diff --git a/.config/CredScanSuppressions.json b/.config/CredScanSuppressions.json
new file mode 100644
index 000000000..e8451b4dd
--- /dev/null
+++ b/.config/CredScanSuppressions.json
@@ -0,0 +1,13 @@
+{
+  "tool": "Credential Scanner",
+  "suppressions": [
+    {
+      "file": "test/utils/credentials/credentials.go",
+      "_justification": "False positive variable."
+    },
+    {
+      "file": "vendor/k8s.io/kubernetes/test/utils/admission_webhook.go",
+      "_justification": "An example certificate with command to create it to go along with it."
+    }
+  ]
+}
diff --git a/BLOB_CSI_VERSION b/BLOB_CSI_VERSION
new file mode 100644
index 000000000..4250ea042
--- /dev/null
+++ b/BLOB_CSI_VERSION
@@ -0,0 +1 @@
+BLOB_CSI_VERSION=v4.3.0
diff --git a/pipelines/OneBranch.NonOfficial.yml b/pipelines/OneBranch.NonOfficial.yml
new file mode 100644
index 000000000..da4aab813
--- /dev/null
+++ b/pipelines/OneBranch.NonOfficial.yml
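Review bot: Both entries suppress by `file` alone, which silences every current and future Credential Scanner finding in those paths, and the first justification (`False positive variable.`) does not say which variable or pattern is being waived. Narrow each entry to the specific string where the tool supports it (a placeholder-style suppression rather than a whole file) and make the justification specific, e.g. `"_justification": "False positive: <variable> in test/utils/credentials/credentials.go is a test-fixture string, not a live secret."`. The vendored admission_webhook.go entry is reasonable for an example certificate, but a file-wide waiver on a vendor/ path should be re-checked whenever vendor/ is refreshed.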
@@ -0,0 +1,80 @@
+#################################################################################
+# OneBranch Pipelines #
+# This pipeline was created by EasyStart from a sample located at: #
+# https://aka.ms/obpipelines/easystart/samples #
+# Documentation: https://aka.ms/obpipelines #
+# Yaml Schema: https://aka.ms/obpipelines/yaml/schema #
+# Retail Tasks: https://aka.ms/obpipelines/tasks #
+# Support: https://aka.ms/onebranchsup #
+#################################################################################
+trigger: none
+
+resources:
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+    - repository: Hydra
+      clean: true
+      type: git
+      name: One/Hydra
+      ref: main
+
+variables:
+  - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra
+    parameters:
+      buildType: buddy
+  - template: pipelines/templates/shared_variables.yml@Hydra
+    parameters:
+      location: eastus
+      # Usually used for build number (but N/A for OneBranch).
+      pipelineShortName: OneBranch
+  - name: BlobImageRepo
+    value: "blob-csi"
+  - name: IsStaging
+    value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/staging') }}
+  - name: IsOfficial
+    value: ${{ eq(variables['ONEBRANCH_BUILD_TYPE'], 'official') }}
+
+parameters:
+  - name: acr
+    displayName: ACR for container image publish
+    type: string
+    default: hydraedgecidev
+    values:
+      - hydraedge
+      - hydraedgecidev
+  - name: architectures
+    displayName: Architectures to build
+    type: object
+    default:
+      - amd64
+      - arm64
+
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  parameters:
+    containers:
+      - container: linux_build_container
+        image: $(LinuxContainerImage)
+        type: Linux
+        endpoint: "hydraedge-acr-connection"
+
+    globalSdl: # https://aka.ms/obpipelines/sdl
+      # Details on TSA onboarding:
+      # https://onebranch.visualstudio.com/OneBranch/_wiki/wikis/OneBranch.wiki/4637/TSA-and-TSA-Onboarding-in-OneBranch-Pipelines
+      tsa:
+        enabled: false
+      credscan:
+        enabled: true
+        suppressionsFile: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
+      policheck:
+        break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+    stages:
+      - template: OneBranch.body.yml@self
+        parameters:
+          acr: ${{ parameters.acr }}
+          architectures: ${{ parameters.architectures }}
+          buildType: official
+
diff --git a/pipelines/OneBranch.Official.yml b/pipelines/OneBranch.Official.yml
new file mode 100644
index 000000000..e3f342090
--- /dev/null
+++ b/pipelines/OneBranch.Official.yml
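Review bot: The body template is called with `buildType: official` at the end of this hunk, while the shared-variables template at the top of the same file receives `buildType: buddy`, so OneBranch.body.yml cannot tell this non-official pipeline apart from the official one through its own `buildType` parameter; pass `buildType: buddy` here unless the body is meant to ignore that value. Separately, the `acr` parameter of a non-official pipeline still lists `hydraedge` as an allowed value, and the body's image-build step sets `enable_acr_push: true`, so a buddy build can publish into the same registry the official pipeline publishes to; restricting `values` to `hydraedgecidev` here, or adding a comment explaining why pushes from buddy builds into hydraedge are intended, would close that. The body template referenced by this stanza is defined in a later hunk of this diff.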
@@ -0,0 +1,84 @@
+#################################################################################
+# OneBranch Pipelines #
+# This pipeline was created by EasyStart from a sample located at: #
+# https://aka.ms/obpipelines/easystart/samples #
+# Documentation: https://aka.ms/obpipelines #
+# Yaml Schema: https://aka.ms/obpipelines/yaml/schema #
+# Retail Tasks: https://aka.ms/obpipelines/tasks #
+# Support: https://aka.ms/onebranchsup #
+#################################################################################
+trigger:
+  batch: true
+  branches:
+    include:
+      - staging
+
+resources:
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+    - repository: Hydra
+      clean: true
+      type: git
+      name: One/Hydra
+      ref: main
+
+variables:
+  - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra
+    parameters:
+      buildType: official
+  - template: pipelines/templates/shared_variables.yml@Hydra
+    parameters:
+      location: eastus
+      # Usually used for build number (but N/A for OneBranch).
+      pipelineShortName: OneBranch
+  - name: BlobImageRepo
+    value: "blob-csi"
+  - name: IsStaging
+    value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/staging') }}
+  - name: IsOfficial
+    value: ${{ eq(variables['ONEBRANCH_BUILD_TYPE'], 'official') }}
+
+parameters:
+  - name: acr
+    displayName: ACR for container image publish
+    type: string
+    default: hydraedge
+    values:
+      - hydraedge
+      - hydraedgecidev
+  - name: architectures
+    displayName: Architectures to build
+    type: object
+    default:
+      - amd64
+      - arm64
+
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  parameters:
+    containers:
+      - container: linux_build_container
+        image: $(LinuxContainerImage)
+        type: Linux
+        endpoint: "hydraedge-acr-connection"
+
+    globalSdl: # https://aka.ms/obpipelines/sdl
+      # Details on TSA onboarding:
+      # https://onebranch.visualstudio.com/OneBranch/_wiki/wikis/OneBranch.wiki/4637/TSA-and-TSA-Onboarding-in-OneBranch-Pipelines
+      tsa:
+        enabled: false
+      credscan:
+        enabled: true
+        suppressionsFile: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
+      policheck:
+        break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+    stages:
+      - template: OneBranch.body.yml@self
+        parameters:
+          acr: ${{ parameters.acr }}
+          architectures: ${{ parameters.architectures }}
+          buildType: official
+
diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml
new file mode 100644
index 000000000..230a5aa24
--- /dev/null
+++ b/pipelines/OneBranch.body.yml
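Review bot: `IsOfficial` is evaluated at template-expansion time from `variables['ONEBRANCH_BUILD_TYPE']`; if that variable is only populated once the governed template runs, the expression sees an empty value, `IsOfficial` is always `False`, and the version-tag and latest-tag steps in OneBranch.body.yml that are gated on it never execute. Since this file already hard-codes `buildType: official` for the shared-variables template, writing `value: true` here (or deriving it from a `buildType` parameter) removes the dependence on when ONEBRANCH_BUILD_TYPE becomes visible; please confirm against OneBranch's variable scoping before relying on the current form. Also, `tsa: enabled: false` in the official pipeline means credscan and policheck findings are not filed to TSA; that is defensible for the buddy pipeline, but here it deserves an explicit note such as `# TODO: enable TSA once the service is onboarded (see link above)`.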
@@ -0,0 +1,186 @@
+# ------------------------------------------------------------------------------
+# ONEBRANCH BODY
+#
+# This template contains the body used by pipelines/OneBranch.*Official.yml so
+# that both the official and non-official OneBranch pipelines share the same
+# logic. Changes to the OneBranch pipeline will largely need to be done here
+# rather than in the top-level files.
+# ------------------------------------------------------------------------------
+
+# NOTE: The parameters must match the pipeline parameters in
+# pipelines/OneBranch.*Official.yml and should be provided with every
+# call of this template.
+parameters:
+  - name: acr
+    displayName: ACR for container image publish
+    type: string
+  - name: architectures
+    displayName: Architectures to build
+    type: object
+  - name: buildType
+    displayName: The type of build.
+    type: string
+    values:
+      - official
+      - buddy
+
+
+stages:
+  - stage: setup
+    jobs:
+      - job: Setup
+        timeoutInMinutes: 30
+        displayName: Setup
+        pool:
+          type: linux
+        variables:
+          ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out"
+        steps:
+          - checkout: Hydra
+          - template: pipelines/templates/job_start.yml@Hydra
+            parameters:
+              logInAgentUami: false
+              uploadAdx: false
+              installVenv: false
+              installReportGenerator: false
+
+          - task: onebranch.pipeline.version@1
+            displayName: "Setup BuildNumber"
+            inputs:
+              system: "RevisionCounter"
+              major: "1"
+              minor: "0"
+              exclude_commit: true
+
+          - bash: |
+              pushd Hydra
+              scripts/setup_pipeline_variables.sh $(Build.BuildId)
+              popd
+
+              source BLOB_CSI_VERSION
+              echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}"
+            displayName: Setup environment
+            name: setupEnvironment
+
+  - stage: build
+    dependsOn:
+      - setup
+    variables:
+      TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ]
+      pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
+    jobs:
+      - ${{ each arch in parameters.architectures }}:
+          - job: build_csi_container_${{ arch }}
+            timeoutInMinutes: 60
+            displayName: Build ${{ arch }} BlobCSIImage
+            pool:
+              type: docker
+              os: linux
+              hostArchitecture: ${{ arch }}
+            variables:
+              ob_git_checkout: true
+            steps:
+              - template: pipelines/templates/job_start.yml@Hydra
+                parameters:
+                  logInAgentUami: false
+                  uploadAdx: false
+                  installVenv: false
+                  installReportGenerator: false
+
+              # We always sign in to hydraedge since it holds our runtime/toolchain
+              # images, in addition to the ACR that we'll actually put the built
+              # images in.
+              - template: pipelines/templates/acr_login.yml@Hydra
+                parameters:
+                  acr: hydraedge
+                  onebranch: true
+
+              - template: pipelines/templates/acr_login.yml@Hydra
+                parameters:
+                  acr: ${{ parameters.acr }}
+                  onebranch: true
+
+              - task: onebranch.pipeline.imagebuildinfo@1@2
+                displayName: Build blob csi ${{ arch }} image
+                inputs:
+                  dockerFileContextPath: .
+                  dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner
+                  repositoryName: $(BlobImageRepo)
+                  registry: "${{ parameters.acr }}.azurecr.io"
+                  saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar"
+                  enable_network: true # We may not want to do this... but current files require it
+                  enable_acr_push: true
+                  buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options
+                  enable_cache: true # take advantage of multi-stage caching
+                  endpoint: "${{ parameters.acr }}-acr-connection"
+                  arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE)
+                  build_tag: "$(pipelineBuildTag)-${{ arch }}"
+
+  - stage: publish
+    dependsOn:
+      - setup
+      - build
+    variables:
+      pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
+      blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ]
+      HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/"
+    jobs:
+      - job: PublishArtifacts
+        timeoutInMinutes: 30
+        displayName: Publish artifacts
+        pool:
+          type: linux
+          isCustom: true
+          name: $(AGENT_POOL)
+        variables:
+          ob_outputDirectory: "$(Build.SourcesDirectory)/out"
+        steps:
+          - checkout: Hydra
+          - template: pipelines/templates/job_start.yml@Hydra
+            parameters:
+              logInAgentUami: false
+              uploadAdx: false
+              installVenv: false
+              installReportGenerator: false
+
+          - template: pipelines/templates/acr_login.yml@Hydra
+            parameters:
+              acr: ${{ parameters.acr }}
+              onebranch: true
+
+          - template: pipelines/templates/make_images_multiarch.yml@Hydra
+            parameters:
+              hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+              acr: "${{ parameters.acr }}"
+              architectures: ${{ parameters.architectures }}
+              images:
+                - $(BlobImageRepo)
+
+          - task: AzureCLI@2
+            displayName: "Check if version tag exists"
+            target: host
+            inputs:
+              azureSubscription: $(AZURE_SERVICE_CONNECTION)
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)"
+
+                if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then
+                  echo "##vso[task.setvariable variable=pushLatest]true"
+                else
+                  echo "##vso[task.setvariable variable=pushLatest]false"
+                fi
+            name: csi_version
+            condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'))
+
+          - template: pipelines/templates/make_images_latest.yml@Hydra
+            parameters:
+              condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true'))
+              hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+              acr: "${{ parameters.acr }}"
+              dstBuildTag: "$(blobCsiVersion)"
+              srcBuildTag: "$(pipelineBuildTag)"
+              images:
+                - $(BlobImageRepo)
+
diff --git a/pkg/blobplugin/Dockerfile b/pkg/blobplugin/Dockerfile
index 293844626..6c99d6f07 100644
--- a/pkg/blobplugin/Dockerfile
+++ b/pkg/blobplugin/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM registry.k8s.io/build-image/debian-base:bullseye-v1.4.3
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
 
 ARG ARCH=amd64
 ARG binary=./_output/${ARCH}/blobplugin
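Review bot: `&>2` in the "Check if version tag exists" script redirects both stdout and stderr to a file literally named `2` in the working directory, not to fd 2; the intended form is `&>/dev/null` (or `>/dev/null 2>&1`). More importantly the check fails open: any non-zero exit from `az acr repository show` (login failure, transient error, mis-spelled repository) takes the `!` branch and sets `pushLatest=true`, so make_images_latest would re-point an existing `$(blobCsiVersion)` tag at this build, which is exactly what the step exists to prevent. The rewrite below only permits a (re)tag on a clean not-found result and aborts on any other error; the not-found match should be checked against the text `az` actually emits for a missing image. A one-line comment on `enable_network: true` in the build stage saying which Dockerfile step needs outbound network (`tdnf install`, presumably) would also help whoever later tries to turn it off.

```yaml
              inlineScript: |
                image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)"

                # Fail closed: only a clean "not found" may (re)create the version
                # tag; any other failure (auth, transient, typo) aborts instead of
                # re-pointing an existing tag at this build.
                if out=$(az acr repository show -n "${{ parameters.acr }}" --image "$image" 2>&1); then
                  echo "##vso[task.setvariable variable=pushLatest]false"
                elif grep -qi "not found" <<<"$out"; then
                  echo "##vso[task.setvariable variable=pushLatest]true"
                else
                  echo "$out" >&2
                  exit 1
                fi
```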
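Review bot: The new base image `mcr.microsoft.com/cbl-mariner/base/core:2.0` is a floating tag, whereas the line it replaces pinned an exact release (`bullseye-v1.4.3`); every rebuild now silently picks up whatever `2.0` currently points at, so two builds of the same commit can differ and a regression introduced by the base cannot be bisected. Pin by digest, `FROM mcr.microsoft.com/cbl-mariner/base/core:2.0@sha256:<digest>`, and let a dependency bot bump it, or at least pin to a dated/minor tag if the registry publishes them. The same floating tag is used in the runtime stage of the new Dockerfile.mariner later in this diff.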
@@ -28,14 +28,10 @@ RUN chmod +x /blobfuse-proxy/init.sh && \
     chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
     chmod +x /blobfuse-proxy/blobfuse-proxy
 
-RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates uuid-dev util-linux mount udev wget e2fsprogs nfs-common netbase
+RUN tdnf updateinfo && \
+    tdnf install -y util-linux e2fsprogs nfs-utils quota-rpc rpcbind blobfuse2 fuse3 libcap-ng libcap ca-certificates && \
+    tdnf clean all
 
-ARG ARCH=amd64
-RUN if [ "$ARCH" = "amd64" ] ; then \
-    clean-install libcurl4-gnutls-dev && \
-    wget -O /blobfuse-proxy/packages-microsoft-prod-22.04.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb && \
-    wget -O /blobfuse-proxy/packages-microsoft-prod-18.04.deb https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb && \
-    dpkg -i /blobfuse-proxy/packages-microsoft-prod-18.04.deb && apt update && apt install blobfuse blobfuse2 fuse -y && apt remove wget -y; fi
 
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"
diff --git a/pkg/blobplugin/Dockerfile.mariner b/pkg/blobplugin/Dockerfile.mariner
new file mode 100644
index 000000000..a0c1e4dc7
--- /dev/null
+++ b/pkg/blobplugin/Dockerfile.mariner
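Review bot: The removed line ran `apt upgrade -y` before installing, but the replacement runs `tdnf updateinfo`, which as I read tdnf only refreshes and reports update metadata and applies nothing; no step in the new RUN upgrades the packages already present in the base layer, so fixed CVEs in the base stay in the image until the floating `2.0` tag happens to move. Use `RUN tdnf update -y && \` (or `tdnf upgrade -y`) ahead of the install, or drop the call and rely on a digest-pinned base plus image scanning so the behaviour is explicit either way. The new package list also pulls `rpcbind` and `quota-rpc` into the runtime image; a short comment naming the CSI code path that needs them (NFS mounting, presumably) would help the next person auditing the image's attack surface.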
@@ -0,0 +1,59 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##############
+# Build binaries
+##############
+
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS build-stage
+
+WORKDIR /app
+
+ARG ARCH=amd64
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+ADD . .
+RUN make clean && make
+
+##############
+# Build CSI container
+##############
+
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+
+ARG ARCH=amd64
+
+RUN mkdir /blobfuse-proxy/
+
+COPY --from=build-stage /app/_output/${ARCH}/blobplugin /blobplugin
+COPY --from=build-stage /app/_output/${ARCH}/blobfuse-proxy /blobfuse-proxy/
+COPY --from=build-stage /app/pkg/blobfuse-proxy/init.sh /blobfuse-proxy/
+COPY --from=build-stage /app/pkg/blobfuse-proxy/blobfuse-proxy.service /blobfuse-proxy/
+
+RUN chmod +x /blobfuse-proxy/init.sh && \
+    chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
+    chmod +x /blobfuse-proxy/blobfuse-proxy
+
+RUN tdnf updateinfo && \
+    tdnf install -y util-linux e2fsprogs nfs-utils quota-rpc rpcbind blobfuse2 fuse3 libcap-ng libcap ca-certificates && \
+    tdnf clean all
+
+LABEL maintainers="andyzhangx"
+LABEL description="Azure Blob Storage CSI driver"
+
+ENTRYPOINT ["/blobplugin"]
+
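Review bot: `ADD . .` in the build stage should be `COPY . .`: ADD additionally auto-extracts local tar archives and accepts remote URLs, neither of which is wanted when copying the source tree into the builder, and Hadolint flags ADD-for-local-files for exactly that reason. `ARG BUILD_IMAGE` has no default, so a plain `docker build -f pkg/blobplugin/Dockerfile.mariner .` outside the pipeline fails on an empty `FROM`; either give it a documented default or add a comment such as `# BUILD_IMAGE is required; the pipeline passes the Hydra toolchain image via --build-arg BUILD_IMAGE=...`. The runtime stage from `RUN mkdir /blobfuse-proxy/` onward duplicates the runtime stage of pkg/blobplugin/Dockerfile changed elsewhere in this diff, so the two package lists and chmod steps will drift unless one file is made the source of truth.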