diff --git a/.pipelines/ci-aks-prod-release.yaml b/.pipelines/ci-aks-prod-release.yaml
index 4d7f20d24..fa303618b 100644
--- a/.pipelines/ci-aks-prod-release.yaml
+++ b/.pipelines/ci-aks-prod-release.yaml
@@ -475,422 +475,3 @@ extends: displayName: Ev2 - Monitoring inputs: Ev2MonintoringUrl: $(Ev2MonintoringUrl) - - stage: Stage_3 - displayName: Deploy - trigger: manual - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: Job_1 - displayName: Agent job - condition: succeeded() - timeoutInMinutes: '0' - variables: - - name: OneESPT.JobType - value: releaseJob - readonly: true - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: runCodesignValidationInjection - value: false - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: true - - name: skipNugetSecurityAnalysis - value: true - - name: OneES_targetName - value: host - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - condition: false - inputs: - repository: none - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - BUILD_REASON: $(Build.Reason) - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: -TargetName '' -StepTargets '' -StepsLength 0 -SkipStatelessValidation True -OS windows -IgnoreProductionPoolCheck -IsOfficialTemplate -IsProductionReleasePipeline - - task: 1ESGPTRunTask@3.0.376 - displayName: Branch Validation (1ES PT) - 
continueOnError: true - target: - container: host - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - BUILD_SOURCEBRANCH: $(Build.SourceBranch) - BUILD_REPOSITORY_NAME: $(Build.Repository.Name) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORYPROVIDER: $(Build.Repository.Provider) - BUILD_SOURCEVERSION: $(Build.SourceVersion) - TASK_MODE: audit - inputs: - repoId: microsoft/Docker-Provider - path: release_gating.py - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-aks-prod-release.projectID) - definition: $(resources.pipeline._ci-aks-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-aks-prod-release.runID) - pipeline: _ci-aks-prod-release - target: - container: host - - task: AzureArtifacts.drop-validator-task.drop-validator-task.DropValidatorTask@0 - displayName: "\U0001F6E1 Validate SBoM Manifest (1ES PT)" - condition: succeeded() - continueOnError: False - timeoutInMinutes: 30 - env: - SBOMVALIDATOR_TEMPIGNOREMISSING: true - inputs: - BuildDropPath: $(Pipeline.Workspace) - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - ValidateSignature: True - Verbosity: 'Verbose' - - task: 1ESGPTRunTask@3.0.376 - displayName: Post-SBoM Validation (1ES PT) - continueOnError: true - target: - container: host - condition: succeeded() - env: - OutputPath: $(Agent.TempDirectory)/sbom_validation_results.json - inputs: - repoId: microsoft/Docker-Provider - path: post_sbom_validation.py - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Source Build (1ES PT) - continueOnError: false - target: - container: host - env: - BuildDropPath: $(Pipeline.Workspace) - IsProduction: True - 
OneES_ArtifactType: $(DownloadPipelineArtifactResourceTypes) - inputs: - repoId: microsoft/Docker-Provider - path: validate_source_build.py - - task: securedevelopmentteam.vss-secure-development-tools.build-task-codesignvalidation.CodeSign@1 - displayName: "\U0001F6E1 Guardian: CodeSign Validation" - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - continueOnError: true - timeoutInMinutes: 10 - inputs: - Path: $(Pipeline.Workspace) - MaxThreads: $(OneES_UsableProcessorCount) - FailIfNoTargetsFound: false - ExcludePassesFromLog: False - Targets: f|**\*.dll;f|**\*.exe;f|**\*.sys;f|**\*.ps1;f|**\*.psm1;f|**\*.ps1xml;f|**\*.psc1;f|**\*.psd1;f|**\*.cdxml;f|**\*.vbs;f|**\*.js;f|**\*.wsf;-|.gdn\**; - - task: 1ESGPTRunTask@3.0.376 - displayName: "\U0001F6E1 Guardian: Check CodeSign Validation Results (1ES PT)" - continueOnError: true - target: - container: host - condition: and(succeeded(), ne(variables['ONEES_ENFORCED_CODESIGNVALIDATION_ENABLED'], 'false')) - env: - OneES_PipelineWorkspace: $(Pipeline.Workspace) - OneES_DeleteCodeSignValidationResult: True - OneES_CustomPolicyFile: '' - inputs: - repoId: microsoft/Docker-Provider - path: check_csv_results.ps1 - - task: AzureCLI@2 - displayName: 'Fetch Service Connection Subscription Id (1ES PT)' - continueOnError: true - inputs: - azureSubscription: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - try { - $accountInfo = az account show --query "{subscriptionId:id, tenantId:tenantId}" --only-show-errors --output json | ConvertFrom-Json - Write-Host "Subscription ID: $($accountInfo.subscriptionId)" - Write-Host "##vso[task.setvariable variable=ONEES_SERVICE_CONNECTION_SUBSCRIPTIONID;]$($accountInfo.subscriptionId)" - Write-Host "Tenant ID: $($accountInfo.tenantId)" - Write-Host "##vso[task.setvariable 
variable=ONEES_SERVICE_CONNECTION_TENANTID;]$($accountInfo.tenantId)" - } catch { - Write-Host "Failed to fetch subscription id." - Write-Host $_.Exception.Message - exit 0 - } - - task: 1ESGPTRunTask@3.0.376 - displayName: Service Connection Environment Verification (1ES PT) - continueOnError: true - target: - container: host - env: - IGNORE_MSFT_TENANT: True - ONEBRANCH_PIPELINE_TYPE: $(PIPELINE_TYPE) - SERVICE_CONNECTION_NAME: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - SERVICE_CONNECTION_SUBSCRIPTIONID: $(ONEES_SERVICE_CONNECTION_SUBSCRIPTIONID) - SERVICE_CONNECTION_TENANTID: $(ONEES_SERVICE_CONNECTION_TENANTID) - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - IS_PRODUCTION: True - TASK_NAME: AzureCLI@2 - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - inputs: - repoId: microsoft/Docker-Provider - path: serviceConnectionEnvironmentVerification.ps1 - - task: AzureCLI@2 - inputs: - connectedServiceNameARM: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - scriptType: bash - scriptPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/get-workspace-id-and-key.sh - scriptArguments: WorkspaceResourceId=$(WorkspaceResourceId) - cwd: $(Pipeline.Workspace)/ev2Artifact/drop/build - target: - container: host - displayName: Get Workspace ID and Key - - task: Bash@3 - inputs: - filePath: $(Pipeline.Workspace)/ev2Artifact/drop/build/update-place-holders-in-yaml.sh - arguments: ClusterResourceId=$(ClusterResourceId) ClusterRegion=$(ClusterRegion) CIRelease=$(CIRelease) CIImageTagSuffix=$(AgentImageTagSuffix) - workingDirectory: $(Pipeline.Workspace)/ev2Artifact/drop/build - target: - container: host - displayName: Update Cluster ResourceId, Region, Image, WSID and WSKEY - - task: AzureCLI@2 - displayName: 'Fetch Service Connection Subscription Id (1ES PT)' - continueOnError: true - inputs: - azureSubscription: ContainerInsights_Build_Subscription 
(9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - try { - $accountInfo = az account show --query "{subscriptionId:id, tenantId:tenantId}" --only-show-errors --output json | ConvertFrom-Json - Write-Host "Subscription ID: $($accountInfo.subscriptionId)" - Write-Host "##vso[task.setvariable variable=ONEES_SERVICE_CONNECTION_SUBSCRIPTIONID;]$($accountInfo.subscriptionId)" - Write-Host "Tenant ID: $($accountInfo.tenantId)" - Write-Host "##vso[task.setvariable variable=ONEES_SERVICE_CONNECTION_TENANTID;]$($accountInfo.tenantId)" - } catch { - Write-Host "Failed to fetch subscription id." - Write-Host $_.Exception.Message - exit 0 - } - - task: 1ESGPTRunTask@3.0.376 - displayName: Service Connection Environment Verification (1ES PT) - continueOnError: true - target: - container: host - env: - IGNORE_MSFT_TENANT: True - ONEBRANCH_PIPELINE_TYPE: $(PIPELINE_TYPE) - SERVICE_CONNECTION_NAME: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - SERVICE_CONNECTION_SUBSCRIPTIONID: $(ONEES_SERVICE_CONNECTION_SUBSCRIPTIONID) - SERVICE_CONNECTION_TENANTID: $(ONEES_SERVICE_CONNECTION_TENANTID) - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - IS_PRODUCTION: True - TASK_NAME: Kubernetes@1 - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - inputs: - repoId: microsoft/Docker-Provider - path: serviceConnectionEnvironmentVerification.ps1 - - task: Kubernetes@1 - inputs: - connectionType: Azure Resource Manager - azureSubscriptionEndpoint: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - azureResourceGroup: ciprod-rc-aks16-weu-rg - kubernetesCluster: ciprod-rc-aks16-weu - useClusterAdmin: true - namespace: kube-system - command: apply - arguments: -f ama-logs.yaml - cwd: $(Pipeline.Workspace)/ev2Artifact/drop/build - target: - container: host - displayName: kubectl apply - - task: HelmInstaller@0 - inputs: - helmVersion: 3.2.1 - 
checkLatestHelmVersion: false - target: - container: host - displayName: Install Helm 3.2.1 - - task: AzureCLI@2 - displayName: 'Fetch Service Connection Subscription Id (1ES PT)' - continueOnError: true - inputs: - azureSubscription: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - try { - $accountInfo = az account show --query "{subscriptionId:id, tenantId:tenantId}" --only-show-errors --output json | ConvertFrom-Json - Write-Host "Subscription ID: $($accountInfo.subscriptionId)" - Write-Host "##vso[task.setvariable variable=ONEES_SERVICE_CONNECTION_SUBSCRIPTIONID;]$($accountInfo.subscriptionId)" - Write-Host "Tenant ID: $($accountInfo.tenantId)" - Write-Host "##vso[task.setvariable variable=ONEES_SERVICE_CONNECTION_TENANTID;]$($accountInfo.tenantId)" - } catch { - Write-Host "Failed to fetch subscription id." - Write-Host $_.Exception.Message - exit 0 - } - - task: 1ESGPTRunTask@3.0.376 - displayName: Service Connection Environment Verification (1ES PT) - continueOnError: true - target: - container: host - env: - IGNORE_MSFT_TENANT: True - ONEBRANCH_PIPELINE_TYPE: $(PIPELINE_TYPE) - SERVICE_CONNECTION_NAME: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - SERVICE_CONNECTION_SUBSCRIPTIONID: $(ONEES_SERVICE_CONNECTION_SUBSCRIPTIONID) - SERVICE_CONNECTION_TENANTID: $(ONEES_SERVICE_CONNECTION_TENANTID) - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - IS_PRODUCTION: True - TASK_NAME: AzureCLI@2 - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - inputs: - repoId: microsoft/Docker-Provider - path: serviceConnectionEnvironmentVerification.ps1 - - task: AzureCLI@2 - inputs: - connectedServiceNameARM: ContainerInsights_Build_Subscription (9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb) - scriptType: bash - scriptPath: $(Pipeline.Workspace)/ev2Artifact/drop/build/get-kube-config-from-kv.sh - scriptArguments: 
KV=$(CIKV) KVSECRETNAMEKUBECONFIG=$(AKSEngineClusterKubeConfigSecretName) - target: - container: host - displayName: Download Kubeconfig for AKS-Engine - - task: Bash@3 - inputs: - filePath: $(Pipeline.Workspace)/ev2Artifact/drop/build/install-chart-to-aks-engine-cluster.sh - arguments: ClusterName=$(AKSEngineCluster) CIRelease=$(CIRelease) CIImageTagSuffix=$(AgentImageTagSuffix) - workingDirectory: $(Pipeline.Workspace)/ev2Artifact/drop/build - target: - container: host - displayName: Install chart to aks-engine cluster - - stage: Stage_4 - displayName: Deploy2ScaleCluster - dependsOn: - - Stage_3 - pool: - name: Azure-Pipelines-CI-Test-EO - image: ci-1es-managed-windows-2022 - os: windows - jobs: - - job: Job_1 - displayName: Agent job - condition: succeeded() - timeoutInMinutes: '0' - variables: - - name: OneESPT - value: true - readonly: true - - name: OneESPT.BuildType - value: Official - readonly: true - - name: OneESPT.OS - value: windows - readonly: true - - name: Codeql.SkipTaskAutoInjection - value: true - - name: skipComponentGovernanceDetection - value: false - - name: OneES_targetName - value: host - steps: - - task: 6d15af64-176c-496d-b583-fd2ae21d4df4@1 - inputs: - repository: self - persistCredentials: true - - task: DownloadPipelineArtifact@2 - displayName: ⏬ Pipeline Artifact Download - inputs: - buildType: specific - project: $(resources.pipeline._ci-aks-prod-release.projectID) - definition: $(resources.pipeline._ci-aks-prod-release.pipelineID) - allowFailedBuilds: false - buildVersionToDownload: specific - pipelineId: $(resources.pipeline._ci-aks-prod-release.runID) - pipeline: _ci-aks-prod-release - target: - container: host - - task: 1ESGPTRunTask@3.0.376 - displayName: Validate Hosted Pool Information (1ES PT) - continueOnError: false - target: - container: host - env: - HOST_ARCHITECTURE: amd64 - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - SYSTEM_DEFINITIONID: $(System.DefinitionId) - SYSTEM_COLLECTIONURI: $(System.CollectionUri) - 
SYSTEM_TEAMPROJECT: $(System.TeamProject) - SYSTEM_TEAMPROJECTID: $(System.TeamProjectId) - BUILD_REPOSITORY_ID: $(Build.Repository.ID) - BUILD_REPOSITORY_URI: $(Build.Repository.Uri) - PIPELINEGOVERNANCESTATUS_AUDITED: variables['PipelineGovernanceStatus_Audited'] - PIPELINECLASSIFICATION_AUDITED: variables['PipelineClassification_Audited'] - inputs: - repoId: microsoft/Docker-Provider - path: validateHostedPool.ps1 - arguments: '-TargetName $(OneES_targetName) -StepTargets [] -StepsLength 0 -SkipStatelessValidation False -OS windows -IsOfficialTemplate -IgnoreProductionPoolCheck ' - - task: CodeQL3000Init@0 - displayName: "\U0001F6E1 CodeQL Initialize" - condition: and(ne(variables['ONEES_ENFORCED_CODEQL_ENABLED'], 'false'), or(eq(False, true), eq(variables['OneES_DefaultRepoBranch'], variables['Build.SourceBranch']))) - target: - container: host - continueOnError: true - inputs: - Enabled: true - BuildIdentifier: Stage_4_Job_1 - LanguageDetectorFilter: compiled - - task: ms-1es.1es-networkisolation-tasks.661EE24A-9364-4A3B-A725-3CBEB6F35E4B.1ESNetworkIsolation@1 - displayName: 'Start Network Isolation' - continueOnError: true - timeoutInMinutes: 2 - inputs: - networkIsolationMode: Enforce - - task: ms-1es.1es-networkisolation-tasks.661EE24A-9364-4A3B-A725-3CBEB6F35E4B.1ESNetworkIsolation@1 - displayName: 'Stop Network Isolation' - condition: always() - continueOnError: true - timeoutInMinutes: 2 - inputs: - networkIsolationMode: Stop - - task: CodeQL3000Finalize@0 - displayName: "\U0001F6E1 CodeQL Finalize" - condition: and(ne(variables['ONEES_ENFORCED_CODEQL_ENABLED'], 'false'), or(eq(False, true), eq(variables['OneES_DefaultRepoBranch'], variables['Build.SourceBranch']))) - target: - container: host - continueOnError: true