ci: Add Binary Signing Task

.pipelines/build/binaries.jobs.yaml

@@ -43,3 +43,37 @@ jobs:
           target: $(name)
           os: $(OS)
           arch: $(ARCH)
+
+
+  - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), job_data.templateContext.isOfficial) }}:
+    - job: sign_${{ job_data.job }}
+      displayName: "Sign Binary - ${{ job_data.displayName }} -"
+      strategy: ${{ job_data.strategy }}
+      pool:
+        ${{ if eq(job_data.job, 'windows_amd64') }}:
+          type: windows
+        ${{ else }}:
+          type: linux
+      variables:
+        ob_outputDirectory: $(Build.SourcesDirectory)
+        ob_artifactSuffix: _$(artifact)
+        ob_git_checkout: false
+      steps:
+      - task: DownloadPipelineArtifact@2
+        inputs:
+          targetPath: $(Build.SourcesDirectory)
+          artifact: '${{ job_data.templateContext.repositoryArtifact }}'
+
+      - task: ExtractFiles@1
+        inputs:
+          archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)'
+          destinationFolder: $(Build.SourcesDirectory)
+          cleanDestinationFolder: false
+          overwriteExistingFiles: true
+
+      - task: onebranch.pipeline.signing@1
+        inputs:
+          command: 'sign'
+          signing_profile: 'external_distribution'
+          files_to_sign: '**/*'
+          search_root: $(Build.SourcesDirectory)

.pipelines/build/dockerfiles/azure-ipam.Dockerfile

@@ -0,0 +1,16 @@
+ARG ARCH
+
+
+# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}"
+FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows
+ARG ARTIFACT_DIR .
+
+COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe
+ENTRYPOINT [ "/dropgz.exe" ]
+
+
+FROM scratch AS linux
+ARG ARTIFACT_DIR .
+
+COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz
+ENTRYPOINT [ "/dropgz" ]

.pipelines/build/dockerfiles/cni.Dockerfile

@@ -0,0 +1,16 @@
+ARG ARCH
+
+
+# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}"
+FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows
+ARG ARTIFACT_DIR .
+
+COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe
+ENTRYPOINT [ "/dropgz.exe" ]
+
+
+FROM scratch AS linux
+ARG ARTIFACT_DIR .
+
+COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz
+ENTRYPOINT [ "/dropgz" ]

.pipelines/build/dockerfiles/cns.Dockerfile

@@ -0,0 +1,28 @@
+ARG ARCH
+
+
+# mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0
+FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows
+ARG ARTIFACT_DIR .
+
+COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml
+COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1
+COPY ${ARTIFACT_DIR}/bin/azure-cns.exe /azure-cns.exe
+ENTRYPOINT ["azure-cns.exe"]
+EXPOSE 10090
+
+
+# mcr.microsoft.com/cbl-mariner/base/core:2.0
+# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}"
+FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS build-helper
+RUN tdnf install -y iptables
+
+# mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
+FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux
+ARG ARTIFACT_DIR .
+
+COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/
+COPY --from=build-helper /usr/lib /usr/lib
+COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns
+ENTRYPOINT [ "/usr/local/bin/azure-cns" ]
+EXPOSE 10090

.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile

@@ -0,0 +1,10 @@
+ARG ARCH
+
+
+FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/distroless/minimal:3.0 AS linux
+ARG ARTIFACT_DIR
+COPY ${ARTIFACT_DIR}/lib/* /lib
+COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf
+COPY ${ARTIFACT_DIR}/bin/nft /usr/sbin/nft
+COPY ${ARTIFACT_DIR}/bin/ip /sbin/ip
+CMD ["/ipv6-hp-bpf"]

.pipelines/build/dockerfiles/npm.Dockerfile

@@ -0,0 +1,29 @@
+ARG ARCH
+
+
+# intermediate for win-ltsc2022
+FROM --platform=windows/${ARCH} mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows
+ARG ARTIFACT_DIR
+
+COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml
+COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1
+COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1
+COPY ${ARTIFACT_DIR}/bin/azure-npm.exe npm.exe
+
+CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"]
+
+
+FROM --platform=linux/${ARCH} mcr.microsoft.com/mirror/docker/library/ubuntu:24.04 as linux
+ARG ARTIFACT_DIR
+
+RUN apt-get update && apt-get install -y iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean
+#RUN apt-get update && \
+#    apt-get install -y \
+#      linux-libc-dev \
+#      libc6-dev \
+#      libtasn1-6 \
+#      gnutls30 iptables ipset ca-certificates
+#RUN apt-get autoremove -y && apt-get clean
+
+COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm
+ENTRYPOINT ["/usr/bin/azure-npm", "start"]

.pipelines/build/generate-manifest.steps.yaml

@@ -10,7 +10,7 @@ steps:
     MANIFEST_DATA=$(echo "$IMAGE_PLATFORM_DATA" | \
       jq -r '.[] | 
         .args = [ (.platform | split("/")[0]), (.platform     | split("/")[1]) ] | 
-        .args = [ ("--os "   + .args[0]     ), ("--arch " + .args[1]     ) ] | 
+        .args = [ ("--os "   + .args[0]     ), ("--arch "     + .args[1]     ) ] | 
         if .osVersion then .args += ["--os-version " + .osVersion] else . end    |
         { image: .imageReference, annotate: .args }' | \
       jq -rcs)

.pipelines/build/image.steps.yaml

@@ -15,10 +15,6 @@ parameters:
   type: string
   default: ""
 
-- name: dockerfile_path
-  type: string
-  default: ""
-
 - name: archive_file
   type: string
   default: '$(name)-$(os)-$(platform)-$(Tag)'
@@ -50,8 +46,8 @@ parameters:
 steps:
 - task: DownloadPipelineArtifact@2
   inputs:
-    targetPath: $(Build.SourcesDirectory)/dst/${{ parameters.source }}
-    artifact: '${{ parameters.source }}'
+    targetPath: $(Build.SourcesDirectory)/dst/artifacts
+    artifact: ${{ parameters.source }}
 
 - task: onebranch.pipeline.containercontrol@1
   displayName: "Login to ACR"
@@ -70,14 +66,13 @@ steps:
     repositoryName: $(os)-$(arch)/${{ parameters.name }}
     os: '${{ parameters.os }}'
     buildkit: 1
-    dockerFileRelPath: ${{ parameters.dockerfile_path }}/Dockerfile
-    dockerFileContextPath: ${{ parameters.source }}
+    dockerFileRelPath: artifacts/Dockerfile
     enable_network: true
     enable_pull: true
     build_tag: ${{ parameters.build_tag }}
     enable_acr_push: true
-
     saveImageToPath: images/$(os)-$(arch)/${{ parameters.archive_file }}.tar.gz
+    enabled_cache: false
     #compress: true
     #saveMetadataToPath: images/$(os)-$(arch)/metadata/${{ parameters.archive_file }}-metadata.json
     #enable_isolated_acr_push: true

.pipelines/build/images.jobs.yaml

@@ -0,0 +1,149 @@
+parameters:
+- name: images
+  type: jobList
+
+
+jobs:
+- ${{ each job_data in parameters.images }}:
+  - job: pkg_${{ job_data.job }}
+    displayName: "Prepare Image Package - ${{ job_data.displayName }} -"
+    ${{ if job_data.strategy }}:
+      strategy: ${{ job_data.strategy }}
+    ${{ if job_data.dependsOn }}:
+      dependsOn: ${{ job_data.dependsOn }}
+    pool:
+      type: linux
+      ${{ if eq(job_data.job, 'linux_arm64') }}:
+        hostArchitecture: arm64
+
+    variables:
+      ob_artifactSuffix: _$(name)
+      ob_git_checkout: false
+      # keep these variables concerned with instrumentation.
+      GEN_DIR: $(Build.SourcesDirectory)/temp
+      REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }}
+      OUT_DIR: $(Build.ArtifactStagingDirectory)
+      DROPGZ_VERSION: v0.0.12
+      DEBUG: $[ coalesce(variables['System.Debug'], 'False') ]
+      ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+      ${{ if eq(job_data.job, 'linux_amd64') }}:
+        DEBIAN_FRONTEND: noninteractive
+        LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest'
+        #mcr.microsoft.com/mirror/docker/library/ubuntu:24.04'
+        #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0'
+        OS: linux
+        ARCH: amd64
+      ${{ elseif eq(job_data.job, 'windows_amd64') }}:
+        LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0'
+        ob_enable_qemu: true
+        OS: windows
+        ARCH: amd64
+      ${{ elseif eq(job_data.job, 'linux_arm64') }}:
+        LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0'
+        OS: linux
+        ARCH: arm64
+        GOARCH: arm64
+    steps:
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        targetPath: $(REPO_ROOT)
+        artifact: '${{ job_data.templateContext.repositoryArtifact }}'
+
+    - task: GoTool@0
+      inputs:
+        version: '$(GOVERSION)'
+
+    - task: ShellScript@2
+      inputs:
+        scriptPath: $(REPO_ROOT)/${{ job_data.templateContext.buildScript }}
+
+    - script: |
+        ls -la "$SOURCE"
+        cp "$SOURCE" "$DEST"
+        ls -la "$DEST"
+      env:
+        SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }}
+        DEST: $(OUT_DIR)/Dockerfile
+
+    - task: onebranch.pipeline.signing@1
+      inputs:
+        command: 'sign'
+        signing_profile: 'external_distribution'
+        files_to_sign: '**/*'
+        search_root: $(OUT_DIR)
+
+
+    - task: ShellScript@2
+      displayName: "Package with DropGZ"
+      condition: and(
+        succeeded(), 
+        eq(variables.packageWithDropGZ, 'True'))
+      inputs:
+        scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh
+
+    - ${{ if not(contains(job_data.job, 'linux')) }}:
+      - task: onebranch.pipeline.signing@1
+        condition: and(
+          succeeded(), 
+          eq(variables.packageWithDropGZ, 'True'))
+        inputs:
+          command: 'sign'
+          signing_profile: 'external_distribution'
+          files_to_sign: '**/dropgz*'
+          search_root: $(OUT_DIR)
+
+    # OneBranch artifacts are stored on a Windows machine which obliterates
+    # Linux file permissions.
+    # This task is added (along with ob_extract_root_artifact in jobs that 
+    # download the artifact) to protect those file permissions from changing
+    # during image build time.
+    #
+    # See: https://eng.ms/docs/products/onebranch/build/containerbasedworkflow/dockerimagesandacr/preservefilepermissionsfordockerbuild
+    - script: |
+        tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar "$OUT_DIR"
+      displayName: "Zip to Preserve Linux File Permissions"
+
+
+  - job: images_${{ job_data.job }}
+    displayName: "Build Images - ${{ job_data.displayName }} -"
+    dependsOn:
+    - pkg_${{ job_data.job }}
+    strategy: ${{ job_data.strategy }}
+    pool:
+      os: linux
+      type: docker
+#      ${{ if eq(job_data.job, 'linux_arm64') }}:
+#        hostArchitecture: arm64
+#      ${{ else }}:
+#        LinuxHostVersion: 'AzLinux3.0AMD64'
+    variables:
+      ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+      ob_artifactSuffix: _$(name)
+      ob_git_checkout: false
+      ob_extract_root_artifact: true
+      ${{ if eq(job_data.job, 'linux_amd64') }}:
+        LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0'
+        ARCH: amd64
+        OS: linux
+      ${{ elseif eq(job_data.job, 'windows_amd64') }}:
+        LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0'
+        ob_enable_qemu: true
+        ARCH: amd64
+        OS: windows
+      ${{ elseif eq(job_data.job, 'linux_arm64') }}:
+        LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0'
+        ob_enable_qemu: true
+        ARCH: arm64
+        OS: linux
+        GOARCH: arm64
+
+    steps:
+    - template: image.steps.yaml
+      parameters:
+        arch: $(ARCH)
+        os: $(OS)
+        name: $(name)
+        build_tag: $(imageTag)
+        extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="/__w/1/a"
+        archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion)
+        source: drop_build_pkg_${{ job_data.job }}_$(name)