feat(client): add official build + publishing pipeline definition (#153)

Co-authored-by: Cameron Meissner <cameissner@microsoft.com>

Author: cameronmeissner

.pipelines/client/e2e.yaml

@@ -11,7 +11,6 @@ pr:
     - client/go.sum
     - client/**/*.go
     - .pipelines/client/e2e.yaml
-    - .pipelines/client/scripts/common.sh
     - .pipelines/client/scripts/run-pipeline.sh
 
 pool:

.pipelines/client/publish.yaml

@@ -0,0 +1,88 @@
+parameters:
+  - name: VERSION
+    displayName: Version
+    type: string
+
+stages:
+- stage: build
+  jobs:
+  - job: build_linux_amd64
+    displayName: Build linux-amd64
+    pool:
+      name: $(AMD64_POOL_NAME)
+    dependsOn: []
+    steps:
+    - template: templates/build-template.yaml
+      parameters:
+        VERSION: ${{ parameters.VERSION }}
+        OS: linux
+        ARCH: amd64
+
+  - job: build_linux_arm64
+    displayName: Build linux-arm64
+    pool:
+      name: $(ARM64_POOL_NAME)
+    dependsOn: []
+    steps:
+    - template: templates/build-template.yaml
+      parameters:
+        VERSION: ${{ parameters.VERSION }}
+        OS: linux
+        ARCH: arm64
+
+  - job: build_windows_amd64
+    displayName: Build windows-amd64
+    pool:
+      name: $(AMD64_POOL_NAME)
+    dependsOn: []
+    steps:
+    - template: templates/build-template.yaml
+      parameters:
+        VERSION: ${{ parameters.VERSION }}
+        OS: windows
+        ARCH: amd64
+        EXTENSION: .exe
+      
+- stage: publish
+  pool:
+    name: $(AMD64_POOL_NAME)
+  dependsOn: build
+  jobs:
+  - job: publish
+    steps:
+    - checkout: self
+
+    - task: DownloadPipelineArtifact@2
+      displayName: Download linux-amd64
+      inputs:
+        buildType: current
+        artifactName: linux-amd64
+        path: $(Build.ArtifactStagingDirectory)
+
+    - task: DownloadPipelineArtifact@2
+      displayName: Download linux-arm64
+      inputs:
+        buildType: current
+        artifactName: linux-arm64
+        path: $(Build.ArtifactStagingDirectory)
+
+    - task: DownloadPipelineArtifact@2
+      displayName: Download windows-amd64
+      inputs:
+        buildType: current
+        artifactName: windows-amd64
+        path: $(Build.ArtifactStagingDirectory)
+
+    - bash: /bin/bash .pipelines/client/scripts/generate-github-token.sh
+      env:
+        PRIVATE_KEY: $(aks-node-sig-release-assistant-private-key)
+        CLIENT_ID: $(aks-node-sig-release-assistant-client-id)
+        INSTALLATION_ID: $(aks-node-sig-release-assistant-installation-id)
+      displayName: Generate GitHub token
+
+    - bash: /bin/bash .pipelines/client/scripts/github-publish.sh
+      env:
+        ARTIFACT_DIRECTORY: "$(Build.ArtifactStagingDirectory)"
+        VERSION: ${{ parameters.Version }}
+        GITHUB_TOKEN: $(GITHUB_TOKEN)
+      displayName: Publish new GitHub release

.pipelines/client/scripts/build.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -euxo pipefail
+
+[ -z "${VERSION:-}" ] && echo "VERSION must be specified" && exit 1
+[ -z "${OS:-}" ] && echo "OS must be specified" && exit 1
+[ -z "${ARCH:-}" ] && echo "ARCH must be specified" && exit 1
+[ -z "${STAGING_DIRECTORY:-}" ] && echo "STAGING_DIRECTORY must be specified" && exit 1
+
+EXTENSION="${EXTENSION:-}"
+
+# checkout the particular tag we'd like to build
+git checkout client/${VERSION}
+
+# run unit tests
+cd client && make test
+
+# build the binary for the target OS/arch
+LDFLAGS="-X github.com/Azure/aks-secure-tls-bootstrap/client/internal/build.version=${VERSION}"
+make build-prod OS="${OS}" ARCH="${ARCH}" EXTENSION="${EXTENSION}" LDFLAGS="${LDFLAGS}"
+
+BIN_PATH="bin/aks-secure-tls-bootstrap-client-${ARCH}${EXTENSION}"
+if [ ! -f "${BIN_PATH}" ]; then
+    echo "binary ${BIN_PATH} is missing after building with make"
+    exit 1
+fi
+
+# we can only test linux binaries since we're using Ubuntu-based build agents
+if [ "${OS,,}" = "linux" ]; then
+    set +e
+    sudo chmod +x "${BIN_PATH}"
+    HELP_OUTPUT=$(sudo ./${BIN_PATH} -h 2>&1)
+    EXIT_CODE=$?
+    set -e
+
+    if [ $EXIT_CODE -ne 0 ]; then
+        echo "failed to run help command on newly-built binary, exit code: ${EXIT_CODE}"
+        exit 1
+    fi
+    if [[ "${HELP_OUTPUT}" != *"${VERSION}"* ]]; then
+        echo "help command output did not contain expected version string: \"${VERSION}\""
+        exit 1
+    fi
+fi
+
+# move the newly-built binary to the staging directory
+mv "${BIN_PATH}" "${STAGING_DIRECTORY}/aks-secure-tls-bootstrap-client-${ARCH}${EXTENSION}"

.pipelines/client/scripts/common.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+set -euo pipefail
+
+[ -z "${PRIVATE_KEY:-}" ] && echo "PRIVATE_KEY must be set" && exit 1
+[ -z "${CLIENT_ID:-}" ] && echo "CLIENT_ID must be set" && exit 1
+[ -z "${INSTALLATION_ID:-}" ] && echo "INSTALLATION_ID must be set" && exit 1
+
+REPO_NAME="aks-secure-tls-bootstrap"
+
+now=$(date +%s)
+iat=$((${now} - 60)) # issues 60 seconds in the past
+exp=$((${now} + 600)) # expires 10 minutes in the future
+
+b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+header_json='{
+    "typ":"JWT",
+    "alg":"RS256"
+}'
+# encode the JWT header
+header=$(echo -n "${header_json}" | b64enc)
+
+payload_json="{
+    \"iat\":${iat},
+    \"exp\":${exp},
+    \"iss\":\"${CLIENT_ID}\"
+}"
+# encode the JWT payload
+payload=$(echo -n "${payload_json}" | b64enc)
+
+# create the JWT signature
+header_payload="${header}"."${payload}"
+signature=$(
+    openssl dgst -sha256 -sign <(echo -n "${PRIVATE_KEY}") \
+    <(echo -n "${header_payload}") | b64enc
+)
+
+# create the JWT
+jwt="${header_payload}"."${signature}"
+
+# get the installation token
+response=$(curl -X POST -L \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer $jwt" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    -d "{\"repositories\":[\"$REPO_NAME\"]}" \
+    "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens")
+
+token="$(echo $response | jq -r '.token')"
+if [ -z "$token" ] || [ "$token" == "null" ]; then
+    echo "unable to generate installation access token for repository: $REPO_NAME"
+    echo "unable to extract token from GitHub resposne"
+    exit 1
+fi
+
+echo "##vso[task.setvariable variable=GITHUB_TOKEN;issecret=true]$token"
+echo "generated installation access token for repository: $REPO_NAME"

.pipelines/client/scripts/generate-github-token.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+set -euxo pipefail
+
+[ -z "${VERSION:-}" ] && echo "VERSION must be specified" && exit 1
+[ -z "${ARTIFACT_DIRECTORY:-}" ] && echo "ARTIFACT_DIRECTORY must be specified" && exit 1
+
+LINUX_AMD64_PATH="${ARTIFACT_DIRECTORY}/aks-secure-tls-bootstrap-client-amd64"
+LINUX_ARM64_PATH="${ARTIFACT_DIRECTORY}/aks-secure-tls-bootstrap-client-arm64"
+WINDOWS_AMD64_PATH="${ARTIFACT_DIRECTORY}/aks-secure-tls-bootstrap-client-amd64.exe"
+
+REPO_PATH="Azure/aks-secure-tls-bootstrap"
+
+verify_artifacts() {
+    if [ ! -f "${LINUX_AMD64_PATH}" ]; then
+        echo "could not find linux-amd64 client binary artifact at: ${LINUX_AMD64_PATH}"
+        exit 1
+    fi
+    if [ ! -f "${LINUX_ARM64_PATH}" ]; then
+        echo "could not find linux-arm64 client binary artifact at: ${LINUX_ARM64_PATH}"
+        exit 1
+    fi
+    if [ ! -f "${WINDOWS_AMD64_PATH}" ]; then
+        echo "could not find windows-amd64 client binary artifact at: ${WINDOWS_AMD64_PATH}"
+        exit 1
+    fi
+}
+
+create_linux_tarballs() {
+    CLIENT_PATH="aks-secure-tls-bootstrap-client"
+
+    # create linux-amd64 tarball
+    mv "${LINUX_AMD64_PATH}" "${CLIENT_PATH}"
+    LINUX_AMD64_TAR="linux-amd64.tar.gz"
+    tar -czvf "${LINUX_AMD64_TAR}" "${CLIENT_PATH}"
+
+    # cleanup
+    rm -f "${CLIENT_PATH}"
+
+    # create linux-arm64 tarball
+    mv "${LINUX_ARM64_PATH}" "${CLIENT_PATH}"
+    LINUX_ARM64_TAR="linux-arm64.tar.gz"
+    tar -czvf "${LINUX_ARM64_TAR}" "${CLIENT_PATH}"
+
+    # cleanup
+    rm -f "${CLIENT_PATH}"
+}
+
+create_windows_zip_archive() {
+    CLIENT_PATH="aks-secure-tls-bootstrap-client.exe"
+
+    #create windows-amd64 zip archive
+    mv "${WINDOWS_AMD64_PATH}" "${CLIENT_PATH}"
+    WINDOWS_AMD64_ZIP="windows-amd64.zip"
+    zip -r "${WINDOWS_AMD64_ZIP}" "${CLIENT_PATH}"
+
+    # cleanup
+    rm -f "${CLIENT_PATH}"
+}
+
+create_github_release() {
+    TAG_NAME="client/${VERSION}"
+    echo "Creating GitHub release for tag: ${TAG_NAME}"
+            
+    # create the release
+    CREATE_RELEASE_RESPONSE=$(curl -s -X POST \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        -H "Accept: application/vnd.github.v3+json" \
+        -H "Content-Type: application/json" \
+        "https://api.github.com/repos/${REPO_PATH}/releases" \
+        -d "{
+            \"tag_name\": \"${TAG_NAME}\",
+            \"name\": \"${TAG_NAME}\",
+            \"draft\": false,
+            \"prerelease\": false
+        }")
+    RELEASE_ID=$(echo "${CREATE_RELEASE_RESPONSE}" | jq -r '.id')
+    UPLOAD_URL=$(echo "${CREATE_RELEASE_RESPONSE}" | jq -r '.upload_url')
+    UPLOAD_URL="${UPLOAD_URL%\{*}"
+    if [ -z "${RELEASE_ID}" ] || [ "${RELEASE_ID}" = "null" ] || [ -z "${UPLOAD_URL}" ] || [ "${UPLOAD_URL}" = "null" ]; then
+        echo "Failed to create GitHub release. Response:"
+        echo "${CREATE_RELEASE_RESPONSE}"
+        exit 1
+    fi
+    
+    echo "Created GitHub release with ID: ${RELEASE_ID}"
+    
+    # upload artifacts
+    upload_asset "${UPLOAD_URL}" "${LINUX_AMD64_TAR}" "application/gzip"
+    upload_asset "${UPLOAD_URL}" "${LINUX_ARM64_TAR}" "application/gzip"
+    upload_asset "${UPLOAD_URL}" "${WINDOWS_AMD64_ZIP}" "application/zip"
+
+    echo "Successfully created GitHub release for tag: ${TAG_NAME}"
+    echo "Release URL: https://github.com/${REPO_PATH}/releases/tag/${TAG_NAME}"
+}
+
+upload_asset() {
+    local upload_url="$1"
+    local file_path="$2"
+    local content_type="$3"
+    local file_name=$(basename "${file_path}")
+    
+    echo "Uploading asset: ${file_name}"
+    
+    UPLOAD_RESPONSE=$(curl -s -X POST \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        -H "Accept: application/vnd.github.v3+json" \
+        -H "Content-Type: ${content_type}" \
+        "${upload_url}?name=${file_name}" \
+        --data-binary "@${file_path}")
+    
+    # Check if upload was successful
+    if [ "$(echo "${UPLOAD_RESPONSE}" | jq -r '.state')" = "uploaded" ]; then
+        echo "Successfully uploaded: ${file_name}"
+    else
+        echo "Failed to upload asset: ${file_name}. Response:"
+        echo "${UPLOAD_RESPONSE}"
+        exit 1
+    fi
+}
+
+verify_artifacts
+create_linux_tarballs
+create_windows_zip_archive
+create_github_release

.pipelines/client/scripts/github-publish.sh

@@ -2,8 +2,6 @@
 set -euo pipefail
 set +x
 
-source .pipelines/client/scripts/common.sh
-
 TEST_BRANCH="${TEST_BRANCH:-master}"
 ADDITIONAL_VARS="${ADDITIONAL_VARS:-}"
 
@@ -15,6 +13,22 @@ ADDITIONAL_VARS="${ADDITIONAL_VARS:-}"
 
 WAIT_SECONDS=300 # 5 minutes
 
+retrycmd_if_failure() {
+    retries=$1; wait_sleep=$2; shift && shift
+    for i in $(seq 1 $retries); do
+        "${@}" && break || \
+        echo "Failed to execute command \"$@\""
+        if [ $i -eq $retries ]; then
+            echo "ERROR: Exhausted all retries (${i}/${retries})"
+            return 1
+        else
+            echo "$(($retries - $i)) retries remaining"
+            sleep $wait_sleep
+        fi
+    done
+    echo Executed \"$@\" $i times;
+}
+
 main() {
   # retry 3 times, waiting 1 minute between attempts
   retrycmd_if_failure 3 60 runSuite || exit $?