avoltz · chaireez · Oct 4, 2023 · Oct 4, 2023 · Oct 4, 2023 · Oct 4, 2023
diff --git a/.config/CredScanSuppressions.json b/.config/CredScanSuppressions.json
@@ -0,0 +1,13 @@
+{
+   "tool": "Credential Scanner",
+   "suppressions": [
+     {
+       "file": "test/utils/credentials/credentials.go",
+       "_justification": "False positive variable."
+     },
+     {
+       "file": "vendor/k8s.io/kubernetes/test/utils/admission_webhook.go",
+       "_justification": "An example certificate with command to create it to go along with it."
+     }
+   ]
+}
diff --git a/BLOB_CSI_VERSION b/BLOB_CSI_VERSION
@@ -0,0 +1 @@
+BLOB_CSI_VERSION=v4.3.0
diff --git a/pipelines/OneBranch.NonOfficial.yml b/pipelines/OneBranch.NonOfficial.yml
@@ -0,0 +1,80 @@
+#################################################################################
+#                               OneBranch Pipelines                             #
+# This pipeline was created by EasyStart from a sample located at:              #
+#   https://aka.ms/obpipelines/easystart/samples                                #
+# Documentation:  https://aka.ms/obpipelines                                    #
+# Yaml Schema:    https://aka.ms/obpipelines/yaml/schema                        #
+# Retail Tasks:   https://aka.ms/obpipelines/tasks                              #
+# Support:        https://aka.ms/onebranchsup                                   #
+#################################################################################
+trigger: none
+
+resources:
+  repositories: 
+  - repository: templates
+    type: git
+    name: OneBranch.Pipelines/GovernedTemplates
+    ref: refs/heads/main
+  - repository: Hydra
+    clean: true
+    type: git
+    name: One/Hydra
+    ref: main
+
+variables:
+  - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra
+    parameters:
+      buildType: buddy
+  - template: pipelines/templates/shared_variables.yml@Hydra
+    parameters:
+      location: eastus
+      # Usually used for build number (but N/A for OneBranch).
+      pipelineShortName: OneBranch
+  - name: BlobImageRepo
+    value: "blob-csi"
+  - name: IsStaging
+    value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/staging') }}
+  - name: IsOfficial
+    value: ${{ eq(variables['ONEBRANCH_BUILD_TYPE'], 'official') }}
+
+parameters:
+  - name: acr
+    displayName: ACR for container image publish
+    type: string
+    default: hydraedgecidev
+    values:
+      - hydraedge
+      - hydraedgecidev
+  - name: architectures
+    displayName: Architectures to build
+    type: object
+    default:
+      - amd64
+      - arm64
+
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  parameters:
+    containers:
+      - container: linux_build_container
+        image: $(LinuxContainerImage)
+        type: Linux
+        endpoint: "hydraedge-acr-connection"
+
+    globalSdl: # https://aka.ms/obpipelines/sdl
+      # Details on TSA onboarding:
+      # https://onebranch.visualstudio.com/OneBranch/_wiki/wikis/OneBranch.wiki/4637/TSA-and-TSA-Onboarding-in-OneBranch-Pipelines
+      tsa:
+        enabled: false
+      credscan:
+        enabled: true
+        suppressionsFile: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
+      policheck:
+        break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+    stages:
+      - template: OneBranch.body.yml@self
+        parameters:
+          acr: ${{ parameters.acr }}
+          architectures: ${{ parameters.architectures }}
+          buildType: official
+
diff --git a/pipelines/OneBranch.Official.yml b/pipelines/OneBranch.Official.yml
@@ -0,0 +1,84 @@
+#################################################################################
+#                               OneBranch Pipelines                             #
+# This pipeline was created by EasyStart from a sample located at:              #
+#   https://aka.ms/obpipelines/easystart/samples                                #
+# Documentation:  https://aka.ms/obpipelines                                    #
+# Yaml Schema:    https://aka.ms/obpipelines/yaml/schema                        #
+# Retail Tasks:   https://aka.ms/obpipelines/tasks                              #
+# Support:        https://aka.ms/onebranchsup                                   #
+#################################################################################
+trigger:
+  batch: true
+  branches:
+    include:
+      - staging
+
+resources:
+  repositories: 
+  - repository: templates
+    type: git
+    name: OneBranch.Pipelines/GovernedTemplates
+    ref: refs/heads/main
+  - repository: Hydra
+    clean: true
+    type: git
+    name: One/Hydra
+    ref: main
+
+variables:
+  - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra
+    parameters:
+      buildType: official
+  - template: pipelines/templates/shared_variables.yml@Hydra
+    parameters:
+      location: eastus
+      # Usually used for build number (but N/A for OneBranch).
+      pipelineShortName: OneBranch
+  - name: BlobImageRepo
+    value: "blob-csi"
+  - name: IsStaging
+    value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/staging') }}
+  - name: IsOfficial
+    value: ${{ eq(variables['ONEBRANCH_BUILD_TYPE'], 'official') }}
+
+parameters:
+  - name: acr
+    displayName: ACR for container image publish
+    type: string
+    default: hydraedge
+    values:
+      - hydraedge
+      - hydraedgecidev
+  - name: architectures
+    displayName: Architectures to build
+    type: object
+    default:
+      - amd64
+      - arm64
+
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  parameters:
+    containers:
+      - container: linux_build_container
+        image: $(LinuxContainerImage)
+        type: Linux
+        endpoint: "hydraedge-acr-connection"
+
+    globalSdl: # https://aka.ms/obpipelines/sdl
+      # Details on TSA onboarding:
+      # https://onebranch.visualstudio.com/OneBranch/_wiki/wikis/OneBranch.wiki/4637/TSA-and-TSA-Onboarding-in-OneBranch-Pipelines
+      tsa:
+        enabled: false
+      credscan:
+        enabled: true
+        suppressionsFile: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
+      policheck:
+        break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+    stages:
+      - template: OneBranch.body.yml@self
+        parameters:
+          acr: ${{ parameters.acr }}
+          architectures: ${{ parameters.architectures }}
+          buildType: official
+
diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml
@@ -0,0 +1,186 @@
+# ------------------------------------------------------------------------------
+# ONEBRANCH BODY
+#
+# This template contains the body used by pipelines/OneBranch.*Official.yml so
+# that both the official and non-official OneBranch pipelines share the same
+# logic. Changes to the OneBranch pipeline will largely need to be done here
+# rather than in the top-level files.
+# ------------------------------------------------------------------------------
+
+# NOTE: The parameters must match the pipeline parameters in
+#       pipelines/OneBranch.*Official.yml and should be provided with every
+#       call of this template.
+parameters:
+  - name: acr
+    displayName: ACR for container image publish
+    type: string
+  - name: architectures
+    displayName: Architectures to build
+    type: object
+  - name: buildType
+    displayName: The type of build.
+    type: string
+    values:
+      - official
+      - buddy
+
+
+stages:
+  - stage: setup
+    jobs:
+      - job: Setup
+        timeoutInMinutes: 30
+        displayName: Setup
+        pool:
+          type: linux
+        variables:
+          ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out"
+        steps:
+          - checkout: Hydra
+          - template: pipelines/templates/job_start.yml@Hydra
+            parameters:
+              logInAgentUami: false
+              uploadAdx: false
+              installVenv: false
+              installReportGenerator: false
+
+          - task: onebranch.pipeline.version@1
+            displayName: "Setup BuildNumber"
+            inputs:
+              system: "RevisionCounter"
+              major: "1"
+              minor: "0"
+              exclude_commit: true
+
+          - bash: |
+              pushd Hydra
+                scripts/setup_pipeline_variables.sh $(Build.BuildId)
+              popd
+
+              source BLOB_CSI_VERSION
+              echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}"
+            displayName: Setup environment
+            name: setupEnvironment
+
+  - stage: build
+    dependsOn:
+      - setup
+    variables:
+      TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ]
+      pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
+    jobs:
+    - ${{ each arch in parameters.architectures }}:
+      - job: build_csi_container_${{ arch }}
+        timeoutInMinutes: 60
+        displayName: Build ${{ arch }} BlobCSIImage
+        pool:
+          type: docker
+          os: linux
+          hostArchitecture: ${{ arch }}
+        variables:
+          ob_git_checkout: true
+        steps:
+          - template: pipelines/templates/job_start.yml@Hydra
+            parameters:
+              logInAgentUami: false
+              uploadAdx: false
+              installVenv: false
+              installReportGenerator: false
+
+          # We always sign in to hydraedge since it holds our runtime/toolchain
+          # images, in addition to the ACR that we'll actually put the built
+          # images in.
+          - template: pipelines/templates/acr_login.yml@Hydra
+            parameters:
+              acr: hydraedge
+              onebranch: true
+
+          - template: pipelines/templates/acr_login.yml@Hydra
+            parameters:
+              acr: ${{ parameters.acr }}
+              onebranch: true
+
+          - task: onebranch.pipeline.imagebuildinfo@1@2
+            displayName: Build blob csi ${{ arch }} image
+            inputs:
+              dockerFileContextPath: .
+              dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner
+              repositoryName: $(BlobImageRepo)
+              registry: "${{ parameters.acr }}.azurecr.io"
+              saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar"
+              enable_network: true # We may not want to do this... but current files require it
+              enable_acr_push: true
+              buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options
+              enable_cache: true # take advantage of multi-stage caching
+              endpoint: "${{ parameters.acr }}-acr-connection"
+              arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE)
+              build_tag: "$(pipelineBuildTag)-${{ arch }}"
+
+  - stage: publish
+    dependsOn:
+      - setup
+      - build
+    variables:
+      pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
+      blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ]
+      HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/"
+    jobs:
+      - job: PublishArtifacts
+        timeoutInMinutes: 30
+        displayName: Publish artifacts
+        pool:
+          type: linux
+          isCustom: true
+          name: $(AGENT_POOL)
+        variables:
+          ob_outputDirectory: "$(Build.SourcesDirectory)/out"
+        steps:
+          - checkout: Hydra
+          - template: pipelines/templates/job_start.yml@Hydra
+            parameters:
+              logInAgentUami: false
+              uploadAdx: false
+              installVenv: false
+              installReportGenerator: false
+
+          - template: pipelines/templates/acr_login.yml@Hydra
+            parameters:
+              acr: ${{ parameters.acr }}
+              onebranch: true
+
+          - template: pipelines/templates/make_images_multiarch.yml@Hydra
+            parameters:
+              hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+              acr: "${{ parameters.acr }}"
+              architectures: ${{ parameters.architectures }}
+              images:
+                - $(BlobImageRepo)
+
+          - task: AzureCLI@2
+            displayName: "Check if version tag exists"
+            target: host
+            inputs:
+              azureSubscription: $(AZURE_SERVICE_CONNECTION)
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)"
+
+                if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then
+                  echo "##vso[task.setvariable variable=pushLatest]true"
+                else
+                  echo "##vso[task.setvariable variable=pushLatest]false"
+                fi
+            name: csi_version
+            condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'))
+
+          - template: pipelines/templates/make_images_latest.yml@Hydra
+            parameters:
+              condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true'))
+              hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+              acr: "${{ parameters.acr }}"
+              dstBuildTag: "$(blobCsiVersion)"
+              srcBuildTag: "$(pipelineBuildTag)"
+              images:
+                - $(BlobImageRepo)
+
diff --git a/pkg/blobplugin/Dockerfile b/pkg/blobplugin/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM registry.k8s.io/build-image/debian-base:bullseye-v1.4.3
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
 
 ARG ARCH=amd64
 ARG binary=./_output/${ARCH}/blobplugin
@@ -28,14 +28,10 @@ RUN chmod +x /blobfuse-proxy/init.sh && \
  chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
  chmod +x /blobfuse-proxy/blobfuse-proxy
 
-RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates uuid-dev util-linux mount udev wget e2fsprogs nfs-common netbase
+RUN tdnf updateinfo && \
+    tdnf install -y util-linux e2fsprogs nfs-utils quota-rpc rpcbind blobfuse2 fuse3 libcap-ng libcap ca-certificates && \
+    tdnf clean all
 
-ARG ARCH=amd64
-RUN if [ "$ARCH" = "amd64" ] ; then \
-  clean-install libcurl4-gnutls-dev && \
-  wget -O /blobfuse-proxy/packages-microsoft-prod-22.04.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb && \
-  wget -O /blobfuse-proxy/packages-microsoft-prod-18.04.deb https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb && \
-  dpkg -i /blobfuse-proxy/packages-microsoft-prod-18.04.deb && apt update && apt install blobfuse blobfuse2 fuse -y && apt remove wget -y; fi
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"