[Fleet Automation] Sign and deploy the PowerShell script (#29605)

Co-authored-by: Nicolas Schweitzer <[email protected]>
DataDog · Sep 30, 2024 · a3c8f2a · a3c8f2a
1 parent a069984
commit a3c8f2a
Show file tree

Hide file tree

Showing 8 changed files with 58 additions and 7 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -109,6 +109,8 @@
 /.gitlab/functional_test/common.yml                  @DataDog/agent-devx-infra @DataDog/windows-kernel-integrations
 /.gitlab/functional_test/oracle.yml                  @DataDog/agent-devx-infra @DataDog/database-monitoring
 
+/.gitlab/powershell_script_deploy/powershell_script_deploy.yml  @DataDog/agent-delivery @DataDog/windows-agent
+/.gitlab/powershell_script_deploy/powershell_script_signing.yml @DataDog/agent-delivery @DataDog/windows-agent
 
 /.gitlab/choco_build/choco_build.yml                 @DataDog/agent-delivery @DataDog/windows-agent
 /.gitlab/choco_deploy/choco_deploy.yml               @DataDog/agent-delivery @DataDog/windows-agent

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -8,6 +8,8 @@ include:
   - .gitlab/check_merge/do_not_merge.yml
   - .gitlab/choco_build/choco_build.yml
   - .gitlab/choco_deploy/choco_deploy.yml
+  - .gitlab/powershell_script_signing/powershell_script_signing.yml
+  - .gitlab/powershell_script_deploy/powershell_script_deploy.yml
   - .gitlab/common/shared.yml
   - .gitlab/common/skip_ci_check.yml
   - .gitlab/common/pr_commenter.yml
@@ -91,8 +93,8 @@ stages:
   - deploy_cws_instrumentation
   - deploy_dca
   - trigger_release
-  - choco_build
-  - choco_deploy
+  - choco_and_install_script_build
+  - choco_and_install_script_deploy
   - internal_image_deploy
   - install_script_testing
   - e2e_pre_test
@@ -142,6 +144,7 @@ variables:
   WINDOWS_TESTING_S3_BUCKET_A6: pipelines/A6/$CI_PIPELINE_ID
   WINDOWS_TESTING_S3_BUCKET_A7: pipelines/A7/$CI_PIPELINE_ID
   WINDOWS_BUILDS_S3_BUCKET: $WIN_S3_BUCKET/builds
+  WINDOWS_POWERSHELL_DIR: $CI_PROJECT_DIR/signed_scripts
   DEB_RPM_TESTING_BUCKET_BRANCH: testing # branch of the DEB_TESTING_S3_BUCKET and RPM_TESTING_S3_BUCKET repos to release to, 'testing'
   S3_CP_OPTIONS: --no-progress --region us-east-1 --sse AES256
   S3_CP_CMD: aws s3 cp $S3_CP_OPTIONS

diff --git a/.gitlab/JOBOWNERS b/.gitlab/JOBOWNERS
@@ -42,6 +42,7 @@ iot-agent-*                          @DataDog/agent-delivery
 agent_suse*                          @DataDog/agent-delivery
 windows-installer*                   @DataDog/windows-agent
 windows_*                            @DataDog/windows-agent
+powershell_script_signing            @DataDog/windows-agent
 
 # Packaging
 agent_deb*                           @DataDog/agent-delivery
@@ -105,6 +106,8 @@ deploy_installer*                      @DataDog/agent-delivery
 deploy_packages*                       @DataDog/agent-delivery
 deploy_staging*                        @DataDog/agent-delivery
 publish_winget*                        @DataDog/windows-agent
+powershell_script_deploy               @DataDog/windows-agent
+windows_bootstrapper_deploy             @DataDog/windows-agent
 qa_*_oci                               @DataDog/agent-delivery
 
 # Deploy containers

diff --git a/.gitlab/choco_build/choco_build.yml b/.gitlab/choco_build/choco_build.yml
@@ -6,7 +6,7 @@
 windows_choco_offline_7_x64:
   rules:
     !reference [.manual]
-  stage: choco_build
+  stage: choco_and_install_script_build
   tags: ["runner:windows-docker", "windowsversion:1809"]
   needs: ["windows_msi_and_bosh_zip_x64-a7"]
   variables:
@@ -28,7 +28,7 @@ windows_choco_offline_7_x64:
 windows_choco_online_7_x64:
   rules:
     !reference [.on_deploy_stable_or_beta_repo_branch_manual]
-  stage: choco_build
+  stage: choco_and_install_script_build
   tags: ["runner:windows-docker", "windowsversion:1809"]
   needs: ["deploy_staging_windows_tags-7"]
   variables:

diff --git a/.gitlab/choco_deploy/choco_deploy.yml b/.gitlab/choco_deploy/choco_deploy.yml
@@ -4,7 +4,7 @@
 
 publish_choco_7_x64:
   rules: !reference [.on_deploy_stable_or_beta_repo_branch_manual]
-  stage: choco_deploy
+  stage: choco_and_install_script_deploy
   tags: ["runner:windows-docker", "windowsversion:1809"]
   needs: ["windows_choco_online_7_x64"]
   variables:

diff --git a/.gitlab/powershell_script_deploy/powershell_script_deploy.yml b/.gitlab/powershell_script_deploy/powershell_script_deploy.yml
@@ -0,0 +1,28 @@
+# We could (should?) piggy back on deploy_installer_packages_windows-x64 to also deploy this
+# script to $S3_RELEASE_INSTALLER_ARTIFACTS_URI and have the agent-release-management repository
+# publish it to a production bucket like ddagent-windows-stable.
+# For now we can use the dd-agent-mstesting bucket to store the PowerShell script.
+powershell_script_deploy:
+  image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/ci/datadog-agent-buildimages/gitlab_agent_deploy$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+  tags: ["arch:amd64"]
+  stage: choco_and_install_script_deploy
+  rules:
+    !reference [.manual]
+  needs: ["powershell_script_signing"]
+  script:
+    - ls $WINDOWS_POWERSHELL_DIR
+    - $S3_CP_CMD $WINDOWS_POWERSHELL_DIR/Install-Datadog.ps1 s3://dd-agent-mstesting/Install-Datadog.ps1 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=id=3a6e02b08553fd157ae3fb918945dd1eaae5a1aa818940381ef07a430cf25732
+
+# Technically deploy_installer_packages_windows-x64 also uploads the bootstrapper to $S3_RELEASE_INSTALLER_ARTIFACTS_URI
+# but it requires changes in agent-release-management to deploy to a production bucket like ddagent-windows-stable.
+# For now we can use the dd-agent-mstesting bucket to store the bootstrapper.
+windows_bootstrapper_deploy:
+  image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/ci/datadog-agent-buildimages/gitlab_agent_deploy$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+  tags: ["arch:amd64"]
+  stage: choco_and_install_script_deploy
+  rules:
+    !reference [.manual]
+  needs: ["windows-installer-amd64"]
+  script:
+    - ls $OMNIBUS_PACKAGE_DIR
+    - $S3_CP_CMD $OMNIBUS_PACKAGE_DIR/datadog-installer-*-1-x86_64.exe s3://dd-agent-mstesting/datadog-installer-x86_64.exe --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=id=3a6e02b08553fd157ae3fb918945dd1eaae5a1aa818940381ef07a430cf25732
diff --git a/.gitlab/powershell_script_signing/powershell_script_signing.yml b/.gitlab/powershell_script_signing/powershell_script_signing.yml
@@ -0,0 +1,16 @@
+powershell_script_signing:
+  tags: ["runner:windows-docker", "windowsversion:1809"]
+  stage: choco_and_install_script_build
+  needs: []
+  variables:
+    ARCH: "x64"
+  rules:
+    !reference [.manual]
+  artifacts:
+    expire_in: 2 weeks
+    paths:
+      - $WINDOWS_POWERSHELL_DIR
+  script:
+    - mkdir $WINDOWS_POWERSHELL_DIR
+    - docker run --rm -v "$(Get-Location):c:\mnt" -e AWS_NETWORKING=true -e IS_AWS_CONTAINER=true 486234852809.dkr.ecr.us-east-1.amazonaws.com/ci/datadog-agent-buildimages/windows_1809_${ARCH}${Env:DATADOG_AGENT_WINBUILDIMAGES_SUFFIX}:${Env:DATADOG_AGENT_WINBUILDIMAGES} powershell -C "dd-wcs sign \mnt\tools\windows\DatadogAgentInstallScript\Install-Datadog.ps1"
+    - copy .\tools\windows\DatadogAgentInstallScript\Install-Datadog.ps1 $WINDOWS_POWERSHELL_DIR\Install-Datadog.ps1
diff --git a/tools/windows/DatadogAgentInstallScript/Install-Datadog.ps1 b/tools/windows/DatadogAgentInstallScript/Install-Datadog.ps1
@@ -128,8 +128,7 @@ function Start-ProcessWithOutput {
 # Set some defaults if not provided
 $ddInstallerUrl = $env:DD_INSTALLER_URL
 if (-Not $ddInstallerUrl) {
-   # Replace with https://s3.amazonaws.com/ddagent-windows-stable/datadog-installer-x86_64.exe when ready
-   $ddInstallerUrl = "https://s3.amazonaws.com/dd-agent-omnibus/datadog-installer-x86_64.exe"
+   $ddInstallerUrl = "https://s3.amazonaws.com/dd-agent-mstesting/datadog-installer-x86_64.exe"
 }
 
 $ddRemoteUpdates = $env:DD_REMOTE_UPDATES