Builds: Eliminate insecure docker login (Azure#5098) (Azure#5109)

Replacing manual docker login with the service connection approach. There is one occurrence of manual docker login I could not replace as it happens through an ssh connection. https://github.com/Azure/iotedge/blob/master/builds/misc/templates/mqtt-perf-setup.yaml#L44
suneetnangia · Jun 15, 2021 · ef31cbf · ef31cbf
1 parent dafe2ec
commit ef31cbf
Show file tree

Hide file tree

Showing 10 changed files with 120 additions and 119 deletions.
diff --git a/builds/e2e/templates/e2e-clear-docker-cached-images.yaml b/builds/e2e/templates/e2e-clear-docker-cached-images.yaml
@@ -1,6 +1,6 @@
 steps:
 - task: Docker@2
-  displayName: Docker login
+  displayName: Docker login edgebuilds
   inputs:
     command: login
     containerRegistry: iotedge-edgebuilds-acr

diff --git a/builds/misc/addons-publish.yaml b/builds/misc/addons-publish.yaml
@@ -20,13 +20,19 @@ jobs:
           - checkout: self
             clean: true
             fetchDepth: 100
-
-          - task: Bash@3
-            displayName: Log into Registries
+
+          # Both docker logins needed for if we need to test this job. In this case images should go to edgebuilds.
+          - task: Docker@2
+            displayName: Docker login edgebuilds
+            inputs:
+              command: login
+              containerRegistry: iotedge-edgebuilds-acr
+
+          - task: Docker@2
+            displayName: Docker login edgerelease
             inputs:
-              targetType: Inline
-              script: |
-                docker login $(registry.address) --username $(registry.user) --password $(registry.password)
+              command: login
+              containerRegistry: iotedge-release-acr
 
           - task: Bash@3
             displayName: 'Publish Api Proxy - Linux amd64'
@@ -51,4 +57,4 @@ jobs:
             inputs:
               targetType: filePath
               filePath: '$(System.DefaultWorkingDirectory)/scripts/linux/buildManifest.sh'
-              arguments: '-r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(version) -t $(System.DefaultWorkingDirectory)/edge-modules/api-proxy-module/docker/manifest.yaml.template -n $(to.registry.namespace) --tags "$(tags)"'
+              arguments: '-r $(registry.address) -v $(version) -t $(System.DefaultWorkingDirectory)/edge-modules/api-proxy-module/docker/manifest.yaml.template -n $(to.registry.namespace) --tags "$(tags)"'
diff --git a/builds/misc/addons-release.yaml b/builds/misc/addons-release.yaml
@@ -25,11 +25,17 @@ jobs:
             docker buildx use mbuilder
             docker -v
         displayName: 'Set build version'
-      - bash: |
-            # Need to login to EdgeBuilds Container Registry for base images.
-            docker login '$(build.registry.address)' --username '$(build.registry.user)' --password '$(build.registry.password)'
-            docker login '$(registry.address)' --username '$(registry.user)' --password '$(registry.password)'
-        displayName: 'Docker Login'
+      # Both docker logins needed for if we need to test this job. In this case images should go to edgebuilds.
+      - task: Docker@2
+        displayName: Docker login edgebuilds
+        inputs:
+          command: login
+          containerRegistry: iotedge-edgebuilds-acr
+      - task: Docker@2
+        displayName: Docker login edgerelease
+        inputs:
+          command: login
+          containerRegistry: iotedge-release-acr
       # Build API Proxy executable
       - template: templates/build-api-proxy.yaml
       # Build API Proxy Image
@@ -54,12 +60,23 @@ jobs:
     dependsOn:
       - linux_API_proxy_module
     steps:
+    # Both docker logins needed for if we need to test this job. In this case images should go to edgebuilds.
+    - task: Docker@2
+      displayName: Docker login edgebuilds
+      inputs:
+        command: login
+        containerRegistry: iotedge-edgebuilds-acr
+    - task: Docker@2
+      displayName: Docker login edgerelease
+      inputs:
+        command: login
+        containerRegistry: iotedge-release-acr
     - bash: |
           if [ -z '$(version)' ]; then
             echo '##vso[task.setvariable variable=buildVersion]$(Build.BuildNumber)'
           else
             echo '##vso[task.setvariable variable=buildVersion]$(version)'
           fi
       displayName: 'Set build version'
-    - script: scripts/linux/buildManifest.sh -r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(buildVersion) -t $(System.DefaultWorkingDirectory)/edge-modules/api-proxy-module/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
+    - script: scripts/linux/buildManifest.sh -r $(registry.address) -v $(buildVersion) -t $(System.DefaultWorkingDirectory)/edge-modules/api-proxy-module/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
       displayName: 'Publish azureiotedge-api-proxy Manifest'
diff --git a/builds/misc/images-mqtt.yaml b/builds/misc/images-mqtt.yaml
@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - task: Docker@2
-        displayName: Docker Login
+        displayName: Docker login edgebuilds
         inputs:
           command: login
           containerRegistry: iotedge-edgebuilds-acr
@@ -72,7 +72,7 @@ jobs:
 
     steps:
       - task: Docker@2
-        displayName: Docker Login
+        displayName: Docker login edgebuilds
         inputs:
           command: login
           containerRegistry: iotedge-edgebuilds-acr

diff --git a/builds/misc/images-release.yaml b/builds/misc/images-release.yaml
@@ -14,11 +14,19 @@ jobs:
     pool: 
       vmImage: ubuntu-18.04
     steps: 
-      # Setup dependencies
-      - bash: |
-            docker login '$(build.registry.address)' --username '$(build.registry.user)' --password '$(build.registry.password)'
-            docker login '$(registry.address)' --username '$(registry.user)' --password '$(registry.password)'
-        displayName: 'Docker Login'
+      # Both docker logins needed for if we need to test this job. In this case images should go to edgebuilds.
+      - task: Docker@2
+        displayName: Docker login edgebuilds
+        inputs:
+          command: login
+          containerRegistry: iotedge-edgebuilds-acr
+      - task: Docker@2
+        displayName: Docker login edgerelease
+        inputs:
+          command: login
+          containerRegistry: iotedge-release-acr
+      # Dotnet 2 needed for codesign
+      - template: ../templates/install-dotnet2.yaml
       - template: ../templates/install-dotnet3.yaml
       - template: ../templates/dotnet3-globaljson.yaml # use dotnet 3 as primary install for build
       # Build
@@ -326,11 +334,22 @@ jobs:
     dependsOn:
       - linux_dotnet_projects
     steps:
-    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -u '$(registry.user)' -p '$(registry.password)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-modules/iotedge-diagnostics-dotnet/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
+    # Both docker logins needed for if we need to test this job. In this case images should go to edgebuilds.
+    - task: Docker@2
+      displayName: Docker login edgebuilds
+      inputs:
+        command: login
+        containerRegistry: iotedge-edgebuilds-acr
+    - task: Docker@2
+      displayName: Docker login edgerelease
+      inputs:
+        command: login
+        containerRegistry: iotedge-release-acr
+    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-modules/iotedge-diagnostics-dotnet/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
       displayName: 'Publish azureiotedge-diagnostics Manifest'
-    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -u '$(registry.user)' -p '$(registry.password)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-agent/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
+    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-agent/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
       displayName: 'Publish Edge Agent Manifest'
-    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -u '$(registry.user)' -p '$(registry.password)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-hub/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
+    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-hub/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
       displayName: 'Publish Edge Hub Manifest'
-    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -u '$(registry.user)' -p '$(registry.password)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-modules/SimulatedTemperatureSensor/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
+    - script: scripts/linux/buildManifest.sh -r '$(registry.address)' -v '$(version)' -t '$(System.DefaultWorkingDirectory)/edge-modules/SimulatedTemperatureSensor/docker/manifest.yaml.template' -n '$(namespace)' --tags '$(tags)'
       displayName: 'Publish Temperature Sensor Manifest'
diff --git a/builds/misc/images.yaml b/builds/misc/images.yaml
@@ -20,8 +20,11 @@ jobs:
     steps:
       - template: ../templates/install-dotnet3.yaml
 
-      - bash: 'docker login $(registry.address) --username $(registry.user) --password $(registry.password)'
-        displayName: 'Docker Login'
+      - task: Docker@2
+        displayName: Docker login edgebuilds
+        inputs:
+          command: login
+          containerRegistry: iotedge-edgebuilds-acr
 
       - script: scripts/linux/buildBranch.sh -c $(Build.Configuration) --no-rocksdb-bin
         name: build
@@ -193,15 +196,18 @@ jobs:
     pool:
       vmImage: 'ubuntu-18.04'
     steps:
+      - task: Docker@2
+        displayName: Docker login edgebuilds
+        inputs:
+          command: login
+          containerRegistry: iotedge-edgebuilds-acr
       - bash: |
             sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static && \
             docker run --rm --privileged multiarch/qemu-user-static --reset -p yes && \
             docker buildx rm  mbuilder || true  && \
             docker buildx create --name mbuilder  || true  && \
             docker buildx use mbuilder
             docker -v
-      - bash: 'docker login $(registry.address) --username $(registry.user) --password $(registry.password)'
-        displayName: 'Docker Login'
       # Build API Proxy executable
       - template: templates/build-api-proxy.yaml
       # Build API Proxy Image
@@ -246,13 +252,18 @@ jobs:
     variables:
       tags: "['latest']"
     steps:
-    - script: scripts/linux/buildManifest.sh -r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-agent/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
+    - task: Docker@2
+      displayName: Docker login edgebuilds
+      inputs:
+        command: login
+        containerRegistry: iotedge-edgebuilds-acr
+    - script: scripts/linux/buildManifest.sh -r $(registry.address) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-agent/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
       displayName: 'Publish Edge Agent Manifest'
-    - script: scripts/linux/buildManifest.sh -r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-hub/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
+    - script: scripts/linux/buildManifest.sh -r $(registry.address) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-hub/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
       displayName: 'Publish Edge Hub Manifest'
-    - script: scripts/linux/buildManifest.sh -r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-modules/SimulatedTemperatureSensor/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
+    - script: scripts/linux/buildManifest.sh -r $(registry.address) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-modules/SimulatedTemperatureSensor/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
       displayName: 'Publish Temperature Sensor Manifest'
-    - script: scripts/linux/buildManifest.sh -r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-modules/iotedge-diagnostics-dotnet/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
+    - script: scripts/linux/buildManifest.sh -r $(registry.address) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-modules/iotedge-diagnostics-dotnet/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
       displayName: 'Publish azureiotedge-diagnostics Manifest'
-    - script: scripts/linux/buildManifest.sh -r $(registry.address) -u $(registry.user) -p $(registry.password) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-modules/api-proxy-module/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
+    - script: scripts/linux/buildManifest.sh -r $(registry.address) -v $(Build.BuildNumber) -t $(System.DefaultWorkingDirectory)/edge-modules/api-proxy-module/docker/manifest.yaml.template -n microsoft --tags "$(tags)"
       displayName: 'Publish azureiotedge-api-proxy Manifest'
diff --git a/builds/misc/templates/image-linux.yaml b/builds/misc/templates/image-linux.yaml
@@ -11,15 +11,15 @@ steps:
     displayName: Build Image - ${{ parameters.name }} - amd64
     inputs:
       filePath: scripts/linux/buildImage.sh
-      arguments: -r "$(registry.address)" -u "$(registry.user)" -p "$(registry.password)" -i "${{ parameters.imageName }}" -n "${{ parameters.namespace }}" -P "${{ parameters.project }}" -v "${{ parameters.version }}"
+      arguments: -r "$(registry.address)" -i "${{ parameters.imageName }}" -n "${{ parameters.namespace }}" -P "${{ parameters.project }}" -v "${{ parameters.version }}"
   - task: Bash@3
     displayName: Build Image - ${{ parameters.name }} - arm32
     inputs:
       filePath: scripts/linux/buildImage.sh
-      arguments: -r "$(registry.address)" -u "$(registry.user)" -p "$(registry.password)" -i "${{ parameters.imageName }}" -n "${{ parameters.namespace }}" -P "${{ parameters.project }}" -v "${{ parameters.version }}" --target-arch armv7l --buildx_flag ${{ parameters.buildx_flag }}  
+      arguments: -r "$(registry.address)" -i "${{ parameters.imageName }}" -n "${{ parameters.namespace }}" -P "${{ parameters.project }}" -v "${{ parameters.version }}" --target-arch armv7l --buildx_flag ${{ parameters.buildx_flag }}  
   - task: Bash@3
     displayName: Build Image - ${{ parameters.name }} - arm64 
     condition: and(ne('${{ parameters.name }}', 'Functions Sample'), succeeded())
     inputs:
       filePath: scripts/linux/buildImage.sh
-      arguments: -r "$(registry.address)" -u "$(registry.user)" -p "$(registry.password)" -i "${{ parameters.imageName }}" -n "${{ parameters.namespace }}" -P "${{ parameters.project }}" -v "${{ parameters.version }}" --target-arch aarch64 --buildx_flag ${{ parameters.buildx_flag }}
+      arguments: -r "$(registry.address)" -i "${{ parameters.imageName }}" -n "${{ parameters.namespace }}" -P "${{ parameters.project }}" -v "${{ parameters.version }}" --target-arch aarch64 --buildx_flag ${{ parameters.buildx_flag }}
diff --git a/builds/templates/install-dotnet2.yaml b/builds/templates/install-dotnet2.yaml
@@ -0,0 +1,6 @@
+steps:
+  - task: UseDotNet@2
+    displayName: Install .NET Core sdk
+    inputs:
+      packageType: sdk
+      version: 2.2.207
diff --git a/scripts/linux/buildImage.sh b/scripts/linux/buildImage.sh
@@ -53,8 +53,6 @@ usage()
     echo " -i, --image-name     Image name (e.g. edge-agent)"
     echo " -P, --project        Project to build image for (e.g. Microsoft.Azure.Devices.Edge.Agent.Service)"
     echo " -r, --registry       Docker registry required to build, tag and run the module"
-    echo " -u, --username       Docker Registry Username"
-    echo " -p, --password       Docker Username's password"
     echo " -n, --namespace      Docker namespace (default: $DEFAULT_DOCKER_NAMESPACE)"
     echo " -v, --image-version  Docker Image Version. Either use this option or set env variable BUILD_BUILDNUMBER"
     echo " -t, --target-arch    Target architecture (default: uname -m)"
@@ -83,50 +81,42 @@ process_args()
             DOCKER_REGISTRY="$arg"
             save_next_arg=0
         elif [[ ${save_next_arg} -eq 2 ]]; then
-            DOCKER_USERNAME="$arg"
-            save_next_arg=0
-        elif [[ ${save_next_arg} -eq 3 ]]; then
-            DOCKER_PASSWORD="$arg"
-            save_next_arg=0
-        elif [[ ${save_next_arg} -eq 4 ]]; then
             DOCKER_IMAGEVERSION="$arg"
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 5 ]]; then
+        elif [[ ${save_next_arg} -eq 3 ]]; then
             BUILD_BINARIESDIRECTORY="$arg"
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 6 ]]; then
+        elif [[ ${save_next_arg} -eq 4 ]]; then
             BASE_TAG="$arg"
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 7 ]]; then
+        elif [[ ${save_next_arg} -eq 5 ]]; then
             ARCH="$arg"
             check_arch
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 8 ]]; then
+        elif [[ ${save_next_arg} -eq 6 ]]; then
             PROJECT="$arg"
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 9 ]]; then
+        elif [[ ${save_next_arg} -eq 7 ]]; then
             DOCKER_IMAGENAME="$arg"
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 10 ]]; then
+        elif [[ ${save_next_arg} -eq 8 ]]; then
             DOCKER_NAMESPACE="$arg"
             save_next_arg=0
-        elif [[ ${save_next_arg} -eq 11 ]]; then
+        elif [[ ${save_next_arg} -eq 9 ]]; then
             DOCKER_USE_BUILDX="$arg"
             save_next_arg=0            
         else
             case "$arg" in
                 "-h" | "--help" ) usage;;
                 "-r" | "--registry" ) save_next_arg=1;;
-                "-u" | "--username" ) save_next_arg=2;;
-                "-p" | "--password" ) save_next_arg=3;;
-                "-v" | "--image-version" ) save_next_arg=4;;
-                "--bin-dir" ) save_next_arg=5;;
-                "--base-tag" ) save_next_arg=6;;
-                "-t" | "--target-arch" ) save_next_arg=7;;
-                "-P" | "--project" ) save_next_arg=8;;
-                "-i" | "--image-name" ) save_next_arg=9;;
-                "-n" | "--namespace" ) save_next_arg=10;;
-                "-b" | "--buildx_flag" ) save_next_arg=11;;
+                "-v" | "--image-version" ) save_next_arg=2;;
+                "--bin-dir" ) save_next_arg=3;;
+                "--base-tag" ) save_next_arg=4;;
+                "-t" | "--target-arch" ) save_next_arg=5;;
+                "-P" | "--project" ) save_next_arg=6;;
+                "-i" | "--image-name" ) save_next_arg=7;;
+                "-n" | "--namespace" ) save_next_arg=8;;
+                "-b" | "--buildx_flag" ) save_next_arg=9;;
                 "--skip-push" ) SKIP_PUSH=1 ;;
                 * ) usage;;
             esac
@@ -138,18 +128,6 @@ process_args()
         print_help_and_exit
     fi
 
-    if [[ ${SKIP_PUSH} -eq 0 ]]; then
-        if [[ -z ${DOCKER_USERNAME} ]]; then
-            echo "Docker username parameter invalid"
-            print_help_and_exit
-        fi
-
-        if [[ -z ${DOCKER_PASSWORD} ]]; then
-            echo "Docker password parameter invalid"
-            print_help_and_exit
-        fi
-    fi
-
     if [[ -z ${DOCKER_IMAGENAME} ]]; then
         echo "Docker image name parameter invalid"
         print_help_and_exit
@@ -284,15 +262,6 @@ docker_build_and_tag_and_push()
 check_arch
 process_args "$@"
 
-# log in to container registry
-if [[ ${SKIP_PUSH} -eq 0 ]]; then
-    docker login "${DOCKER_REGISTRY}" -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}"
-    if [[ $? -ne 0 ]]; then
-        echo "Docker login failed!"
-        exit 1
-    fi
-fi
-
 build_args=( "EXE_DIR=." )
 [[ -z "$BASE_TAG" ]] || build_args+=( "base_tag=$BASE_TAG" )