Use Signed Binaries for Docker Build

Author: sheylatrudo

.pipelines/build/dockerfiles/azure-ipam.Dockerfile

@@ -0,0 +1,11 @@
+ARG ARTIFACT_DIR
+
+FROM scratch AS linux
+COPY ${ARTIFACT_DIR}/bins/dropgz dropgz
+ENTRYPOINT [ "/dropgz" ]
+
+
+# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}"
+FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows
+COPY ${ARTIFACT_DIR}/bins/dropgz dropgz.exe
+ENTRYPOINT [ "/dropgz.exe" ]

.pipelines/build/dockerfiles/cni.Dockerfile

@@ -0,0 +1,16 @@
+ARG ARCH
+ARG ARTIFACT_DIR
+
+FROM scratch AS linux
+ADD ${ARTIFACT_DIR}/bins/dropgz dropgz
+ENTRYPOINT [ "/dropgz" ]
+
+
+# mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0
+FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as hpc
+
+FROM hpc as windows
+ADD ${ARTIFACT_DIR}/bins/dropgz dropgz.exe
+ENTRYPOINT [ "/dropgz.exe" ]
+
+

.pipelines/build/dockerfiles/cns.Dockerfile

@@ -0,0 +1,23 @@
+ARG ARCH
+ARG ARCHIVE_DIR
+
+# mcr.microsoft.com/cbl-mariner/base/core:2.0
+FROM mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS iptables
+RUN tdnf install -y iptables
+
+# mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
+FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux
+COPY --from=iptables /usr/sbin/*tables* /usr/sbin/
+COPY --from=iptables /usr/lib /usr/lib
+COPY ${ARCHIVE_DIR}/bins/azure-cns /usr/local/bin/azure-cns
+ENTRYPOINT [ "/usr/local/bin/azure-cns" ]
+EXPOSE 10090
+
+
+# mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0
+FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows
+COPY ${ARCHIVE_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml
+COPY ${ARCHIVE_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1
+COPY ${ARCHIVE_DIR}/bins/azure-cns /azure-cns.exe
+ENTRYPOINT ["azure-cns.exe"]
+EXPOSE 10090

.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile

@@ -0,0 +1,8 @@
+ARG ARCHIVE_DIR
+
+FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux
+COPY ${ARCHIVE_DIR}/lib/* /lib
+COPY ${ARCHIVE_DIR}/bins/ipv6-hp-bpf /ipv6-hp-bpf
+COPY ${ARCHIVE_DIR}/bins/nft /usr/sbin/nft
+COPY ${ARCHIVE_DIR}/bins/ip /sbin/ip
+CMD ["/ipv6-hp-bpf"]

.pipelines/build/dockerfiles/npm.Dockerfile

@@ -0,0 +1,20 @@
+FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux
+
+RUN apt-get update && \
+  apt-get install -y libc-bin=2.31-0ubuntu9.17 libc6=2.31-0ubuntu9.17 libtasn1-6=4.16.0-2ubuntu0.1 libgnutls30=3.6.13-2ubuntu1.12 iptables ipset ca-certificates && \
+  apt-get autoremove -y && \
+  apt-get clean
+
+RUN chmod +x /usr/bin/azure-npm
+ENTRYPOINT ["/usr/bin/azure-npm", "start"]
+
+
+# intermediate for win-ltsc2022
+FROM mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows
+
+COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml
+COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1
+COPY ${ARTIFACT_DIR}/files/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1
+COPY ${ARTIFACT_DIR}/bins/azure-npm.exe npm.exe
+
+CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"]

.pipelines/build/images.jobs.yaml

@@ -0,0 +1,114 @@
+parameters:
+- name: images
+  type: jobList
+
+
+jobs:
+- ${{ each job_data in parameters.images }}:
+  - job: pkg_${{ job_data.job }}
+    displayName: "Build Image Package - ${{ job_data.displayName }} -"
+    strategy: ${{ job_data.strategy }}
+    pool:
+      type: linux
+      ${{ if eq(job_data.job, 'linux_arm64') }}:
+        hostArchitecture: arm64
+
+    variables:
+      ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+      ob_artifactSuffix: _$(artifact)
+      ob_git_checkout: false
+      ${{ if eq(job_data.job, 'linux_amd64') }}:
+        LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
+        ARCH: amd64
+        GOARCH: amd64
+        OS: linux
+        GOOS: linux
+      ${{ elseif eq(job_data.job, 'windows_amd64') }}:
+        LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
+        ARCH: amd64
+        GOARCH: amd64
+        OS: windows
+        GOOS: windows
+      ${{ elseif eq(job_data.job, 'linux_arm64') }}:
+        ob_enable_qemu: true
+        ARCH: arm64
+        GOARCH: arm64
+        OS: linux
+        GOOS: linux
+      # keep these variables concerned with instrumentation.
+      ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+      GEN_DIR: $(Build.SourcesDirectory)/temp
+      REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }}
+      OUT_DIR: $(Build.ArtifactStagingDirectory)
+    steps:
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        targetPath: $(REPO_ROOT)
+        artifact: '${{ job_data.templateContext.repositoryArtifact }}'
+
+    - task: ShellScript@2
+      inputs:
+        scriptPath: ${{ job_data.templateContext.buildScript }}
+
+    - task: ExtractFiles@1
+      inputs:
+        archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)'
+        destinationFolder: $(OUT_DIR)
+        cleanDestinationFolder: false
+        overwriteExistingFiles: true
+
+    - shell: |
+        cp "$SOURCE" "$DEST"
+      env:
+        SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }}
+        DEST: $(OUT_DIR)/Dockerfile
+
+    - task: onebranch.pipeline.signing@1
+      inputs:
+        command: 'sign'
+        signing_profile: 'external_distribution'
+        files_to_sign: '**/*'
+        search_root: $(OUT_DIR)
+
+
+  - job: images_${{ job_data.job }}
+    displayName: "Build Images - ${{ job_data.displayName }} -"
+    dependsOn:
+    - pkg_${{ job_data.job }}
+    strategy: ${{ job_data.strategy }}
+    pool:
+      os: linux
+      type: docker
+      ${{ if eq(job_data.job, 'linux_arm64') }}:
+        hostArchitecture: arm64
+        LinuxHostVersion:
+          distribution: mariner
+          architecture: arm64
+    variables:
+      ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch)
+      ob_artifactSuffix: _$(name)
+      ob_git_checkout: false
+      ${{ if eq(job_data.job, 'linux_amd64') }}:
+        LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
+        ARCH: amd64
+        OS: linux
+      ${{ elseif eq(job_data.job, 'windows_amd64') }}:
+        ob_enable_qemu: true
+        ARCH: amd64
+        OS: windows
+      ${{ elseif eq(job_data.job, 'linux_arm64') }}:
+        ob_build_container: true
+        ARCH: arm64
+        OS: linux
+
+    steps:
+    - template: build/image.steps.yaml
+      parameters:
+        arch: $(ARCH)
+        os: $(OS)
+        name: $(name)
+        dockerfile_path: ${{ job_data.templateContext.pkgArtifact }}
+        build_tag: $(imageTag)
+        extra_args: $(extraArgs)
+        archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion)
+        source: ${{ job_data.templateContext.pkgArtifact }}

.pipelines/build/scripts/azure-ipam.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -nex
+
+DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}"
+IPAM_BUILD_DIR=$(mktemp -d -p "$GEN_DIR")
+
+pushd "$ROOT_DIR"/azure-ipam
+  GOOS=$OS CGO_ENABLED=0 go build -v -a -o "$IPAM_BUILD_DIR"/azure-ipam -trimpath -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" main.version="$VERSION"" -gcflags="-dwarflocationlists=true"
+  cp *.conflist "$IPAM_BUILD_DIR"
+  sha256sum * > sum.txt
+  gzip --verbose --best --recursive . && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done
+popd
+
+go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION
+pushd "$GOPATH"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION
+  cp "$IPAM_BUILD_DIR"/* pkg/embed/fs/
+  GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go
+popd

.pipelines/build/scripts/cns.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+#ARG CNS_AI_ID
+#ARG CNS_AI_PATH
+
+mkdir -p "$OUT_DIR"/files
+mkdir -p "$OUT_DIR"/bins
+
+pushd "$REPO_ROOT"
+  GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" cns/service/*.go
+  cp cns/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml
+  cp npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1
+popd

.pipelines/build/scripts/ipv6-hp-bpf.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+mkdir -p "$OUT_DIR"/bins
+mkdir -p "$OUT_DIR"/lib
+
+apt-get update -y
+apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2
+
+# Copy Needed Library Binaries
+cp /usr/sbin/nft "$OUT_DIR"/bins/nft
+cp /sbin/ip "$OUT_DIR"/bins/ip
+
+# Package up Needed C Files
+if [ "$ARCH" = "arm64" ]; then
+  apt-get install -y gcc-aarch64-linux-gnu
+  ARCH=aarch64-linux-gnu
+  cp /lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/
+
+  for dir in /usr/include/"$ARCH"/*; do 
+    ln -s "$dir" /usr/include/$(basename "$dir")
+  done
+
+elif [ "$ARCH" = "amd64" ]; then
+  apt-get install -y gcc-multilib
+  ARCH=x86_64-linux-gnu
+  cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/
+
+  for dir in /usr/include/"$ARCH"/*; do 
+    ln -s "$dir" /usr/include/$(basename "$dir")
+  done
+fi
+
+ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm
+cp /lib/"$ARCH"/libnftables.so.1 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libedit.so.2 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libc.so.6 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libmnl.so.0 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libnftnl.so.11 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libxtables.so.12 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libjansson.so.4 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libgmp.so.10 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libtinfo.so.6 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/
+cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/
+
+
+# Build IPv6 HP BPF
+export C_INCLUDE_PATH=/usr/include/bpf
+pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf
+  cp ./cmd/ipv6-hp-bpf/*.go ./
+
+  if [ "$DEBUG" = "true" ]; then 
+    echo "\n#define DEBUG" >> ./include/helper.h
+  fi
+
+  GOOS=$OS CGO_ENABLED=0 go generate ./...
+  GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" .
+popd

.pipelines/build/scripts/npm.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -nex
+
+mkdir -p "$OUT_DIR"/files
+mkdir -p "$OUT_DIR"/bins
+
+pushd "$ROOT_DIR"/npm
+  GOOS=$OS CGO_ENABLED=0 go build -v -o "$OUT_DIR"/bins/azure-npm -ldflags "-X main.version="$VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" -gcflags="-dwarflocationlists=true" ./cmd/*.go
+
+  cp ./examples/windows/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml
+  cp ./examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1
+  cp ./examples/windows/setkubeconfigpath-capz.ps1 "$OUT_DIR"/files/setkubeconfigpath-capz.ps1
+popd