Publish and Verify image using CI/CD Pipeline (fluent#19)

Publish and Verify image using CI/CD Pipeline

buildspec.yml

@@ -0,0 +1,21 @@
+version: 0.2         
+phases:
+  install:
+    runtime-versions:
+      golang: 1.12
+  pre_build:
+    commands:
+      - echo Building the AWS for Fluent Bit image
+  build:
+    commands:
+      # Command to build your project
+      - make release
+
+      # List the docker images 
+      - docker images
+
+      # Push the image to ECR in the same account and same region the pipeline is hosted.
+      - ecs-cli push amazon/aws-for-fluent-bit-test:latest
+artifacts:
+  files:
+    - '**/*'

buildspec_integ.yml

@@ -0,0 +1,28 @@
+version: 0.2         
+phases:
+  install:
+    runtime-versions:
+      golang: 1.12
+  pre_build:
+    commands:
+      - echo Running the integration test
+  build:
+    commands:
+      # Get the default credentials and set as environment variables
+      - 'CREDS=`curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`'
+      - 'export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .AccessKeyId`'
+      - 'export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .SecretAccessKey`'
+      - 'export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Token`'
+
+      # Pull the image that we built and pushed in the `Build` stage
+      - 'ecs-cli pull amazon/aws-for-fluent-bit-test:latest'                                                            
+      - 'docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:latest amazon/aws-for-fluent-bit:latest'
+
+      # List the images to do a double check
+      - 'docker images'
+
+      # Command to run the integration test
+      - 'make integ'
+artifacts:
+  files:
+    - '**/*'

buildspec_publish_dockerhub.yml

@@ -0,0 +1,25 @@
+version: 0.2         
+phases:
+  install:
+    runtime-versions:
+      golang: 1.12
+  pre_build:
+    commands:
+      - echo Publish the image to DockerHub
+  build:
+    commands:
+      # Pull the image that we built and pushed in the `Build` stage
+      - 'ecs-cli pull amazon/aws-for-fluent-bit-test:latest'
+      - 'docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:latest amazon/aws-for-fluent-bit:latest'
+
+      # List the docker images 
+      - docker images
+
+      # Push the image to dockerhub
+      - 'DRY_RUN="false" ./scripts/publish.sh cicd-publish dockerhub'
+
+      # Pull the image from dockerhub and verify
+      - './scripts/publish.sh cicd-verify dockerhub'
+artifacts:
+  files:
+    - '**/*'

buildspec_publish_ecr.yml

@@ -0,0 +1,48 @@
+version: 0.2         
+phases:
+  install:
+    runtime-versions:
+      golang: 1.12
+  pre_build:
+    commands:
+      - echo Publish the image to ECR
+  build:
+    commands:
+      # Pull the image that we built and pushed in the `Build` stage
+      - 'ecs-cli pull amazon/aws-for-fluent-bit-test:latest'
+      - 'docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:latest amazon/aws-for-fluent-bit:latest'
+
+      # List the docker images 
+      - docker images
+
+      # Assume role to publish, get the credentials, and set them as environment variables
+      - |
+        if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
+          CREDS=`aws sts assume-role --role-arn ${PUBLISH_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
+          export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
+          export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
+          export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
+        fi
+
+      # Push the image to ECR 
+      - './scripts/publish.sh cicd-publish ${REGION_TO_PUSH}'
+
+      # Nullify the temporary credentials for the assumed role to publish
+      - |
+        if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
+          export AWS_ACCESS_KEY_ID=
+          export AWS_SECRET_ACCESS_KEY=
+          export AWS_SESSION_TOKEN=
+        fi
+
+      # Assume role to verify, get the credentials, and set them as environment variables
+      - CREDS=`aws sts assume-role --role-arn ${VERIFY_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
+      - export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
+      - export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
+      - export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
+
+      # Verify from the verification account
+      - './scripts/publish.sh cicd-verify ${REGION_TO_PUSH}'
+artifacts:
+  files:
+    - '**/*'

scripts/publish.sh

@@ -17,6 +17,8 @@ set -xeuo pipefail
 scripts=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 cd "${scripts}"
 
+IMAGE_SHA_MATCHED="FALSE"
+
 classic_regions="
 us-east-1
 eu-west-1
@@ -152,6 +154,50 @@ verify_ecr() {
 	account_id=${2}
 	pull_ecr ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:latest ${region}
 	pull_ecr ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION} ${region}
+
+	# Get the image SHA's
+	sha1=$(docker inspect --format='{{index .RepoDigests 0}}' ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:latest)
+	sha2=$(docker inspect --format='{{index .RepoDigests 0}}' ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION})
+
+	verify_sha $sha1 $sha2
+}
+
+verify_dockerhub() {
+	# Get the image SHA's
+	sha1=$(docker pull amazon/aws-for-fluent-bit:latest | grep sha256: | cut -f 3 -d :)
+	sha2=$(docker pull amazon/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION} | grep sha256: | cut -f 3 -d :)
+
+	verify_sha $sha1 $sha2
+}
+
+verify_sha() {
+	sha1=${1}
+	sha2=${2}
+
+	match_two_sha $sha1 $sha2
+
+	if [ "$IMAGE_SHA_MATCHED" = "TRUE" ]; then
+		echo '[Publish Verification] Successfull'
+		IMAGE_SHA_MATCHED="FALSE"
+	else
+		echo '[Publish Verification] Failed'
+		exit 1
+	fi
+}
+
+match_two_sha() {
+	sha1=${1}
+	sha2=${2}
+
+	# Get the last 64 chars of the SHA string
+	last64_1=$(echo $sha1 | egrep -o '.{1,64}$')
+	last64_2=$(echo $sha2 | egrep -o '.{1,64}$')
+
+	if [ "$last64_1" = "$last64_2" ]; then
+		IMAGE_SHA_MATCHED="TRUE"
+	else
+		IMAGE_SHA_MATCHED="FALSE"
+	fi
 }
 
 AWS_FOR_FLUENT_BIT_VERSION=$(cat ../AWS_FOR_FLUENT_BIT_VERSION)
@@ -313,3 +359,34 @@ if [ "${1}" = "rollback-ssm" ]; then
 		rollback_ssm ${bahrain_region}
 	fi
 fi
+
+# Publish using CI/CD pipeline
+# Following scripts will be called only from the CI/CD pipeline
+if [ "${1}" = "cicd-publish" ]; then
+	if [ "${2}" = "dockerhub" ]; then
+		publish_to_docker_hub amazon/aws-for-fluent-bit:latest amazon/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION}
+	elif [ "${2}" = "aws-us-gov" ]; then
+		for region in ${gov_regions}; do
+			gov_cloud_sync ${region} ${gov_regions_account_id} 
+		done
+	elif [ "${2}" = "${hongkong_region}" ]; then
+		publish_ecr ${hongkong_region} ${hongkong_account_id}
+	elif [ "${2}" = "${bahrain_region}" ]; then
+		publish_ecr ${bahrain_region} ${bahrain_account_id}
+	else
+		publish_ecr "${2}" ${classic_regions_account_id}
+	fi
+fi
+
+# Verify using CI/CD pipeline
+if [ "${1}" = "cicd-verify" ]; then
+	if [ "${2}" = "dockerhub" ]; then
+		verify_dockerhub
+	elif [ "${2}" = "${hongkong_region}" ]; then
+		verify_ecr ${hongkong_region} ${hongkong_account_id}
+	elif [ "${2}" = "${bahrain_region}" ]; then
+		verify_ecr ${bahrain_region} ${bahrain_account_id}
+	else
+		verify_ecr "${2}" ${classic_regions_account_id}
+	fi
+fi