Build Windows FIPS Agent containers (DataDog#31727)
clarkb7 authored Dec 6, 2024
1 parent bf19c87 commit 12815d6
Showing 5 changed files with 101 additions and 110 deletions.
16 changes: 16 additions & 0 deletions .gitlab/container_build/docker_windows.yml
Expand Up @@ -62,5 +62,21 @@
BUILD_ARG: "--build-arg BASE_IMAGE=mcr.microsoft.com/powershell:windowsservercore-${VARIANT} --build-arg WITH_JMX=${WITH_JMX} --build-arg VARIANT=${VARIANT} --build-arg INSTALL_INFO=core-${VARIANT}"
SERVERCORE: "-servercore"

.docker_build_fips_agent7_windows_common:
extends:
- .docker_build_agent7_windows_common
needs:
["windows_msi_and_bosh_zip_x64-a7-fips", "build_windows_container_entrypoint"]
variables:
AGENT_ZIP: "datadog-fips-agent-7*-x86_64.zip"
BUILD_ARG: "--build-arg BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-${VARIANT} --build-arg WITH_JMX=${WITH_JMX} --build-arg WITH_FIPS=true --build-arg VARIANT=${VARIANT} --build-arg INSTALL_INFO=nano-${VARIANT}-fips"

.docker_build_fips_agent7_windows_servercore_common:
extends:
- .docker_build_fips_agent7_windows_common
variables:
BUILD_ARG: "--build-arg BASE_IMAGE=mcr.microsoft.com/powershell:windowsservercore-${VARIANT} --build-arg WITH_JMX=${WITH_JMX} --build-arg WITH_FIPS=true --build-arg VARIANT=${VARIANT} --build-arg INSTALL_INFO=core-${VARIANT}-fips"
SERVERCORE: "-servercore"

include:
- .gitlab/container_build/docker_windows_agent7.yml
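Review bot: `--build-arg WITH_FIPS=true` is embedded in the `BUILD_ARG` string, and `extends` replaces that string as a whole rather than merging it, which is why `.docker_build_fips_agent7_windows_servercore_common` has to repeat the flag. Any later override of `BUILD_ARG` that forgets it falls back to the Dockerfile default `WITH_FIPS="false"`, and `install-fips.ps1` then exits 0 without doing the FIPS setup while the job still carries a FIPS name. A comment above both `BUILD_ARG` lines would make the constraint explicit: `# extends replaces BUILD_ARG as a whole; every override must keep --build-arg WITH_FIPS=true`.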
20 changes: 18 additions & 2 deletions .gitlab/container_build/docker_windows_agent7.yml
Expand Up @@ -21,7 +21,6 @@ docker_build_agent7_windows2022_jmx:
extends:
- .docker_build_agent7_windows_common
tags: ["runner:windows-docker", "windowsversion:2022"]
needs: ["windows_msi_and_bosh_zip_x64-a7", "build_windows_container_entrypoint"]
variables:
VARIANT: ltsc2022
TAG_SUFFIX: -7-jmx
Expand Down Expand Up @@ -67,8 +66,25 @@ docker_build_agent7_windows2022_core_jmx:
extends:
- .docker_build_agent7_windows_servercore_common
tags: ["runner:windows-docker", "windowsversion:2022"]
needs: ["windows_msi_and_bosh_zip_x64-a7", "build_windows_container_entrypoint"]
variables:
VARIANT: ltsc2022
TAG_SUFFIX: -7-jmx
WITH_JMX: "true"

docker_build_fips_agent7_windows2022_core:
extends:
- .docker_build_fips_agent7_windows_servercore_common
tags: ["runner:windows-docker", "windowsversion:2022"]
variables:
VARIANT: ltsc2022
TAG_SUFFIX: "-7-fips"
WITH_JMX: "false"

docker_build_fips_agent7_windows2022_core_jmx:
extends:
- .docker_build_fips_agent7_windows_servercore_common
tags: ["runner:windows-docker", "windowsversion:2022"]
variables:
VARIANT: ltsc2022
TAG_SUFFIX: -7-fips-jmx
WITH_JMX: "true"
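Review bot: The two new jobs quote `TAG_SUFFIX` differently: `docker_build_fips_agent7_windows2022_core` has `TAG_SUFFIX: "-7-fips"`, while `docker_build_fips_agent7_windows2022_core_jmx` uses the plain scalar `TAG_SUFFIX: -7-fips-jmx`. Both load as strings, but a value that starts with `-` is easy to misread as a sequence entry. Quoting the second one as well, `TAG_SUFFIX: "-7-fips-jmx"`, keeps the new jobs consistent with each other.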
155 changes: 49 additions & 106 deletions .gitlab/dev_container_deploy/docker_windows.yml
Expand Up @@ -2,11 +2,9 @@
include:
- .gitlab/common/container_publish_job_templates.yml

dev_branch-a7-windows:
.dev_a7-windows-common:
extends: .docker_publish_job_definition
stage: dev_container_deploy
rules:
!reference [.manual]
needs:
- docker_build_agent7_windows1809
- docker_build_agent7_windows1809_jmx
Expand All @@ -23,16 +21,16 @@ dev_branch-a7-windows:
# Multi-arch
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win
IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-win
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win
IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-jmx-win
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore
IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-win-servercore
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore
IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-jmx-win-servercore
# ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-amd64"
Expand Down Expand Up @@ -60,118 +58,63 @@ dev_branch-a7-windows:
IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2022

dev_branch-a7-windows:
extends: .dev_a7-windows-common
rules:
!reference [.manual]
variables:
IMG_DESTINATION_SLUG: ${CI_COMMIT_REF_SLUG}

dev_master-a7-windows:
extends: .docker_publish_job_definition
stage: dev_container_deploy
extends: .dev_a7-windows-common
rules:
!reference [.on_main]
needs:
- docker_build_agent7_windows1809
- docker_build_agent7_windows1809_jmx
- docker_build_agent7_windows1809_core
- docker_build_agent7_windows1809_core_jmx
- docker_build_agent7_windows2022
- docker_build_agent7_windows2022_jmx
- docker_build_agent7_windows2022_core
- docker_build_agent7_windows2022_core_jmx
variables:
IMG_REGISTRIES: dev
parallel:
matrix:
# Multi-arch
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:master-py3-win
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:master-py3-jmx-win
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:master-py3-win-servercore
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:master-py3-jmx-win-servercore
# ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2019
# ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2022
IMG_DESTINATION_SLUG: master

dev_nightly-a7-windows:
extends: .docker_publish_job_definition
stage: dev_container_deploy
extends: .dev_a7-windows-common
rules:
!reference [.on_deploy_nightly_repo_branch]
variables:
IMG_DESTINATION_SLUG: nightly

.dev_fips-a7-windows-common:
extends: .docker_publish_job_definition
stage: dev_container_deploy
needs:
- docker_build_agent7_windows1809
- docker_build_agent7_windows1809_jmx
- docker_build_agent7_windows1809_core
- docker_build_agent7_windows1809_core_jmx
- docker_build_agent7_windows2022
- docker_build_agent7_windows2022_jmx
- docker_build_agent7_windows2022_core
- docker_build_agent7_windows2022_core_jmx
- docker_build_fips_agent7_windows2022_core
- docker_build_fips_agent7_windows2022_core_jmx
variables:
IMG_REGISTRIES: dev
# Only publish ltsc2022 servercore for now, that's all that's used by the integrations testing
parallel:
matrix:
# Multi-arch
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-win
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-jmx-win
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-win-servercore
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-jmx-win-servercore
# ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2019
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-win1809-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2019
# ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
IMG_SOURCES: "%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_SOURCES: "%BASE%-winltsc2022-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7"
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-fips"
IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-fips-win-servercore-ltsc2022
- IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-fips-jmx"
IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64"
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2022
IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-fips-jmx-win-servercore-ltsc2022

dev_branch-fips-a7-windows:
extends: .dev_fips-a7-windows-common
rules:
!reference [.manual]
variables:
IMG_DESTINATION_SLUG: ${CI_COMMIT_REF_SLUG}

dev_master-fips-a7-windows:
extends: .dev_fips-a7-windows-common
rules:
!reference [.on_main]
variables:
IMG_DESTINATION_SLUG: master

dev_nightly-fips-a7-windows:
extends: .dev_fips-a7-windows-common
rules:
!reference [.on_deploy_nightly_repo_branch]
variables:
IMG_DESTINATION_SLUG: nightly
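Review bot: `dev_nightly-a7-windows` now sets `IMG_DESTINATION_SLUG: nightly`, so its multi-arch destinations become moving tags such as `agent-dev:nightly-py3-win`, whereas the matrix it appears to replace published per-commit tags like `agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-win`. If the per-commit nightly tags are still wanted, `IMG_DESTINATION_SLUG: nightly-${CI_COMMIT_SHORT_SHA}` would preserve them. In `.dev_fips-a7-windows-common`, both visible `IMG_DESTINATIONS` entries use `${CI_COMMIT_REF_SLUG}` rather than `${IMG_DESTINATION_SLUG}`, so the slug set by `dev_master-fips-a7-windows` and `dev_nightly-fips-a7-windows` looks unused and all three FIPS jobs would push the same tag names. Either switch those two destinations to `${IMG_DESTINATION_SLUG}` or drop the variable from the FIPS jobs. Part of the non-FIPS matrix is collapsed on this page, so this rests on the visible lines only.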
19 changes: 17 additions & 2 deletions Dockerfiles/agent/install-fips.ps1
@@ -1,5 +1,16 @@
$ErrorActionPreference = 'Stop'

# Removes temporary files for FIPS setup
function Remove-TempFiles {
Remove-Item -Force -Recurse \fips-build
}

if ("$env:WITH_FIPS" -ne "true") {
# If FIPS is not enabled, skip the FIPS setup
Remove-TempFiles
exit 0
}

$maven_sha512 = '8BEAC8D11EF208F1E2A8DF0682B9448A9A363D2AD13CA74AF43705549E72E74C9378823BF689287801CBBFC2F6EA9596201D19CCACFDFB682EE8A2FF4C4418BA'

if ("$env:WITH_JMX" -ne "false") {
Expand All @@ -18,6 +29,10 @@ if ("$env:WITH_JMX" -ne "false") {
if (!$?) {
Write-Error ("BouncyCastle self check failed with exit code: {0}" -f $LASTEXITCODE)
}
cd \
}
cd \
Remove-Item -Force -Recurse \fips-build

# TODO: Run openssl fipsinstall command here when embedded Python work is completed
# HERE

Remove-TempFiles
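Review bot: The early-exit guard treats every value other than `true` as "FIPS off" and exits 0, so a mistyped `WITH_FIPS` value (for example `1` or `yes`) gives a successful build with no FIPS setup. Rejecting unexpected values before the skip makes that failure loud: `if ("$env:WITH_FIPS" -notin @("true", "false")) { Write-Error "WITH_FIPS must be 'true' or 'false'" }`. The TODO shows that `openssl fipsinstall` is not run yet, so a one-line comment saying that only the JMX/BouncyCastle part is configured for now would stop readers assuming a `-fips` image is complete. The stray `# HERE` marker can then be dropped.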
1 change: 1 addition & 0 deletions Dockerfiles/agent/windows/amd64/Dockerfile
Expand Up @@ -7,6 +7,7 @@ ARG WITH_JMX="false"
ARG VARIANT="unknown"
ARG INSTALL_INFO="unknown"
ARG GENERAL_ARTIFACTS_CACHE_BUCKET_URL
ARG WITH_FIPS="false"

LABEL maintainer "Datadog <[email protected]>"
