-
Notifications
You must be signed in to change notification settings - Fork 117
/
Copy pathdct-pipeline.yml
143 lines (130 loc) · 5.8 KB
/
dct-pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
#
# Microservice : Claims API Microservice
# Language : ASP.NET Core 3.1
# Date: 09-26-2019
# Author: Ganesh Radhakrishnan (ganrad01@gmail.com)
#
# Description:
# Pipeline script (yaml) for building and deploying the 'claims-api' .NET Core microservice on AKS.
# The container image will be built and scanned for known OS vulnerabilities using Aqua Trivy container scanner.
# Next, the container image will be digitally signed using DCT and then pushed into an ACR. Note: ACR Premium
# SKU is required for pushing DCT enabled images!
# Finally, Helm will be used to deploy the Claims API microservice on AKS. This application deployment will use
# the signed container image.
#
# IMPORTANT:
# This pipeline requires a custom self-hosted pipeline agent for running all tasks. Instructions for deploying
# a self-hosted Azure DevOps Services agent on AKS can be found here:
# https://github.com/ganrad/Az-DevOps-Agent-On-AKS
#
# This pipeline requires the following variables to be set.
# - 'containerRegistryServiceConnection' : Create a 'Service Connection' for ACR in Azure DevOps Services (Project settings) and then specify the service connection name.
# - 'imageRepository' : Name of the image repository in ACR. This repository should have been intialized (initiated) with a root key (docker trust signer add ...)
# - 'DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE' : Passphrase used while generating delegation key pair (Should be a secret)
# - 'privateKeyFilename' : Name of the secure file containing the delegation private key
# - 'azureSubscriptionEndpoint' : Azure DevOps ARM Connection name
# - 'azureContainerRegistry' : Azure Container Registry name
# - 'azureResourceGroup' : Azure Resource Group name
# - 'kubernetesCluster' : Azure Kubernetes Service cluster name
# 'sqlDbConnectionString' : Azure SQL DB Connection String value. Refer to 'appsettings.json' file.
#
# Add steps that run tests, create a NuGet package, deploy, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/dotnet-core
#
# --------------------------------
# NOTES:
# ID06082020: ganrad01: Updated script to .NET Core 3.1
# ID03042021: ganrad01: Helm Init task is not required in Helm v3. There is no need to initialize the local client.
# --------------------------------
# pool:
# vmImage: 'Ubuntu 16.04'
pool:
name: <Name of AKS Agent Pool in Azure DevOps Services eg., AKS-Agent-Pool>
variables:
system.debug: false
containerRegistryServiceConnection: <Specify ACR service connection>
imageRepository: claims-api
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: <Passphrase for DCT delegation key pair>
privateKeyFilename: <Name of the secure file containing the private key>
azureSubscriptionEndpoint: <Specify Azure RM connection>
azureContainerRegistry: <Azure Container Registry name - name.azurecr.io>
azureResourceGroup: <Azure Resource Group - name>
kubernetesCluster: <Azure Kubernetes Service - name>
sqlDbConnectionString: <Azure SQL DB Connection String>
steps:
- task: DownloadSecureFile@1
displayName: Download secure file
name: privateKey
inputs:
secureFile: $(privateKeyFilename)
- task: Docker@2
displayName: Build container image
inputs:
command: build
containerRegistry: $(containerRegistryServiceConnection)
Dockerfile: '**/dockerfile'
repository: $(imageRepository)
tags: |
$(Build.BuildId)
- task: Bash@3
displayName: Scan container image with Aqua Trivy
name: aqua_trivy
inputs:
targetType: inline
script: |
trivy --exit-code 0 --clear-cache --ignore-unfixed --vuln-type os --severity MEDIUM,HIGH,CRITICAL $(azureContainerRegistry)/$(imageRepository):$(Build.BuildId)
# trivy --exit-code 1 --ignore-unfixed --vuln-type os --severity CRITICAL $(imageRepository):$(Build.BuildId)
- task: Docker@2
displayName: Docker login to ACR
inputs:
command: login
containerRegistry: $(containerRegistryServiceConnection)
- script: |
mkdir -p $(DOCKER_CONFIG)/trust/private
cp $(privateKey.secureFilePath) $(DOCKER_CONFIG)/trust/private
- task: Docker@2
displayName: Sign and push container image to ACR
inputs:
command: push
containerRegistry: $(containerRegistryServiceConnection)
repository: $(imageRepository)
tags: |
$(Build.BuildId)
arguments: '--disable-content-trust=false'
env:
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: $(DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE)
- script: |
docker trust inspect --pretty $(azureContainerRegistry)/$(imageRepository):$(Build.BuildId)
# ID03042021.so
#- task: HelmDeploy@0
#displayName: Helm init
#name: helm_init
#inputs:
#connectionType: Azure Resource Manager
#azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
#azureResourceGroup: $(azureResourceGroup)
#kubernetesCluster: $(kubernetesCluster)
#command: init
#upgradetiller: false
#waitForExecution: true
#arguments: --client-only
# ID03042021.so
- task: HelmDeploy@0
displayName: Helm upgrade on AKS - $(azureResourceGroup):$(kubernetesCluster)
name: helm_deploy
inputs:
connectionType: Azure Resource Manager
azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
azureResourceGroup: $(azureResourceGroup)
kubernetesCluster: $(kubernetesCluster)
command: upgrade
arguments: --namespace dev-dct --create-namespace --set image.repository=$(azureContainerRegistry)/claims-api --set image.tag=$(Build.BuildId) --set sqldb.connectionString="$(sqlDbConnectionString)" --set blue.enabled=true
chartType: filepath
chartPath: $(System.DefaultWorkingDirectory)/claims-api
releaseName: aks-aspnetcore-lab-dct
# overrideValues: image.repository=csulabtest.azurecr.io/claims-api,image.tag=$(Build.BuildId)
install: true
waitForExecution: true
- script: "echo 'Finished Helm Deploy...'"
displayName: Helm deploy end
name: echo_helm_end