_pipeline_mergedbranches.yaml | 4 + .../ci-arc-k8s-extension-prod-release.yaml | 3430 +++++++++-------- .../Configurations.Public.Prod.json | 38 + .../Parameters/ChartPush.Parameters.json | 50 + .../ServiceGroupRoot/RolloutSpec.json | 41 + .../ServiceGroupRoot/ScopeBindings.json | 31 + .../Scripts/pushChartToAcr.sh | 187 + .../ServiceGroupRoot/ServiceGroupSpec.json | 6 + .../ServiceGroupRoot/ServiceModel.json | 51 + .../ServiceGroupRoot/ServiceSpec.json | 8 + .../ServiceGroupRoot/buildver.txt | 1 + .../Configurations.Public.Prod.json | 38 + .../ManagedSDPReleasePipeline.yml | 90 + .../Parameters/RolloutParameter.json | 90 + .../ServiceGroupRoot/RolloutSpec.json | 41 + .../ServiceGroupRoot/ScopeBindings.json | 63 + .../Scripts/arcExtensionRelease.sh | 266 ++ .../ServiceGroupRoot/ServiceGroupSpec.json | 6 + .../ServiceGroupRoot/ServiceModel.json | 51 + .../ServiceGroupRoot/ServiceSpec.json | 8 + .../ServiceGroupRoot/buildver.txt | 1 + 21 files changed, 2795 insertions(+), 1706 deletions(-) create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json create mode 100644 deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json create mode 100644 
deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json create mode 100644 deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt diff --git a/.pipelines/azure_pipeline_mergedbranches.yaml b/.pipelines/azure_pipeline_mergedbranches.yaml index b3ff63ff05..621e753e09 100644 --- a/.pipelines/azure_pipeline_mergedbranches.yaml +++ b/.pipelines/azure_pipeline_mergedbranches.yaml 
@@ -93,8 +93,12 @@ extends: tar -czvf ../artifacts.tar.gz pushAgentToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ pushChartToAcr.sh + cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts + tar -czvf ../artifacts.tar.gz ../../../../charts/azuremonitor-containers/ ../../../../charts/azuremonitor-containerinsights/ pushChartToAcr.sh cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2/ServiceGroupRoot/Scripts tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh + cd $(Build.SourcesDirectory)/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts + tar -czvf ../artifacts.tar.gz arcExtensionRelease.sh windowsAMAUrl="" if [ -z "$WINDOWS_AMA_URL" ] then diff --git a/.pipelines/ci-arc-k8s-extension-prod-release.yaml b/.pipelines/ci-arc-k8s-extension-prod-release.yaml index d790481872..08470e39ca 100644 --- a/.pipelines/ci-arc-k8s-extension-prod-release.yaml +++ b/.pipelines/ci-arc-k8s-extension-prod-release.yaml 
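Review bot: The two added `tar` commands package the Managed-SDP variants, but the unchanged line for `deployment/arc-k8s-extension/ServiceGroupRoot/Scripts` still archives only `charts/azuremonitor-containers/`. PATCH 26 of this series changed that directory's `pushChartToAcr.sh` to run `helm package charts/azuremonitor-containerinsights/`, so unless the script finds the chart somewhere else, the legacy artifact lacks the directory it packages. Adding `../../../../charts/azuremonitor-containerinsights/` to that line, as the new Managed-SDP line does, would keep the two consistent. The script block this hunk belongs to starts and ends outside the hunk.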
@@ -1,1706 +1,1724 @@ -trigger: none -name: $(Date:yyyyMMdd).$(Rev:r) -variables: -- name: ACRName - value: $(VAR_ACR_NAME) -- name: ADMIN_SUBSCRIPTION_ID - value: $(VAR_ADMIN_SUBSCRIPTION_ID) -- name: CHART_VERSION - value: $(VAR_CHART_VERSION) -- name: IS_CUSTOMER_HIDDEN - value: $(VAR_IS_CUSTOMER_HIDDEN) -- name: MANAGED_IDENTITY - value: $(VAR_MANAGED_IDENTITY) -- name: REGISTER_REGIONS_CANARY - value: $(VAR_REGISTER_REGIONS_CANARY) -- name: RELEASE_TRAINS_PREVIEW_PATH - value: $(VAR_RELEASE_TRAINS_PREVIEW_PATH) -- name: RELEASE_TRAINS_STABLE_PATH - value: $(VAR_RELEASE_TRAINS_STABLE_PATH) -- name: RepoType - value: $(VAR_REPO_TYPE) -- name: RESOURCE_AUDIENCE - value: $(VAR_RESOURCE_AUDIENCE) -- name: ServiceTreeGuid - value: $(VAR_SERVICE_TREE_GUID) -- name: SPN_CLIENT_ID - value: $(VAR_SPN_CLIENT_ID) -- name: SPN_SECRET - value: '' -- name: SPN_TENANT_ID - value: $(VAR_SPN_TENANT_ID) -resources: - containers: [] - pipelines: - - pipeline: '_ci-arc-k8s-extension-prod-release' - project: 'microsoft' - source: 'CDPX\docker-provider\ContainerInsights-MultiArch-MergedBranches' - repositories: - - repository: 1ESPipelineTemplates - type: git - name: 1ESPipelineTemplates/1ESPipelineTemplates - ref: refs/tags/release -extends: - template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates - parameters: - settings: - networkIsolationPolicy: Permissive,CFSClean - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - sdl: - sourceAnalysisPool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - customBuildTags: - - ES365AIMigrationTooling - stages: - - stage: Stage_1 - displayName: ci-arc-k8s-extension-all-regions-prod-release(MCR) - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: 
Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent Job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: 
OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: 
$(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - 
condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension/ServiceGroupRoot/RolloutSpecs/Public.Pilot.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Pilot", "bindings": [ { "find": "__ACR_NAME__", "replaceWith": "$(ACRName)" }, { "find": "__REPO_TYPE__", "replaceWith": "$(RepoType)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] }' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - 
value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent Job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Stage_2 - displayName: Pilot Regions - trigger: manual - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - 
- name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: 
validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: 
CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": 
"Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Wait_After_Stage_2 - displayName: Wait after Pilot Region - dependsOn: Stage_2 - jobs: - - job: WaitJob - displayName: Wait for Bake Time - timeoutInMinutes: 1600 - pool: server 
- steps: - - task: Delay@1 - inputs: - delayForMinutes: 1500 - - stage: Stage_3 - displayName: Light Load Region - dependsOn: - - Wait_After_Stage_2 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - 
environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: 
specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - 
FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", 
"replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus,southcentralus,southeastasia,uksouth" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Wait_After_Stage_3 - displayName: Wait after Light Load Region - dependsOn: Stage_3 - jobs: - - job: WaitJob - displayName: Wait for Bake Time - timeoutInMinutes: 1600 - pool: server - steps: - - task: Delay@1 - inputs: - delayForMinutes: 1500 - - stage: Stage_4 - displayName: Medium Load Region - dependsOn: - - Wait_After_Stage_3 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: 
windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - 
variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - 
pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 
1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { 
"find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Wait_After_Stage_4 - displayName: Wait after Medium Load Region - dependsOn: Stage_4 - jobs: - - job: WaitJob - displayName: Wait for Bake Time - timeoutInMinutes: 1600 - pool: server - steps: - - task: Delay@1 - inputs: - delayForMinutes: 1500 - - stage: Stage_5 - displayName: High Load Region - dependsOn: - - Wait_After_Stage_4 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: 
Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: 
OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: 
$(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - 
condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", "replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": 
"westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Stage_6 - displayName: 'Fairfax & Mooncake: Create Escort JIT' - trigger: manual - pool: - name: 
Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: Job_1 - displayName: Agentless job - condition: succeeded() - timeoutInMinutes: 7200 - pool: - name: server - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - steps: [] - - stage: Stage_7 - displayName: Fairfax Region Testing - trigger: manual - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: releaseGating - displayName: Release Gating - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - job: approval - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: 
windows - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Approval - pool: - name: server - timeoutInMinutes: 7200 - dependsOn: - - releaseGating - steps: - - task: ApprovalTask@1 - inputs: - environment: $(ev2Environment) - servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 - - job: Ev2_rollout_ev2_rollout - displayName: Agent job - Ev2 Ev2 Rollout - timeoutInMinutes: '0' - condition: succeeded() - dependsOn: - - approval - variables: - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: https://azureservicedeploy.msft.net/api/monitorrollout - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - value: ev2-classic - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider 
- path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) - definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) - pipeline: _ci-arc-k8s-extension-prod-release - targetPath: $(Pipeline.Workspace)/ev2Artifact - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop - IsProduction: True - OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 
Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace)/ev2Artifact - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - target: - container: host - - task: vsrm-ev2.vss-services-ev2.adm-release-task.ExpressV2Internal@1 - inputs: - UseServerMonitorTask: true - EndpointProviderType: ApprovalService - ApprovalServiceEnvironment: $(ev2Environment) - ServiceRootLocation: LinkedArtifact - RolloutSpecType: RSPath - ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot - RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2/ServiceGroupRoot/RolloutSpecs/Public.Stable.RolloutSpec.json - OutputRolloutId: RolloutId - OutputServiceGroupName: ServiceGroupName - OutputRolloutStatus: RolloutStatus - InlineDynamicBindingOverrides: '{ "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", "contentVersion": "0.0.0.1", "scopeBindings": [ { "scopeTagName": "Stable", "bindings": [ { "find": "__RELEASE_STAGE__", 
"replaceWith": "Stable" }, { "find": "__ADMIN_SUBSCRIPTION_ID__", "replaceWith": "$(ADMIN_SUBSCRIPTION_ID)" }, { "find": "__CHART_VERSION__", "replaceWith": "$(CHART_VERSION)" }, { "find": "__IS_CUSTOMER_HIDDEN__", "replaceWith": "$(IS_CUSTOMER_HIDDEN)" }, { "find": "__REGISTER_REGIONS_CANARY__", "replaceWith": "$(REGISTER_REGIONS_CANARY)" }, { "find": "__RELEASE_TRAINS_PREVIEW_PATH__", "replaceWith": "$(RELEASE_TRAINS_PREVIEW_PATH)" }, { "find": "__RELEASE_TRAINS_STABLE_PATH__", "replaceWith": "$(RELEASE_TRAINS_STABLE_PATH)" }, { "find": "__REGISTER_REGIONS_BATCH__", "replaceWith": "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia,usgovvirginia" }, { "find": "__RESOURCE_AUDIENCE__", "replaceWith": "$(RESOURCE_AUDIENCE)" }, { "find": "__SPN_CLIENT_ID__", "replaceWith": "$(SPN_CLIENT_ID)" }, { "find": "__SPN_SECRET__", "replaceWith": "$(SPN_SECRET)" }, { "find": "__SPN_TENANT_ID__", "replaceWith": "$(SPN_TENANT_ID)" }, { "find": "__MANAGED_IDENTITY__", "replaceWith": "$(MANAGED_IDENTITY)" } ] } ] } ' - env: - ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 - target: - container: host - displayName: Ev2 Classic - Deploy - - job: Ev2_rollout_ev2_monitoring - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: OneESPT.Workflow - 
value: ev2-classic - readonly: true - - name: ev2Environment - value: Production - - name: Ev2MonintoringUrl - value: 'https://azureservicedeploy.msft.net/api/monitorrollout' - displayName: Agent job - Ev2 Ev2 Monitoring - pool: - name: server - dependsOn: - - Ev2_rollout_ev2_rollout - timeoutInMinutes: '0' - steps: - - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 - displayName: Ev2 - Monitoring - inputs: - Ev2MonintoringUrl: $(Ev2MonintoringUrl) +trigger: none +name: $(Date:yyyyMMdd).$(Rev:r) +variables: +- name: ACRName + value: $(VAR_ACR_NAME) +- name: ADMIN_SUBSCRIPTION_ID + value: $(VAR_ADMIN_SUBSCRIPTION_ID) +- name: CHART_VERSION + value: $(VAR_CHART_VERSION) +- name: IS_CUSTOMER_HIDDEN + value: $(VAR_IS_CUSTOMER_HIDDEN) +- name: MANAGED_IDENTITY + value: $(VAR_MANAGED_IDENTITY) +- name: REGISTER_REGIONS_CANARY + value: $(VAR_REGISTER_REGIONS_CANARY) +- name: RELEASE_TRAINS_PREVIEW_PATH + value: $(VAR_RELEASE_TRAINS_PREVIEW_PATH) +- name: RELEASE_TRAINS_STABLE_PATH + value: $(VAR_RELEASE_TRAINS_STABLE_PATH) +- name: RepoType + value: $(VAR_REPO_TYPE) +- name: RESOURCE_AUDIENCE + value: $(VAR_RESOURCE_AUDIENCE) +- name: ServiceTreeGuid + value: $(VAR_SERVICE_TREE_GUID) +- name: SPN_CLIENT_ID + value: $(VAR_SPN_CLIENT_ID) +- name: SPN_SECRET + value: '' +- name: SPN_TENANT_ID + value: $(VAR_SPN_TENANT_ID) +- name: REGISTER_REGIONS_BATCH + value: '' +- name: RELEASE_STAGE_NAME + value: 'Stable' +- name: configurationOverrides + value: 
'{"ConfigurationSpecification":{"Settings":{"adminSubscriptionId":"$(ADMIN_SUBSCRIPTION_ID)","chartVersion":"$(CHART_VERSION)","isCustomerHidden":"$(IS_CUSTOMER_HIDDEN)","registerRegionsCanary":"$(REGISTER_REGIONS_CANARY)","releaseTrainsPreviewPath":"$(RELEASE_TRAINS_PREVIEW_PATH)","releaseTrainsStablePath":"$(RELEASE_TRAINS_STABLE_PATH)","registerRegionsBatch":"$(REGISTER_REGIONS_BATCH)","resourceAudience":"$(RESOURCE_AUDIENCE)","spnClientId":"$(SPN_CLIENT_ID)","spnSecret":"$(SPN_SECRET)","spnTenantId":"$(SPN_TENANT_ID)","managedIdentity":"$(MANAGED_IDENTITY)","releaseStage":"$(RELEASE_STAGE_NAME)","acrName":"$(ACRName)","repoType":"$(RepoType)"}}}'
+resources:
+ containers: []
+ pipelines:
+ - pipeline: '_ci-arc-k8s-extension-prod-release'
+ project: 'microsoft'
+ source: 'CDPX\docker-provider\ContainerInsights-MultiArch-MergedBranches'
+ repositories:
+ - repository: 1ESPipelineTemplates
+ type: git
+ name: 1ESPipelineTemplates/1ESPipelineTemplates
+ ref: refs/tags/release
+extends:
+ template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+ parameters:
+ settings:
+ networkIsolationPolicy: Permissive,CFSClean
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ sdl:
+ sourceAnalysisPool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ customBuildTags:
+ - ES365AIMigrationTooling
+ stages:
+ - stage: Stage_1
+ displayName: ci-arc-k8s-extension-all-regions-prod-release(MCR)
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent Job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: RELEASE_STAGE_NAME
+ value: Pilot
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1
+ displayName: "\U0001F6E1 Guardian: CodeSign Validation"
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ continueOnError: true
+ timeoutInMinutes: 10
+ inputs:
+ Path: $(Pipeline.Workspace)/ev2Artifact
+ MaxThreads: $(OneES_UsableProcessorCount)
+ FailIfNoTargetsFound: false
+ ExcludePassesFromLog: False
+ Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**;
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)"
+ continueOnError: true
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ env:
+ OneES_PipelineWorkspace: $(Pipeline.Workspace)
+ OneES_DeleteCodeSignValidationResult: True
+ OneES_CustomPolicyFile: ''
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: check_csv_results.ps1
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ target:
+ container: host
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP - Chart Push
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ UseServerMonitorTask: true
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ApprovalServiceEnvironment: $(ev2Environment)
+ ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-Managed-SDP/ServiceGroupRoot
+ RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: regions(*)
+ ConfigurationOverrides: $(configurationOverrides)
+ env:
+ ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2
+ target:
+ container: host
+ - job: Ev2_rollout_ev2_monitoring
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Agent Job - Ev2 Ev2 Monitoring
+ pool:
+ name: server
+ dependsOn:
+ - Ev2_rollout_ev2_rollout
+ timeoutInMinutes: '0'
+ steps:
+ - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1
+ displayName: Ev2 - Monitoring
+ inputs:
+ Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+ - stage: Stage_2
+ displayName: Pilot Regions
+ trigger: manual
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: REGISTER_REGIONS_BATCH
+ value: "westcentralus"
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validateHostedPool.ps1
+ arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline
+ - task: DownloadPipelineArtifact@2
+ displayName: ⏬ Pipeline Artifact Download
+ inputs:
+ buildType: specific
+ project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID)
+ definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID)
+ allowFailedBuilds: false
+ buildVersionToDownload: specific
+ pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID)
+ pipeline: _ci-arc-k8s-extension-prod-release
+ targetPath: $(Pipeline.Workspace)/ev2Artifact
+ target:
+ container: host
+ - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0
+ displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)"
+ condition: succeeded()
+ continueOnError: False
+ timeoutInMinutes: 30
+ env:
+ SBOMVALIDATOR_TEMPIGNOREMISSING: true
+ inputs:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ ValidateSignature: True
+ Verbosity: 'Verbose'
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Post-SBoM Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ condition: succeeded()
+ env:
+ OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: post_sbom_validation.py
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Source Build (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop
+ IsProduction: True
+ OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: validate_source_build.py
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1
+ displayName: "\U0001F6E1 Guardian: CodeSign Validation"
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ continueOnError: true
+ timeoutInMinutes: 10
+ inputs:
+ Path: $(Pipeline.Workspace)/ev2Artifact
+ MaxThreads: $(OneES_UsableProcessorCount)
+ FailIfNoTargetsFound: false
+ ExcludePassesFromLog: False
+ Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**;
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)"
+ continueOnError: true
+ target:
+ container: host
+ condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false'))
+ env:
+ OneES_PipelineWorkspace: $(Pipeline.Workspace)
+ OneES_DeleteCodeSignValidationResult: True
+ OneES_CustomPolicyFile: ''
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: check_csv_results.ps1
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ target:
+ container: host
+ - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2
+ displayName: Ev2 Managed SDP - Deploy
+ inputs:
+ EndpointProviderType: ApprovalService
+ TaskAction: RegisterAndRollout
+ UseServerMonitorTask: true
+ SkipRegistrationIfExists: True
+ ForceRegistration: true
+ ApprovalServiceEnvironment: $(ev2Environment)
+ ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot
+ RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json
+ StageMapName: Microsoft.Azure.SDP.Standard
+ Select: regions(*)
+ ConfigurationOverrides: $(configurationOverrides)
+ env:
+ ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2
+ target:
+ container: host
+ - job: Ev2_rollout_ev2_monitoring
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Agent job - Ev2 Ev2 Monitoring
+ pool:
+ name: server
+ dependsOn:
+ - Ev2_rollout_ev2_rollout
+ timeoutInMinutes: '0'
+ steps:
+ - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1
+ displayName: Ev2 - Monitoring
+ inputs:
+ Ev2MonintoringUrl: $(Ev2MonintoringUrl)
+ - stage: Wait_After_Stage_2
+ displayName: Wait after Pilot Region
+ dependsOn: Stage_2
+ jobs:
+ - job: WaitJob
+ displayName: Wait for Bake Time
+ timeoutInMinutes: 1600
+ pool: server
+ steps:
+ - task: Delay@1
+ inputs:
+ delayForMinutes: 1500
+ - stage: Stage_3
+ displayName: Light Load Region
+ dependsOn:
+ - Wait_After_Stage_2
+ pool:
+ name: Azure-Pipelines-CI-Test-EO
+ image: ci-1es-managed-windows-2022
+ os: windows
+ jobs:
+ - job: releaseGating
+ displayName: Release Gating
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ steps:
+ - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1
+ condition: false
+ inputs:
+ repository: none
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Branch Validation (1ES PT)
+ continueOnError: true
+ target:
+ container: host
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+ BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider)
+ BUILD_SOURCEVERSION: $(Build.SourceVersion)
+ TASK_MODE: audit
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path: release_gating.py
+ - job: approval
+ variables:
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: ev2Environment
+ value: Production
+ - name: Ev2MonintoringUrl
+ value: 'https://azureservicedeploy.msft.net/api/monitorrollout'
+ displayName: Approval
+ pool:
+ name: server
+ timeoutInMinutes: 7200
+ dependsOn:
+ - releaseGating
+ steps:
+ - task: ApprovalTask@1
+ inputs:
+ environment: $(ev2Environment)
+ servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2
+ - job: Ev2_rollout_ev2_rollout
+ displayName: Agent job - Ev2 Ev2 Rollout
+ timeoutInMinutes: '0'
+ condition: succeeded()
+ dependsOn:
+ - approval
+ variables:
+ - name: ev2Environment
+ value: Production
+ - name: REGISTER_REGIONS_BATCH
+ value: "westcentralus,southcentralus,southeastasia,uksouth"
+ - name: Ev2MonintoringUrl
+ value: https://azureservicedeploy.msft.net/api/monitorrollout
+ - name: OneESPT.JobType
+ value: releaseJob
+ readonly: true
+ - name: OneESPT
+ value: true
+ readonly: true
+ - name: OneESPT.BuildType
+ value: Official
+ readonly: true
+ - name: OneESPT.OS
+ value: windows
+ readonly: true
+ - name: OneESPT.Workflow
+ value: ev2-classic
+ readonly: true
+ - name: runCodesignValidationInjection
+ value: false
+ - name: Codeql.SkipTaskAutoInjection
+ value: true
+ - name: skipComponentGovernanceDetection
+ value: true
+ - name: skipNugetSecurityAnalysis
+ value: true
+ - name: OneES_targetName
+ value: host
+ steps:
+ - task: 1ESGPTRunTask@3.0.376
+ displayName: Validate Hosted Pool Information (1ES PT)
+ continueOnError: false
+ target:
+ container: host
+ env:
+ HOST_ARCHITECTURE: amd64
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ SYSTEM_DEFINITIONID: $(System.DefinitionId)
+ SYSTEM_COLLECTIONURI: $(System.CollectionUri)
+ SYSTEM_TEAMPROJECT: $(System.TeamProject)
+ SYSTEM_TEAMPROJECTID: $(System.TeamProjectId)
+ BUILD_REPOSITORY_ID: $(Build.Repository.ID)
+ BUILD_REPOSITORY_URI: $(Build.Repository.Uri)
+ PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited']
+ PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited']
+ BUILD_REASON: $(Build.Reason)
+ inputs:
+ repoId: microsoft/Docker-Provider
+ path:
validateHostedPool.ps1 + arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline + - task: DownloadPipelineArtifact@2 + displayName: ⏬ Pipeline Artifact Download + inputs: + buildType: specific + project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) + definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) + allowFailedBuilds: false + buildVersionToDownload: specific + pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) + pipeline: _ci-arc-k8s-extension-prod-release + targetPath: $(Pipeline.Workspace)/ev2Artifact + target: + container: host + - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 + displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" + condition: succeeded() + continueOnError: False + timeoutInMinutes: 30 + env: + SBOMVALIDATOR_TEMPIGNOREMISSING: true + inputs: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + ValidateSignature: True + Verbosity: 'Verbose' + - task: 1ESGPTRunTask@3.0.376 + displayName: Post-SBoM Validation (1ES PT) + continueOnError: true + target: + container: host + condition: succeeded() + env: + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + inputs: + repoId: microsoft/Docker-Provider + path: post_sbom_validation.py + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Source Build (1ES PT) + continueOnError: false + target: + container: host + env: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + IsProduction: True + OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) + inputs: + repoId: microsoft/Docker-Provider + path: validate_source_build.py + - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: 
CodeSign Validation" + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + UseServerMonitorTask: true + SkipRegistrationIfExists: True + ForceRegistration: true + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + ConfigurationOverrides: $(configurationOverrides) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 + target: + container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + 
- name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) + - stage: Wait_After_Stage_3 + displayName: Wait after Light Load Region + dependsOn: Stage_3 + jobs: + - job: WaitJob + displayName: Wait for Bake Time + timeoutInMinutes: 1600 + pool: server + steps: + - task: Delay@1 + inputs: + delayForMinutes: 1500 + - stage: Stage_4 + displayName: Medium Load Region + dependsOn: + - Wait_After_Stage_3 + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: releaseGating + displayName: Release Gating + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + steps: + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + - task: 1ESGPTRunTask@3.0.376 + displayName: Branch Validation (1ES PT) + continueOnError: true + target: + container: host + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) 
+ BUILD_SOURCEBRANCH: $(Build.SourceBranch) + BUILD_REPOSITORY_NAME: $(Build.Repository.Name) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) + BUILD_SOURCEVERSION: $(Build.SourceVersion) + TASK_MODE: audit + inputs: + repoId: microsoft/Docker-Provider + path: release_gating.py + - job: approval + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Approval + pool: + name: server + timeoutInMinutes: 7200 + dependsOn: + - releaseGating + steps: + - task: ApprovalTask@1 + inputs: + environment: $(ev2Environment) + servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 + - job: Ev2_rollout_ev2_rollout + displayName: Agent job - Ev2 Ev2 Rollout + timeoutInMinutes: '0' + condition: succeeded() + dependsOn: + - approval + variables: + - name: ev2Environment + value: Production + - name: REGISTER_REGIONS_BATCH + value: "westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast" + - name: Ev2MonintoringUrl + value: https://azureservicedeploy.msft.net/api/monitorrollout + - name: OneESPT.JobType + value: releaseJob + readonly: true + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + - name: OneES_targetName + value: host + steps: + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate 
Hosted Pool Information (1ES PT) + continueOnError: false + target: + container: host + env: + HOST_ARCHITECTURE: amd64 + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_DEFINITIONID: $(System.DefinitionId) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] + PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] + BUILD_REASON: $(Build.Reason) + inputs: + repoId: microsoft/Docker-Provider + path: validateHostedPool.ps1 + arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline + - task: DownloadPipelineArtifact@2 + displayName: ⏬ Pipeline Artifact Download + inputs: + buildType: specific + project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) + definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) + allowFailedBuilds: false + buildVersionToDownload: specific + pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) + pipeline: _ci-arc-k8s-extension-prod-release + targetPath: $(Pipeline.Workspace)/ev2Artifact + target: + container: host + - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 + displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" + condition: succeeded() + continueOnError: False + timeoutInMinutes: 30 + env: + SBOMVALIDATOR_TEMPIGNOREMISSING: true + inputs: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + ValidateSignature: True + Verbosity: 'Verbose' + - task: 1ESGPTRunTask@3.0.376 + displayName: Post-SBoM Validation (1ES PT) + continueOnError: true + target: + 
container: host + condition: succeeded() + env: + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + inputs: + repoId: microsoft/Docker-Provider + path: post_sbom_validation.py + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Source Build (1ES PT) + continueOnError: false + target: + container: host + env: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + IsProduction: True + OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) + inputs: + repoId: microsoft/Docker-Provider + path: validate_source_build.py + - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: CodeSign Validation" + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + 
UseServerMonitorTask: true + SkipRegistrationIfExists: True + ForceRegistration: true + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + ConfigurationOverrides: $(configurationOverrides) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 + target: + container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) + - stage: Wait_After_Stage_4 + displayName: Wait after Medium Load Region + dependsOn: Stage_4 + jobs: + - job: WaitJob + displayName: Wait for Bake Time + timeoutInMinutes: 1600 + pool: server + steps: + - task: Delay@1 + inputs: + delayForMinutes: 1500 + - stage: Stage_5 + displayName: High Load Region + dependsOn: + - Wait_After_Stage_4 + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: releaseGating + displayName: Release Gating + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + 
readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + steps: + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + - task: 1ESGPTRunTask@3.0.376 + displayName: Branch Validation (1ES PT) + continueOnError: true + target: + container: host + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + BUILD_SOURCEBRANCH: $(Build.SourceBranch) + BUILD_REPOSITORY_NAME: $(Build.Repository.Name) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) + BUILD_SOURCEVERSION: $(Build.SourceVersion) + TASK_MODE: audit + inputs: + repoId: microsoft/Docker-Provider + path: release_gating.py + - job: approval + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Approval + pool: + name: server + timeoutInMinutes: 7200 + dependsOn: + - releaseGating + steps: + - task: ApprovalTask@1 + inputs: + environment: $(ev2Environment) + servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 + - job: Ev2_rollout_ev2_rollout + displayName: Agent job - Ev2 Ev2 Rollout + timeoutInMinutes: '0' + condition: succeeded() + dependsOn: + - approval + variables: + - name: ev2Environment + value: Production + - name: REGISTER_REGIONS_BATCH + value: 
"westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia" + - name: Ev2MonintoringUrl + value: https://azureservicedeploy.msft.net/api/monitorrollout + - name: OneESPT.JobType + value: releaseJob + readonly: true + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + - name: OneES_targetName + value: host + steps: + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Hosted Pool Information (1ES PT) + continueOnError: false + target: + container: host + env: + HOST_ARCHITECTURE: amd64 + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_DEFINITIONID: $(System.DefinitionId) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] + PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] + BUILD_REASON: 
$(Build.Reason) + inputs: + repoId: microsoft/Docker-Provider + path: validateHostedPool.ps1 + arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline + - task: DownloadPipelineArtifact@2 + displayName: ⏬ Pipeline Artifact Download + inputs: + buildType: specific + project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) + definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) + allowFailedBuilds: false + buildVersionToDownload: specific + pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) + pipeline: _ci-arc-k8s-extension-prod-release + targetPath: $(Pipeline.Workspace)/ev2Artifact + target: + container: host + - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 + displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" + condition: succeeded() + continueOnError: False + timeoutInMinutes: 30 + env: + SBOMVALIDATOR_TEMPIGNOREMISSING: true + inputs: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + ValidateSignature: True + Verbosity: 'Verbose' + - task: 1ESGPTRunTask@3.0.376 + displayName: Post-SBoM Validation (1ES PT) + continueOnError: true + target: + container: host + condition: succeeded() + env: + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + inputs: + repoId: microsoft/Docker-Provider + path: post_sbom_validation.py + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Source Build (1ES PT) + continueOnError: false + target: + container: host + env: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + IsProduction: True + OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) + inputs: + repoId: microsoft/Docker-Provider + path: validate_source_build.py + - task: 
securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: CodeSign Validation" + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + UseServerMonitorTask: true + SkipRegistrationIfExists: True + ForceRegistration: true + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + ConfigurationOverrides: $(configurationOverrides) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 
+ target: + container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) + - stage: Stage_6 + displayName: 'Fairfax & Mooncake: Create Escort JIT' + trigger: manual + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: Job_1 + displayName: Agentless job + condition: succeeded() + timeoutInMinutes: 7200 + pool: + name: server + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + steps: [] + - stage: Stage_7 + displayName: Fairfax Region Testing + trigger: manual + pool: + name: Azure-Pipelines-CI-Test-EO + image: ci-1es-managed-windows-2022 + os: windows + jobs: + - job: releaseGating + displayName: Release Gating + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + steps: + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + - 
task: 1ESGPTRunTask@3.0.376 + displayName: Branch Validation (1ES PT) + continueOnError: true + target: + container: host + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + BUILD_SOURCEBRANCH: $(Build.SourceBranch) + BUILD_REPOSITORY_NAME: $(Build.Repository.Name) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) + BUILD_SOURCEVERSION: $(Build.SourceVersion) + TASK_MODE: audit + inputs: + repoId: microsoft/Docker-Provider + path: release_gating.py + - job: approval + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Approval + pool: + name: server + timeoutInMinutes: 7200 + dependsOn: + - releaseGating + steps: + - task: ApprovalTask@1 + inputs: + environment: $(ev2Environment) + servicetreeguid: 3170cdd2-19f0-4027-912b-1027311691a2 + - job: Ev2_rollout_ev2_rollout + displayName: Agent job - Ev2 Ev2 Rollout + timeoutInMinutes: '0' + condition: succeeded() + dependsOn: + - approval + variables: + - name: ev2Environment + value: Production + - name: REGISTER_REGIONS_BATCH + value: 
"westcentralus,southcentralus,southeastasia,uksouth,westus2,australiaeast,eastus2,northcentralus,koreacentral,eastasia,japaneast,westeurope,northeurope,eastus,francecentral,westus,centralus,canadacentral,westus3,australiacentral,australiacentral2,australiasoutheast,brazilsouth,brazilsoutheast,canadaeast,centralindia,francesouth,germanycentral,germanynorth,germanynortheast,germanywestcentral,italynorth,japanwest,jioindiacentral,jioindiawest,koreasouth,norwayeast,norwaywest,polandcentral,qatarcentral,southafricanorth,southafricawest,southindia,swedencentral,swedensouth,switzerlandnorth,switzerlandwest,uaecentral,uaenorth,uknorth,uksouth2,ukwest,westindia,usgovvirginia" + - name: Ev2MonintoringUrl + value: https://azureservicedeploy.msft.net/api/monitorrollout + - name: OneESPT.JobType + value: releaseJob + readonly: true + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: runCodesignValidationInjection + value: false + - name: Codeql.SkipTaskAutoInjection + value: true + - name: skipComponentGovernanceDetection + value: true + - name: skipNugetSecurityAnalysis + value: true + - name: OneES_targetName + value: host + steps: + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Hosted Pool Information (1ES PT) + continueOnError: false + target: + container: host + env: + HOST_ARCHITECTURE: amd64 + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + SYSTEM_DEFINITIONID: $(System.DefinitionId) + SYSTEM_COLLECTIONURI: $(System.CollectionUri) + SYSTEM_TEAMPROJECT: $(System.TeamProject) + SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) + BUILD_REPOSITORY_ID: $(Build.Repository.ID) + BUILD_REPOSITORY_URI: $(Build.Repository.Uri) + PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] + PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] + 
BUILD_REASON: $(Build.Reason) + inputs: + repoId: microsoft/Docker-Provider + path: validateHostedPool.ps1 + arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline + - task: DownloadPipelineArtifact@2 + displayName: ⏬ Pipeline Artifact Download + inputs: + buildType: specific + project: $(resources.pipeline._ci-arc-k8s-extension-prod-release.projectID) + definition: $(resources.pipeline._ci-arc-k8s-extension-prod-release.pipelineID) + allowFailedBuilds: false + buildVersionToDownload: specific + pipelineId: $(resources.pipeline._ci-arc-k8s-extension-prod-release.runID) + pipeline: _ci-arc-k8s-extension-prod-release + targetPath: $(Pipeline.Workspace)/ev2Artifact + target: + container: host + - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 + displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" + condition: succeeded() + continueOnError: False + timeoutInMinutes: 30 + env: + SBOMVALIDATOR_TEMPIGNOREMISSING: true + inputs: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + ValidateSignature: True + Verbosity: 'Verbose' + - task: 1ESGPTRunTask@3.0.376 + displayName: Post-SBoM Validation (1ES PT) + continueOnError: true + target: + container: host + condition: succeeded() + env: + OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json + inputs: + repoId: microsoft/Docker-Provider + path: post_sbom_validation.py + - task: 1ESGPTRunTask@3.0.376 + displayName: Validate Source Build (1ES PT) + continueOnError: false + target: + container: host + env: + BuildDropPath: $(Pipeline.Workspace)/ev2Artifact/linux-drop + IsProduction: True + OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) + inputs: + repoId: microsoft/Docker-Provider + path: validate_source_build.py + - task: 
securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 + displayName: "\U0001F6E1 Guardian: CodeSign Validation" + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + continueOnError: true + timeoutInMinutes: 10 + inputs: + Path: $(Pipeline.Workspace)/ev2Artifact + MaxThreads: $(OneES_UsableProcessorCount) + FailIfNoTargetsFound: false + ExcludePassesFromLog: False + Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; + - task: 1ESGPTRunTask@3.0.376 + displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" + continueOnError: true + target: + container: host + condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) + env: + OneES_PipelineWorkspace: $(Pipeline.Workspace) + OneES_DeleteCodeSignValidationResult: True + OneES_CustomPolicyFile: '' + inputs: + repoId: microsoft/Docker-Provider + path: check_csv_results.ps1 + - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 + condition: false + inputs: + repository: none + target: + container: host + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP - Deploy + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + UseServerMonitorTask: true + SkipRegistrationIfExists: True + ForceRegistration: true + ApprovalServiceEnvironment: $(ev2Environment) + ServiceRootPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + RolloutSpecPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + StageMapName: Microsoft.Azure.SDP.Standard + Select: regions(*) + ConfigurationOverrides: $(configurationOverrides) + env: + ServiceTreeGuid: 3170cdd2-19f0-4027-912b-1027311691a2 
+ target: + container: host + - job: Ev2_rollout_ev2_monitoring + variables: + - name: OneESPT + value: true + readonly: true + - name: OneESPT.BuildType + value: Official + readonly: true + - name: OneESPT.OS + value: windows + readonly: true + - name: OneESPT.Workflow + value: ev2-classic + readonly: true + - name: ev2Environment + value: Production + - name: Ev2MonintoringUrl + value: 'https://azureservicedeploy.msft.net/api/monitorrollout' + displayName: Agent job - Ev2 Ev2 Monitoring + pool: + name: server + dependsOn: + - Ev2_rollout_ev2_rollout + timeoutInMinutes: '0' + steps: + - task: vsrm-ev2.vss-server-ev2.1950188C-A844-4040-A014-A326BC8332D3.Ev2Agentless@1 + displayName: Ev2 - Monitoring + inputs: + Ev2MonintoringUrl: $(Ev2MonintoringUrl) diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json new file mode 100644 index 0000000000..be1b63d73c --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json 
@@ -0,0 +1,38 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/ConfigurationSpecification.json", + "Settings": { + "tenantId": "33e01921-4d64-4f8c-a055-5bdaffd5e33d", + "environment": "Prod", + "releaseStage": "Pilot", + "adminSubscriptionId": "", + "chartVersion": "0.0.1", + "isCustomerHidden": "", + "registerRegionsCanary": "", + "releaseTrainsPreviewPath": "", + "releaseTrainsStablePath": "", + "registerRegionsBatch": "", + "resourceAudience": "", + "spnClientId": "", + "spnSecret": "", + "spnTenantId": "", + "managedIdentity": "/subscriptions/30c56c3a-54da-46ea-b004-06eb33432687/resourceGroups/containerinsightsprod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ev2-agent-release", + "acrName": "containerinsightsprod", + "repoType": "stable" + }, + "Geographies": [ + { + "Name": "United States", + "Settings": {}, + "Regions": [ + { + "Name": "eastus2", + "Settings": { + "stampCount": 1, + "azureResourceGroup": "ContainerInsightsExtension-ChartPush", + "subscriptionkey": "ContainerInsights-30c56c3a-54da-46ea-b004-06eb33432687" + } + } + ] + } + ] +} diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json new file mode 100644 index 0000000000..daee1b4a23 --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Parameters/ChartPush.Parameters.json 
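Review bot: The `Settings` block of this ChartPush configuration carries `spnClientId`, `spnSecret`, `spnTenantId` and the other empty keys (`adminSubscriptionId`, `isCustomerHidden`, `registerRegions*`, `releaseTrains*`, `resourceAudience`), none of which this service group consumes. Its ScopeBindings.json binds only `releaseStage`, `acrName`, `repoType`, `chartVersion` and `managedIdentity`, and pushChartToAcr.sh authenticates with `az login --identity`. A secret-shaped slot such as `spnSecret` in a plain-text rollout configuration invites someone to fill it in later, so I would delete the unused keys and keep the five bound settings plus `tenantId` and `environment`. `chartVersion` is pinned to `"0.0.1"` while the `Pilot` branch of the script packages the local chart without reading `CHART_VERSION`, so it looks unused for this stage as well; worth confirming.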
@@ -0,0 +1,50 @@ +{ + "$schema": "http://schema.express.azure.com/schemas/2022-01-01/RolloutParameters.json", + "contentVersion": "1.0.0.0", + "shellExtensions": [ + { + "name": "PushChartToACR", + "type": "ShellExtensionType", + "properties": { + "maxExecutionTime": "PT1H", + "useFallBackLocations": true, + "skipDeleteAfterExecution": false + }, + "package": { + "reference": { + "path": "artifacts.tar.gz" + } + }, + "launch": { + "command": [ + "/bin/bash", + "pushChartToAcr.sh" + ], + "environmentVariables": [ + { + "name": "RELEASE_STAGE", + "value": "__RELEASE_STAGE__" + }, + { + "name": "ACR_NAME", + "value": "__ACR_NAME__" + }, + { + "name": "REPO_TYPE", + "value": "__REPO_TYPE__" + }, + { + "name": "CHART_VERSION", + "value": "__CHART_VERSION__" + } + ], + "identity": { + "type": "userAssigned", + "userAssignedIdentities": [ + "__MANAGED_IDENTITY__" + ] + } + } + } + ] +} diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json new file mode 100644 index 0000000000..562f0bedc9 --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/RolloutSpec.json 
@@ -0,0 +1,41 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticRolloutSpecification.json", + "contentVersion": "1.0.0.0", + "rolloutMetadata": { + "serviceModelPath": "ServiceModel.json", + "scopeBindingsPath": "ScopeBindings.json", + "name": "ContainerInsightsExtension-ChartPush", + "configuration": { + "serviceGroupScope": { + "specPath": "Configurations.Public.Prod.json" + } + }, + "rolloutType": "Major", + "buildSource": { + "parameters": { + "versionFile": "buildver.txt" + } + }, + "notification": { + "email": { + "to": "omscontainers@microsoft.com", + "options": { + "when": [ + "onError" + ] + } + } + } + }, + "orchestratedSteps": [ + { + "name": "Rollout.PushChartToACR", + "targetType": "ServiceResourceDefinition", + "targetName": "ShellExtension", + "actions": [ + "shell/PushChartToACR" + ], + "dependsOn": [] + } + ] +} diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json new file mode 100644 index 0000000000..da07610949 --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ScopeBindings.json @@ -0,0 +1,31 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", + "contentVersion": "0.0.0.1", + "scopeBindings": [ + { + "scopeTagName": "Stable", + "bindings": [ + { + "find": "__RELEASE_STAGE__", + "replaceWith": "$config(releaseStage)" + }, + { + "find": "__ACR_NAME__", + "replaceWith": "$config(acrName)" + }, + { + "find": "__REPO_TYPE__", + "replaceWith": "$config(repoType)" + }, + { + "find": "__CHART_VERSION__", + "replaceWith": "$config(chartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$config(managedIdentity)" + } + ] + } + ] +} 
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh new file mode 100644 index 0000000000..e14e0dd251 --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh 
@@ -0,0 +1,187 @@ +#!/bin/bash + +export HELM_EXPERIMENTAL_OCI=1 +export MCR_NAME="mcr.microsoft.com" + +# for prod-> stable and for test -> preview +# by default is preview, for the prod release piepline, pass the stable value in the Variables +if [ -z "$REPO_TYPE" ]; then + REPO_TYPE="preview" +fi + +# repo paths for arc k8s extension roll-out +# canary region +export CANARY_REGION_REPO_PATH="azuremonitor/containerinsights/canary/${REPO_TYPE}" +# pilot region +export PILOT_REGION_REPO_PATH="azuremonitor/containerinsights/prod1/${REPO_TYPE}" +# light load regions +export LIGHT_LOAD_REGION_REPO_PATH="azuremonitor/containerinsights/prod2/${REPO_TYPE}" +# medium load regions +export MEDIUM_LOAD_REGION_REPO_PATH="azuremonitor/containerinsights/prod3/${REPO_TYPE}" +# high load regions +export HIGH_LOAD_REGION_REPO_PATH="azuremonitor/containerinsights/prod4/${REPO_TYPE}" +# FairFax regions +export FF_REGION_REPO_PATH="azuremonitor/containerinsights/prod5/${REPO_TYPE}" +# Mooncake regions +export MC_REGION_REPO_PATH="azuremonitor/containerinsights/prod6/${REPO_TYPE}" + +export CHART_NAME="azuremonitor-containers" + +# pull chart from previous stage mcr and push chart to next stage acr +pull_chart_from_source_mcr_to_push_to_dest_acr() { + srcMcrFullPath=${1} + destAcrFullPath=${2} + + if [ -z $srcMcrFullPath ]; then + echo "-e error source mcr path must be provided " + exit 1 + fi + + if [ -z $destAcrFullPath ]; then + echo "-e error dest acr path must be provided " + exit 1 + fi + + echo "Pulling chart from MCR:${srcMcrFullPath} ..." + helm pull ${srcMcrFullPath} --version ${CHART_VERSION} + if [ $? -eq 0 ]; then + echo "Pulling chart from MCR:${srcMcrFullPath} completed successfully." + else + echo "-e error Pulling chart from MCR:${srcMcrFullPath} failed. Please review Ev2 pipeline logs for more details on the error." + exit 1 + fi + + echo "pushing the azuremonitor-containers chart version: ${CHART_VERSION} to acr path: ${destAcrFullPath} ..." 
+ helm push azuremonitor-containers-${CHART_VERSION}.tgz ${destAcrFullPath} + if [ $? -eq 0 ]; then + echo "pushing the azuremonitor-containers chart version ${CHART_VERSION} to acr path: ${destAcrFullPath} completed successfully." + else + echo "-e error pushing the azuremonitor-containers chart version ${CHART_VERSION} to acr path: ${destAcrFullPath} failed. Please review Ev2 pipeline logs for more details on the error." + exit 1 + fi +} + +# push to local release candidate chart to canary region +push_local_chart_to_acr() { + destAcrFullPath=${1} + if [ -z $destAcrFullPath ]; then + echo "-e error dest acr path must be provided " + exit 1 + fi + + echo "generate chart package file" + export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') + if [ $? -eq 0 ]; then + echo "chart package file generated successfully." + else + echo "-e error package generation failed. Please review Ev2 pipeline logs for more details on the error." + exit 1 + fi + + echo "chart package file: ${CHART_FILE}" + + + echo "pushing the chart to acr path: ${destAcrFullPath} ..." + helm push $CHART_FILE $destAcrFullPath + if [ $? -eq 0 ]; then + echo "pushing the chart ${CHART_FILE} to acr path: ${destAcrFullPath} completed successfully." + else + echo "-e error pushing the chart ${CHART_FILE} to acr path: ${destAcrFullPath} failed.Please review Ev2 pipeline logs for more details on the error." + exit 1 + fi +} + +echo "START - Release stage : ${RELEASE_STAGE}" + +# login to acr +echo "Using acr : ${ACR_NAME}" +echo "Using acr repo type: ${REPO_TYPE}" + +#Login to az cli and authenticate to acr +echo "Login cli using managed identity" +az login --identity +if [ $? -eq 0 ]; then + echo "Logged in successfully" +else + echo "-e error az login with managed identity credentials failed. Please review the Ev2 pipeline logs for more details on the error." 
+ exit 1 +fi + +ACCESS_TOKEN=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken) +if [ $? -ne 0 ]; then + echo "-e error az acr login failed. Please review the Ev2 pipeline logs for more details on the error." + exit 1 +fi + +echo "login to acr:${ACR_NAME} using helm ..." +echo $ACCESS_TOKEN | helm registry login $ACR_NAME -u 00000000-0000-0000-0000-000000000000 --password-stdin +if [ $? -eq 0 ]; then + echo "login to acr:${ACR_NAME} using helm completed successfully." +else + echo "-e error login to acr:${ACR_NAME} using helm failed. Please review Ev2 pipeline logs for more details on the error." + exit 1 +fi + +case $RELEASE_STAGE in + + Canary) + echo "START: Release stage - Canary" + destAcrFullPath=oci://${ACR_NAME}/public/${CANARY_REGION_REPO_PATH} + push_local_chart_to_acr $destAcrFullPath + echo "END: Release stage - Canary" + ;; + + Pilot | Prod1) + echo "START: Release stage - Pilot" + destAcrFullPath=oci://${ACR_NAME}/public/${PILOT_REGION_REPO_PATH} + push_local_chart_to_acr $destAcrFullPath + echo "END: Release stage - Pilot" + ;; + + LightLoad | Pord2) + echo "START: Release stage - Light Load Regions" + srcMcrFullPath=oci://${MCR_NAME}/${PILOT_REGION_REPO_PATH}/${CHART_NAME} + destAcrFullPath=oci://${ACR_NAME}/public/${LIGHT_LOAD_REGION_REPO_PATH} + pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + echo "END: Release stage - Light Load Regions" + ;; + + MediumLoad | Prod3) + echo "START: Release stage - Medium Load Regions" + srcMcrFullPath=oci://${MCR_NAME}/${LIGHT_LOAD_REGION_REPO_PATH}/${CHART_NAME} + destAcrFullPath=oci://${ACR_NAME}/public/${MEDIUM_LOAD_REGION_REPO_PATH} + pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + echo "END: Release stage - Medium Load Regions" + ;; + + HighLoad | Prod4) + echo "START: Release stage - High Load Regions" + srcMcrFullPath=oci://${MCR_NAME}/${MEDIUM_LOAD_REGION_REPO_PATH}/${CHART_NAME} + 
destAcrFullPath=oci://${ACR_NAME}/public/${HIGH_LOAD_REGION_REPO_PATH} + pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + echo "END: Release stage - High Load Regions" + ;; + + FF | Prod5) + echo "START: Release stage - FF" + srcMcrFullPath=oci://${MCR_NAME}/${HIGH_LOAD_REGION_REPO_PATH}/${CHART_NAME} + destAcrFullPath=oci://${ACR_NAME}/public/${FF_REGION_REPO_PATH} + pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + echo "END: Release stage - FF" + ;; + + MC | Prod6) + echo "START: Release stage - MC" + srcMcrFullPath=oci://${MCR_NAME}/${FF_REGION_REPO_PATH}/${CHART_NAME} + destAcrFullPath=oci://${ACR_NAME}/public/${MC_REGION_REPO_PATH} + pull_chart_from_source_mcr_to_push_to_dest_acr $srcMcrFullPath $destAcrFullPath + echo "END: Release stage - MC" + ;; + + *) + echo -n "unknown release stage" + exit 1 + ;; +esac + +echo "END - Release stage : ${RELEASE_STAGE}" diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json new file mode 100644 index 0000000000..7a88a8a1be --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json @@ -0,0 +1,6 @@ +{ + "name": "Microsoft.ContainerInsights.Extension.ChartPush", + "description": "Container Insights Extension Chart Push", + "ownerGroupContactEmail": "omscontainers@microsoft.com", + "contentVersion": "1.0.0.0" +} diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json new file mode 100644 index 0000000000..e06b90af73 --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceModel.json 
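Review bot: In `push_local_chart_to_acr` the `if [ $? -eq 0 ]` after `export CHART_FILE=$(helm package ... | awk ...)` tests the exit status of `export`, which is 0 even when `helm package` fails, so the failure branch cannot fire and the script continues to `helm push` with an empty or wrong `CHART_FILE`. Put `set -o pipefail` at the top, assign with `CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')`, test `$?` right after that plain assignment, and run `export CHART_FILE` afterwards. The case label `LightLoad | Pord2)` looks like a typo for `Prod2`; as written, a stage value of `Prod2` falls through to `unknown release stage`. The `[ -z $srcMcrFullPath ]` and `[ -z $destAcrFullPath ]` tests and the `helm pull`/`helm push` arguments should also quote their expansions, for example `[ -z "$destAcrFullPath" ]`.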
@@ -0,0 +1,51 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticServiceModel.json", + "contentVersion": "1.0.0.0", + "serviceMetadata": { + "serviceGroup": "Microsoft.ContainerInsights.Extension.ChartPush", + "serviceIdentifier": "3170cdd2-19f0-4027-912b-1027311691a2", + "tenantId": "$config(tenantId)", + "environment": "$config(environment)", + "displayName": "ContainerInsightsExtension-ChartPush", + "buildout": { + "isForAutomatedBuildout": "True" + }, + "serviceSpecificationPath": "ServiceSpec.json", + "serviceGroupSpecificationPath": "ServiceGroupSpec.json" + }, + "serviceResourceGroupDefinitions": [ + { + "name": "SRG.ShellExtension", + "azureResourceGroupName": "$config(azureResourceGroup)", + "scopeTags": [ + { + "name": "Stable" + } + ], + "subscriptionKey": "$config(subscriptionkey)", + "stamps": { + "count": "$config(stampCount)" + }, + "serviceResourceDefinitions": [ + { + "name": "ShellExtension", + "composedOf": { + "extension": { + "rolloutParametersPath": "Parameters\\ChartPush.Parameters.json", + "shell": [ + { + "type": "ShellExtensionType", + "properties": { + "imageName": "adm-ubuntu-2004-l", + "imageVersion": "v8" + } + } + ] + } + }, + "scopeTags": [] + } + ] + } + ] +} diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json new file mode 100644 index 0000000000..d85fd8043d --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json @@ -0,0 +1,8 @@ +{ + "providerType": "ServiceTree", + "identifier": "3170cdd2-19f0-4027-912b-1027311691a2", + "description": "Azure Monitor Container Insights Extension Release", + "ownerGroupContactEmail": "omscontainers@microsoft.com", + "policyCheckEnabled": true, + "contentVersion": "1.0.0.0" +} 
diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt new file mode 100644 index 0000000000..b289f7bed4 --- /dev/null +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/buildver.txt @@ -0,0 +1 @@ +1.0.0.1 diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json new file mode 100644 index 0000000000..7812a84379 --- /dev/null +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Configurations.Public.Prod.json @@ -0,0 +1,38 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/ConfigurationSpecification.json", + "Settings": { + "tenantId": "33e01921-4d64-4f8c-a055-5bdaffd5e33d", + "environment": "Prod", + "releaseStage": "Stable", + "adminSubscriptionId": "", + "chartVersion": "", + "isCustomerHidden": "", + "registerRegionsCanary": "", + "releaseTrainsPreviewPath": "", + "releaseTrainsStablePath": "", + "registerRegionsBatch": "", + "resourceAudience": "", + "spnClientId": "", + "spnSecret": "", + "spnTenantId": "", + "managedIdentity": "", + "acrName": "", + "repoType": "" + }, + "Geographies": [ + { + "Name": "United States", + "Settings": {}, + "Regions": [ + { + "Name": "eastus2", + "Settings": { + "stampCount": 1, + "azureResourceGroup": "ContainerInsightsExtension-Pilot-Release", + "subscriptionkey": "ContainerInsights-30c56c3a-54da-46ea-b004-06eb33432687" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml new file mode 100644 index 0000000000..d5b80b82bf --- /dev/null 
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ManagedSDPReleasePipeline.yml 
@@ -0,0 +1,90 @@ +trigger: none +resources: + pipelines: + - pipeline: build-artifacts + source: CDPX\docker-provider-arc\ARC-K8S-Extension-MergedBranches + repositories: + - repository: templates + type: git + name: OneBranch.Pipelines/GovernedTemplates + ref: refs/heads/main +parameters: +- name: rolloutType + displayName: Rollout Type + type: string + default: normal + values: + - normal + - emergency + - globaloutage +- name: overrideManagedValidationDuration + displayName: Override standard SDP duration? + type: boolean + default: false + values: + - true + - false +- name: managedValidationOverrideDurationInHours + displayName: Managed validation override duration in hours + type: number + default: 0 + values: +- name: icmIncidentId + displayName: ICM Incident Id + type: number + default: 0 + values: +- name: ServiceRootPath + displayName: Service Root Path + type: string + default: $(Pipeline.Workspace)/build-artifacts/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot + values: +- name: RolloutSpecPath + displayName: Rollout Spec Path + type: string + default: $(Pipeline.Workspace)/build-artifacts/drop/build/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json + values: +- name: select + displayName: Select + type: string + default: regions(*) + values: +variables: +- name: configurationOverrides + value: '{}' +extends: + template: v2/OneBranch.Official.CrossPlat.yml@templates + parameters: + stages: + - stage: PROD_Prod_Managed_SDP + displayName: 'Production: Managed SDP' + dependsOn: [] + variables: + ob_release_environment: Production + jobs: + - job: PROD_Prod_Managed_SDP + displayName: PROD_Prod_Managed_SDP + pool: + type: release + condition: + dependsOn: + steps: + - download: build-artifacts + - task: vsrm-ev2.ev2-rollout.ev2-rollout-task.Ev2RARollout@2 + displayName: Ev2 Managed SDP Rollout + inputs: + EndpointProviderType: ApprovalService + TaskAction: RegisterAndRollout + SkipRegistrationIfExists: True + 
ForceRegistration: true + ServiceRootPath: ${{parameters.ServiceRootPath}} + RolloutSpecPath: ${{parameters.RolloutSpecPath}} + StageMapName: Microsoft.Azure.SDP.Standard + Select: ${{parameters.select}} + ApprovalServiceEnvironment: Production + ConfigurationOverrides: $(configurationOverrides) + ev2ManagedSdpRolloutConfig: + rolloutType: ${{parameters.rolloutType}} + overrideManagedValidationDuration: ${{parameters.overrideManagedValidationDuration}} + managedValidationOverrideDurationInHours: ${{parameters.managedValidationOverrideDurationInHours}} + icmIncidentId: ${{parameters.icmIncidentId}} diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json new file mode 100644 index 0000000000..f5c3102853 --- /dev/null +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Parameters/RolloutParameter.json 
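Review bot: `ServiceRootPath`, `RolloutSpecPath` and `select` are free-form queue-time `string` parameters passed straight into the `Ev2RARollout@2` inputs of the production stage, so whoever queues a run can point the rollout at any spec path on the agent or change the region selection. Unless that flexibility is required, I would turn the two paths into fixed `variables` so that a production rollout always uses the spec shipped in the `build-artifacts` drop. The bare `values:`, `condition:` and `dependsOn:` keys parse as null and are better removed. `configurationOverrides` is set to `'{}'` while the sibling Configurations.Public.Prod.json leaves `chartVersion` and `managedIdentity` empty, so a comment stating where the real values are injected would help the next reader.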
@@ -0,0 +1,90 @@ +{ + "$schema": "http://schema.express.azure.com/schemas/2022-01-01/RolloutParameters.json", + "contentVersion": "1.0.0.0", + "shellExtensions": [ + { + "name": "ArcExtensionRelease", + "type": "ShellExtensionType", + "properties": { + "maxExecutionTime": "PT1H", + "useFallBackLocations": false, + "skipDeleteAfterExecution": false + }, + "package": { + "reference": { + "path": "artifacts.tar.gz" + } + }, + "launch": { + "command": [ + "/bin/bash", + "arcExtensionRelease.sh" + ], + "environmentVariables": [ + { + "name": "RELEASE_STAGE", + "value": "__RELEASE_STAGE__" + }, + { + "name": "ADMIN_SUBSCRIPTION_ID", + "value": "__ADMIN_SUBSCRIPTION_ID__" + }, + { + "name": "CHART_VERSION", + "value": "__CHART_VERSION__" + }, + { + "name": "IS_CUSTOMER_HIDDEN", + "value": "__IS_CUSTOMER_HIDDEN__" + }, + { + "name": "REGISTER_REGIONS_CANARY", + "value": "__REGISTER_REGIONS_CANARY__" + }, + { + "name": "RELEASE_TRAINS_PREVIEW_PATH", + "value": "__RELEASE_TRAINS_PREVIEW_PATH__" + }, + { + "name": "RELEASE_TRAINS_STABLE_PATH", + "value": "__RELEASE_TRAINS_STABLE_PATH__" + }, + { + "name": "REGISTER_REGIONS_BATCH", + "value": "__REGISTER_REGIONS_BATCH__" + }, + { + "name": "RESOURCE_AUDIENCE", + "value": "__RESOURCE_AUDIENCE__" + }, + { + "name": "SPN_CLIENT_ID", + "value": "__SPN_CLIENT_ID__" + }, + { + "name": "SPN_SECRET", + "value": "__SPN_SECRET__" + }, + { + "name": "SPN_TENANT_ID", + "value": "__SPN_TENANT_ID__" + } + ], + "identity": { + "type": "userAssigned", + "userAssignedIdentities": [ + "__MANAGED_IDENTITY__" + ] + } + } + } + ], + "wait": [ + { + "name": "waitSdpBakeTime", + "properties": { + "duration": "PT24H" + } + } + ] +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json new file mode 100644 index 0000000000..37387c2042 --- /dev/null 
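Review bot: `SPN_SECRET` is handed to the shell extension as an ordinary environment variable whose value is the `__SPN_SECRET__` placeholder, which this service group's ScopeBindings.json replaces with `$config(spnSecret)` from the plain-text Configurations.Public.Prod.json (or from `ConfigurationOverrides`). A real credential supplied that way would travel through pipeline variables and rollout configuration in clear text and would sit in the process environment of arcExtensionRelease.sh. The extension already declares a user-assigned identity under `identity`, so if the script can authenticate with it, I would drop `SPN_CLIENT_ID`, `SPN_SECRET` and `SPN_TENANT_ID` here together with their bindings and settings. Otherwise the secret should be resolved from a secret store at rollout time rather than through `$config(...)`. Whether the script still reads these variables is not visible in this part of the patch.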
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/RolloutSpec.json @@ -0,0 +1,41 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticRolloutSpecification.json", + "contentVersion": "1.0.0.0", + "rolloutMetadata": { + "serviceModelPath": "ServiceModel.json", + "scopeBindingsPath": "ScopeBindings.json", + "name": "ContainerInsightsExtension-Release", + "configuration": { + "serviceGroupScope": { + "specPath": "Configurations.Public.Prod.json" + } + }, + "rolloutType": "Major", + "buildSource": { + "parameters": { + "versionFile": "buildver.txt" + } + }, + "notification": { + "email": { + "to": "omscontainers@microsoft.com", + "options": { + "when": [ + "onError" + ] + } + } + } + }, + "orchestratedSteps": [ + { + "name": "Rollout.ArcExtensionRelease", + "targetType": "ServiceResourceDefinition", + "targetName": "ShellExtension", + "actions": [ + "shell/ArcExtensionRelease" + ], + "dependsOn": [] + } + ] +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json new file mode 100644 index 0000000000..86f89c46ee --- /dev/null +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ScopeBindings.json 
@@ -0,0 +1,63 @@ +{ + "$schema": "https://ev2schema.azure.net/schemas/2020-01-01/scopeBindings.json", + "contentVersion": "0.0.0.1", + "scopeBindings": [ + { + "scopeTagName": "Stable", + "bindings": [ + { + "find": "__RELEASE_STAGE__", + "replaceWith": "$config(releaseStage)" + }, + { + "find": "__ADMIN_SUBSCRIPTION_ID__", + "replaceWith": "$config(adminSubscriptionId)" + }, + { + "find": "__CHART_VERSION__", + "replaceWith": "$config(chartVersion)" + }, + { + "find": "__IS_CUSTOMER_HIDDEN__", + "replaceWith": "$config(isCustomerHidden)" + }, + { + "find": "__REGISTER_REGIONS_CANARY__", + "replaceWith": "$config(registerRegionsCanary)" + }, + { + "find": "__RELEASE_TRAINS_PREVIEW_PATH__", + "replaceWith": "$config(releaseTrainsPreviewPath)" + }, + { + "find": "__RELEASE_TRAINS_STABLE_PATH__", + "replaceWith": "$config(releaseTrainsStablePath)" + }, + { + "find": "__REGISTER_REGIONS_BATCH__", + "replaceWith": "$config(registerRegionsBatch)" + }, + { + "find": "__RESOURCE_AUDIENCE__", + "replaceWith": "$config(resourceAudience)" + }, + { + "find": "__SPN_CLIENT_ID__", + "replaceWith": "$config(spnClientId)" + }, + { + "find": "__SPN_SECRET__", + "replaceWith": "$config(spnSecret)" + }, + { + "find": "__SPN_TENANT_ID__", + "replaceWith": "$config(spnTenantId)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$config(managedIdentity)" + } + ] + } + ] +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh new file mode 100644 index 0000000000..3416e2d39f --- /dev/null +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/Scripts/arcExtensionRelease.sh 
@@ -0,0 +1,266 @@
+#!/bin/bash
+# Register azuremonitor-containers extension with Arc Registration API
+export HELM_EXPERIMENTAL_OCI=1
+
+REGISTER_REGIONS_CANARY='"'$(echo "$REGISTER_REGIONS_CANARY" | sed 's/,/","/g')'"'
+RELEASE_TRAINS_PREVIEW_PATH='"'$(echo "$RELEASE_TRAINS_PREVIEW_PATH" | sed 's/,/","/g')'"'
+RELEASE_TRAINS_STABLE_PATH='"'$(echo "$RELEASE_TRAINS_STABLE_PATH" | sed 's/,/","/g')'"'
+REGISTER_REGIONS_BATCH='"'$(echo "$REGISTER_REGIONS_BATCH" | sed 's/,/","/g')'"'
+IS_CUSTOMER_HIDDEN=$IS_CUSTOMER_HIDDEN
+CHART_VERSION=${CHART_VERSION}
+
+PACKAGE_CONFIG_NAME="${PACKAGE_CONFIG_NAME:-microsoft.azuremonitor.containers-pkg092025}"
+API_VERSION="${API_VERSION:-2021-05-01}"
+METHOD="${METHOD:-put}"
+REGISTRY_PATH_CANARY_STABLE="https://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"
+REGISTRY_PATH_PROD_STABLE="https://mcr.microsoft.com/azuremonitor/containerinsights/prod1/stable/azuremonitor-containers"
+
+if [ -z "$REGISTER_REGIONS_CANARY" ]; then
+ echo "-e error release region must be provided "
+ exit 1
+fi
+if [ -z "$IS_CUSTOMER_HIDDEN" ]; then
+ echo "-e error is_customer_hidden must be provided "
+ exit 1
+fi
+if [ -z "$CHART_VERSION" ]; then
+ echo "-e error chart version must be provided "
+ exit 1
+fi
+
+echo "Start arc extension release stage ${RELEASE_STAGE}, REGISTER_REGIONS is $REGISTER_REGIONS_CANARY, RELEASE_TRAINS are $RELEASE_TRAINS_PREVIEW_PATH, $RELEASE_TRAINS_STABLE_PATH, PACKAGE_CONFIG_NAME is $PACKAGE_CONFIG_NAME, API_VERSION is $API_VERSION, METHOD is $METHOD"
+
+case $RELEASE_STAGE in
+
+ CanaryPreview)
+if [ -z "$RELEASE_TRAINS_PREVIEW_PATH" ]; then
+ echo "-e error preview release train must be provided "
+ exit 1
+fi
+MCR_NAME_PATH="oci://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"
+echo "Pulling chart from MCR:${MCR_NAME_PATH}"
+helm pull ${MCR_NAME_PATH} --version ${CHART_VERSION}
+if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} completed successfully."
+else
+ echo "-e error Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+# Create JSON request body
+cat < "request.json"
+{
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_PREVIEW_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+sed -i '$ s/.$//' request.json
+cat <> "request.json"
+ ]
+}
+EOF
+ ;;
+
+ CanaryStable)
+if [ -z "$RELEASE_TRAINS_PREVIEW_PATH" ]; then
+ echo "-e error preview release train must be provided "
+ exit 1
+fi
+if [ -z "$RELEASE_TRAINS_STABLE_PATH" ]; then
+ echo "-e error stable release train must be provided "
+ exit 1
+fi
+MCR_NAME_PATH="oci://mcr.microsoft.com/azuremonitor/containerinsights/canary/stable/azuremonitor-containers"
+echo "Pulling chart from MCR:${MCR_NAME_PATH}"
+helm pull ${MCR_NAME_PATH} --version ${CHART_VERSION}
+if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} completed successfully."
+else
+ echo "-e error Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+# Create JSON request body
+cat < "request.json"
+{
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_PREVIEW_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+cat <> "request.json"
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_STABLE_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+sed -i '$ s/.$//' request.json
+cat <> "request.json"
+ ]
+}
+EOF
+ ;;
+
+ Stable)
+if [ -z "$RELEASE_TRAINS_PREVIEW_PATH" ]; then
+ echo "-e error preview release train must be provided "
+ exit 1
+fi
+if [ -z "$RELEASE_TRAINS_STABLE_PATH" ]; then
+ echo "-e error stable release train must be provided "
+ exit 1
+fi
+if [ -z "$REGISTER_REGIONS_BATCH" ]; then
+ echo "-e error stable release regions must be provided "
+ exit 1
+fi
+MCR_NAME_PATH="oci://mcr.microsoft.com/azuremonitor/containerinsights/prod1/stable/azuremonitor-containers"
+echo "Pulling chart from MCR:${MCR_NAME_PATH}"
+helm pull ${MCR_NAME_PATH} --version ${CHART_VERSION}
+if [ $? -eq 0 ]; then
+ echo "Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} completed successfully."
+else
+ echo "-e error Pulling chart from MCR:${MCR_NAME_PATH}:${CHART_VERSION} failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+# Create JSON request body
+cat < "request.json"
+{
+ "artifactEndpoints": [
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_PREVIEW_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+cat <> "request.json"
+ {
+ "Regions": [
+ $REGISTER_REGIONS_CANARY
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_STABLE_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_CANARY_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+cat <> "request.json"
+ {
+ "Regions": [
+ $REGISTER_REGIONS_BATCH
+ ],
+ "Releasetrains": [
+ $RELEASE_TRAINS_STABLE_PATH
+ ],
+ "FullPathToHelmChart": "$REGISTRY_PATH_PROD_STABLE",
+ "ExtensionUpdateFrequencyInMinutes": 60,
+ "IsCustomerHidden": $IS_CUSTOMER_HIDDEN,
+ "ReadyforRollout": true,
+ "RollbackVersion": null,
+ "PackageConfigName": "$PACKAGE_CONFIG_NAME"
+ },
+EOF
+sed -i '$ s/.$//' request.json
+cat <> "request.json"
+ ]
+}
+EOF
+ ;;
+
+ *)
+ echo -n "unknown release stage"
+ exit 1
+ ;;
+esac
+
+cat request.json | jq
+
+# Send Request
+SUBSCRIPTION=${ADMIN_SUBSCRIPTION_ID}
+RESOURCE_AUDIENCE=${RESOURCE_AUDIENCE}
+
+echo "Request parameter preparation, SUBSCRIPTION is $SUBSCRIPTION, RESOURCE_AUDIENCE is $RESOURCE_AUDIENCE, CHART_VERSION is $CHART_VERSION, SPN_CLIENT_ID is $SPN_CLIENT_ID, SPN_TENANT_ID is $SPN_TENANT_ID"
+
+echo "Login cli using Managed Identity"
+# Retries needed due to: https://stackoverflow.microsoft.com/questions/195032
+n=0
+signInExitCode=-1
+until [ "$n" -ge 5 ]
+do
+ az login --identity --allow-no-subscriptions && signInExitCode=0 && break
+ n=$((n+1))
+ sleep 15
+done
+
+if [ $signInExitCode -eq 0 ]; then
+ echo "Logged in successfully"
+else
+ echo "-e error failed to login to az with managed identity credentials"
+ exit 1
+fi
+
+ACCESS_TOKEN=$(az account get-access-token --resource $RESOURCE_AUDIENCE --query accessToken -o json)
+if [ $? -eq 0 ]; then
+ echo "get access token from resource:$RESOURCE_AUDIENCE successfully."
+else
+ echo "-e error get access token from resource:$RESOURCE_AUDIENCE failed. Please review Ev2 pipeline logs for more details on the error."
+ exit 1
+fi
+ACCESS_TOKEN=$(echo $ACCESS_TOKEN | tr -d '"' | tr -d '"\r\n')
+
+ARC_API_URL="https://eastus2euap.dp.kubernetesconfiguration.azure.com"
+EXTENSION_NAME="microsoft.azuremonitor.containers"
+
+echo "start send request"
+az rest --method $METHOD --headers "{\"Authorization\": \"Bearer $ACCESS_TOKEN\", \"Content-Type\": \"application/json\"}" --body @request.json --uri $ARC_API_URL/subscriptions/$SUBSCRIPTION/extensionTypeRegistrations/$EXTENSION_NAME/versions/$CHART_VERSION?api-version=$API_VERSION
+if [ $? -eq 0 ]; then
+ echo "arc extension registered successfully"
+else
+ echo "-e error failed to register arc extension"
+ exit 1
+fi
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json
new file mode 100644
index 0000000000..d5f4dad46b
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceGroupSpec.json
@@ -0,0 +1,6 @@
+{
+ "name": "Microsoft.ContainerInsights.Extension",
+ "description": "Container Insights Arc K8s Extension Release",
+ "ownerGroupContactEmail": "omscontainers@microsoft.com",
+ "contentVersion": "1.0.0.0"
+}
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json
new file mode 100644
index 0000000000..46ecef8b8d
--- /dev/null
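Review bot: The `[ -z "$REGISTER_REGIONS_CANARY" ]` guard near the top of arcExtensionRelease.sh can never fire, because the assignment above it has already wrapped the value in literal double quotes, so an unset variable becomes `""` and a region list of `[""]` would go to the registration API; the `RELEASE_TRAINS_PREVIEW_PATH`, `RELEASE_TRAINS_STABLE_PATH` and `REGISTER_REGIONS_BATCH` guards inside the `case` arms have the same problem. Test the raw values before the `sed` quoting step, or compare against `'""'`. Separately, the final `az rest` call puts the bearer token into the process arguments through `--headers`; `az rest --resource "$RESOURCE_AUDIENCE"` lets the CLI attach the token itself and makes the `ACCESS_TOKEN` variable unnecessary. The `--uri` value is unquoted and contains `?`, so wrap it in double quotes to keep the shell from treating it as a glob pattern.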
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceModel.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://ev2schema.azure.net/schemas/2020-04-01/RegionAgnosticServiceModel.json",
+ "contentVersion": "1.0.0.0",
+ "serviceMetadata": {
+ "serviceGroup": "Microsoft.ContainerInsights.Extension",
+ "serviceIdentifier": "3170cdd2-19f0-4027-912b-1027311691a2",
+ "tenantId": "$config(tenantId)",
+ "environment": "$config(environment)",
+ "displayName": "ContainerInsightsExtension",
+ "buildout": {
+ "isForAutomatedBuildout": "True"
+ },
+ "serviceSpecificationPath": "ServiceSpec.json",
+ "serviceGroupSpecificationPath": "ServiceGroupSpec.json"
+ },
+ "serviceResourceGroupDefinitions": [
+ {
+ "name": "SRG.ShellExtension",
+ "azureResourceGroupName": "$config(azureResourceGroup)",
+ "scopeTags": [
+ {
+ "name": "Stable"
+ }
+ ],
+ "subscriptionKey": "$config(subscriptionkey)",
+ "stamps": {
+ "count": "$config(stampCount)"
+ },
+ "serviceResourceDefinitions": [
+ {
+ "name": "ShellExtension",
+ "composedOf": {
+ "extension": {
+ "rolloutParametersPath": "Parameters\\RolloutParameter.json",
+ "shell": [
+ {
+ "type": "ShellExtensionType",
+ "properties": {
+ "imageName": "adm-ubuntu-2004-l",
+ "imageVersion": "v8"
+ }
+ }
+ ]
+ }
+ },
+ "scopeTags": []
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json
new file mode 100644
index 0000000000..df90683445
--- /dev/null
+++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json
@@ -0,0 +1,8 @@
+{
+ "providerType": "ServiceTree",
+ "identifier": "3170cdd2-19f0-4027-912b-1027311691a2",
+ "description": "Azure Monitor Container Insights Arc K8s Extension Release",
+ "ownerGroupContactEmail": "omscontainers@microsoft.com",
+ "policyCheckEnabled": true,
+ "contentVersion": "1.0.0.0"
+}
diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt new file mode 100644 index 0000000000..53afb9e07d --- /dev/null +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/buildver.txt @@ -0,0 +1 @@ +1.0.0.1 From 091eb181de77e332e9e192637596c25f33463019 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Thu, 14 May 2026 15:20:48 -0700 Subject: [PATCH 28/30] fix: shorten ServiceSpec description to under 40 chars Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../ServiceGroupRoot/ServiceSpec.json | 2 +- .../ServiceGroupRoot/ServiceSpec.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json index d85fd8043d..e34bb5fcf5 100644 --- a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/ServiceSpec.json @@ -1,7 +1,7 @@ { "providerType": "ServiceTree", "identifier": "3170cdd2-19f0-4027-912b-1027311691a2", - "description": "Azure Monitor Container Insights Extension Release", + "description": "Container Insights Extension", "ownerGroupContactEmail": "omscontainers@microsoft.com", "policyCheckEnabled": true, "contentVersion": "1.0.0.0" diff --git a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json index df90683445..e34bb5fcf5 100644 --- a/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json +++ b/deployment/arc-k8s-extension-release-v2-Managed-SDP/ServiceGroupRoot/ServiceSpec.json 
@@ -1,7 +1,7 @@ { "providerType": "ServiceTree", "identifier": "3170cdd2-19f0-4027-912b-1027311691a2", - "description": "Azure Monitor Container Insights Arc K8s Extension Release", + "description": "Container Insights Extension", "ownerGroupContactEmail": "omscontainers@microsoft.com", "policyCheckEnabled": true, "contentVersion": "1.0.0.0" From 198fdfa9a5894e0f92cd868a7849f579d0626b06 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Fri, 15 May 2026 13:54:02 -0700 Subject: [PATCH 29/30] fix: use CHART_VERSION variable in helm package for Pilot stage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../ServiceGroupRoot/Scripts/pushChartToAcr.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh index e14e0dd251..0199023544 100644 --- a/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension-Managed-SDP/ServiceGroupRoot/Scripts/pushChartToAcr.sh @@ -70,7 +70,7 @@ push_local_chart_to_acr() { fi echo "generate chart package file" - export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') + export CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ --version ${CHART_VERSION} | awk -F'[:]' '{gsub(/ /, "", $2); print $2}') if [ $? -eq 0 ]; then echo "chart package file generated successfully." else From 0dc2c18023566c2d3f612826008c8dc19ea23d06 Mon Sep 17 00:00:00 2001 From: "LONG WAN (from Dev Box)" Date: Fri, 15 May 2026 17:32:08 -0700 Subject: [PATCH 30/30] update --- kubernetes/windows/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/windows/Dockerfile b/kubernetes/windows/Dockerfile index 3ca6cfdc82..0992643062 100644 --- a/kubernetes/windows/Dockerfile 
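Review bot: The `if [ $? -eq 0 ]` test right after the changed line in pushChartToAcr.sh cannot detect a failed `helm package`, because `$?` there is the status of `export` wrapped around a pipeline that ends in `awk`; an empty or malformed `CHART_VERSION` would still print the success message and leave `CHART_FILE` empty. Assign first, quote the version and test the result: `CHART_FILE=$(helm package charts/azuremonitor-containerinsights/ --version "${CHART_VERSION}" | awk -F'[:]' '{gsub(/ /, "", $2); print $2}')`, then `[ -n "$CHART_FILE" ] || exit 1` and `export CHART_FILE`. `push_local_chart_to_acr` starts and ends outside this hunk, so whether `CHART_VERSION` is validated earlier in the function is not visible here.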
+++ b/kubernetes/windows/Dockerfile @@ -123,4 +123,4 @@ Remove-Item -Recurse -Force 'C:\ruby31\lib\ruby\3.1.0\rdoc\generator\template\js Remove-Item -Recurse -Force 'C:\ruby31\lib\ruby\3.1.0\rdoc\generator\template\darkfish\js'; \ Remove-Item -Force 'C:\ruby31\bin\ridk.ps1'" -ENTRYPOINT ["powershell", "C:\\opt\\amalogswindows\\scripts\\powershell\\main.ps1"] +ENTRYPOINT ["powershell", "C:\\opt\\amalogswindows\\scripts\\powershell\\main.ps1"]