diff --git a/eng/docker-tools/templates/jobs/build-images.yml b/eng/docker-tools/templates/jobs/build-images.yml index db9b4f7fd..025d3c8d0 100644 --- a/eng/docker-tools/templates/jobs/build-images.yml +++ b/eng/docker-tools/templates/jobs/build-images.yml @@ -91,8 +91,6 @@ jobs: --architecture $(architecture) --retry --digests-out-var 'builtImages' - --acr-subscription '${{ parameters.publishConfig.BuildRegistry.subscription }}' - --acr-resource-group '${{ parameters.publishConfig.BuildRegistry.resourceGroup }}' $(manifestVariables) $(imageBuilderBuildArgs) - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self diff --git a/eng/docker-tools/templates/jobs/publish.yml b/eng/docker-tools/templates/jobs/publish.yml index 98e29f4a7..b86ec1ee2 100644 --- a/eng/docker-tools/templates/jobs/publish.yml +++ b/eng/docker-tools/templates/jobs/publish.yml @@ -97,8 +97,6 @@ jobs: internalProjectName: ${{ parameters.internalProjectName }} args: >- copyAcrImages - '${{ parameters.publishConfig.BuildRegistry.subscription }}' - '${{ parameters.publishConfig.BuildRegistry.resourceGroup }}' '${{ parameters.publishConfig.BuildRegistry.repoPrefix }}' '${{ parameters.publishConfig.BuildRegistry.server }}' --os-type '*' diff --git a/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml b/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml index 424f3aaf5..6f3e4995d 100644 --- a/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml +++ b/eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml 
@@ -53,35 +53,44 @@ stages: InternalMirrorRegistry: server: $(acr-staging-test.server) repoPrefix: $(internalMirrorRepoPrefix) - resourceGroup: $(testResourceGroup) - subscription: $(testSubscription) - serviceConnection: - name: $(internal-mirror-test.serviceConnectionName) - id: $(internal-mirror-test.serviceConnection.id) - clientId: $(internal-mirror-test.serviceConnection.clientId) - tenantId: $(testTenant) PublicMirrorRegistry: server: $(public-mirror.server) repoPrefix: $(publicMirrorRepoPrefix) - resourceGroup: $(public-mirror.resourceGroup) - subscription: $(public-mirror.subscription) - serviceConnection: - name: $(public-mirror.serviceConnectionName) - id: $(public-mirror.serviceConnection.id) - tenantId: $(public-mirror.serviceConnection.tenantId) - clientId: $(public-mirror.serviceConnection.clientId) BuildRegistry: server: $(acr-staging-test.server) - resourceGroup: $(testResourceGroup) - subscription: $(testSubscription) repoPrefix: "${{ parameters.stagingRepoPrefix }}${{ parameters.sourceBuildPipelineRunId }}/" - serviceConnection: - name: $(build-test.serviceConnectionName) - id: $(build-test.serviceConnection.id) - clientId: $(build-test.serviceConnection.clientId) - tenantId: $(testTenant) + + PublishRegistry: + server: $(acr-test.server) + repoPrefix: "${{ parameters.publishRepoPrefix }}" + + RegistryAuthentication: + - server: $(acr-staging-test.server) + resourceGroup: $(testResourceGroup) + subscription: $(testSubscription) + serviceConnection: + name: $(build-test.serviceConnectionName) + id: $(build-test.serviceConnection.id) + clientId: $(build-test.serviceConnection.clientId) + tenantId: $(testTenant) + - server: $(public-mirror.server) + resourceGroup: $(public-mirror.resourceGroup) + subscription: $(public-mirror.subscription) + serviceConnection: + name: $(public-mirror.serviceConnectionName) + id: $(public-mirror.serviceConnection.id) + tenantId: $(public-mirror.serviceConnection.tenantId) + clientId: 
$(public-mirror.serviceConnection.clientId) + - server: $(acr-test.server) + resourceGroup: $(testResourceGroup) + subscription: $(testSubscription) + serviceConnection: + name: $(publish-test.serviceConnectionName) + id: $(publish-test.serviceConnection.id) + clientId: $(publish-test.serviceConnection.clientId) + tenantId: $(testTenant) cleanServiceConnection: name: $(clean-test.serviceConnectionName) @@ -94,14 +103,3 @@ stages: id: $(test-nonprod.serviceConnection.id) clientId: $(test-nonprod.serviceConnection.clientId) tenantId: $(testTenant) - - PublishRegistry: - server: $(acr-test.server) - resourceGroup: $(testResourceGroup) - subscription: $(testSubscription) - repoPrefix: "${{ parameters.publishRepoPrefix }}" - serviceConnection: - name: $(publish-test.serviceConnectionName) - id: $(publish-test.serviceConnection.id) - clientId: $(publish-test.serviceConnection.clientId) - tenantId: $(testTenant) diff --git a/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml b/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml index 7f9a4e007..24746b3ae 100644 --- a/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml +++ b/eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml 
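Review bot: The new `RegistryAuthentication` list has a single entry for `$(acr-staging-test.server)`, bound to the `build-test` service connection, so the `internal-mirror-test` connection that `InternalMirrorRegistry` carried before is no longer referenced in this file section. If internal-mirror operations now authenticate as the build identity, that identity needs whatever rights the mirror identity held on the staging ACR; it is worth confirming the role assignments stay as narrow as before and that the now-unused connection is retired. The publish-config-prod.yml hunk makes the same consolidation (`internal-mirror` dropped, `build` kept for `$(acr-staging.server)`). A comment above the list would record why each server appears once, e.g. `# One entry per registry server: two service connections for the same ACR can break auth (dotnet/docker-tools#1914)`.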
@@ -53,35 +53,44 @@ stages: InternalMirrorRegistry: server: $(acr-staging.server) repoPrefix: $(internalMirrorRepoPrefix) - resourceGroup: $(acr-staging.resourceGroup) - subscription: $(acr-staging.subscription) - serviceConnection: - name: $(internal-mirror.serviceConnectionName) - id: $(internal-mirror.serviceConnection.id) - clientId: $(internal-mirror.serviceConnection.clientId) - tenantId: $(internal-mirror.serviceConnection.tenantId) PublicMirrorRegistry: server: $(public-mirror.server) repoPrefix: $(publicMirrorRepoPrefix) - resourceGroup: $(public-mirror.resourceGroup) - subscription: $(public-mirror.subscription) - serviceConnection: - name: $(public-mirror.serviceConnectionName) - id: $(public-mirror.serviceConnection.id) - tenantId: $(public-mirror.serviceConnection.tenantId) - clientId: $(public-mirror.serviceConnection.clientId) BuildRegistry: server: $(acr-staging.server) - resourceGroup: $(acr-staging.resourceGroup) - subscription: $(acr-staging.subscription) repoPrefix: "${{ parameters.stagingRepoPrefix }}${{ parameters.sourceBuildPipelineRunId }}/" - serviceConnection: - name: $(build.serviceConnectionName) - id: $(build.serviceConnection.id) - clientId: $(build.serviceConnection.clientId) - tenantId: $(build.serviceConnection.tenantId) + + PublishRegistry: + server: $(acr.server) + repoPrefix: "${{ parameters.publishRepoPrefix }}" + + RegistryAuthentication: + - server: $(acr-staging.server) + resourceGroup: $(acr-staging.resourceGroup) + subscription: $(acr-staging.subscription) + serviceConnection: + name: $(build.serviceConnectionName) + id: $(build.serviceConnection.id) + clientId: $(build.serviceConnection.clientId) + tenantId: $(build.serviceConnection.tenantId) + - server: $(public-mirror.server) + resourceGroup: $(public-mirror.resourceGroup) + subscription: $(public-mirror.subscription) + serviceConnection: + name: $(public-mirror.serviceConnectionName) + id: $(public-mirror.serviceConnection.id) + tenantId: 
$(public-mirror.serviceConnection.tenantId) + clientId: $(public-mirror.serviceConnection.clientId) + - server: $(acr.server) + resourceGroup: $(acr.resourceGroup) + subscription: $(acr.subscription) + serviceConnection: + name: $(publish.serviceConnectionName) + id: $(publish.serviceConnection.id) + clientId: $(publish.serviceConnection.clientId) + tenantId: $(publish.serviceConnection.tenantId) cleanServiceConnection: name: $(clean.serviceConnectionName) @@ -94,14 +103,3 @@ stages: id: $(test.serviceConnection.id) clientId: $(test.serviceConnection.clientId) tenantId: $(test.serviceConnection.tenantId) - - PublishRegistry: - server: $(acr.server) - resourceGroup: $(acr.resourceGroup) - subscription: $(acr.subscription) - repoPrefix: "${{ parameters.publishRepoPrefix }}" - serviceConnection: - name: $(publish.serviceConnectionName) - id: $(publish.serviceConnection.id) - clientId: $(publish.serviceConnection.clientId) - tenantId: $(publish.serviceConnection.tenantId) diff --git a/eng/docker-tools/templates/stages/setup-service-connections.yml b/eng/docker-tools/templates/stages/setup-service-connections.yml index 2ef74e90c..405bc703a 100644 --- a/eng/docker-tools/templates/stages/setup-service-connections.yml +++ b/eng/docker-tools/templates/stages/setup-service-connections.yml @@ -3,6 +3,10 @@ # it is declared in this stage's parameters, even if your pipeline has already # been granted access to the service connection. This stage also does not need # to complete before the service connection is used. +# +# There are two ways to specify service connections: +# - Pass `serviceConnections` directly (list of {name: string} objects) +# - Pass `publishConfig` + `registries` to look up auth from RegistryAuthentication parameters: - name: pool type: object 
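Review bot: The header comment added to setup-service-connections.yml tells callers to pass `publishConfig` + `registries`, but the parameter declared in the next hunk of this file is `usesRegistries`, and every caller changed in this commit passes `usesRegistries`. A reader following the comment would supply a parameter the template does not declare, and the registry connections would not be set up. Suggested wording: `#   - Pass publishConfig + usesRegistries to look up auth from RegistryAuthentication`.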
@@ -10,14 +14,26 @@ parameters: name: $(default1ESInternalPoolName) image: $(default1ESInternalPoolImage) os: linux -# serviceConnections object shape: -# - name: string + +# Explicit list of service connections to initialize +# Shape: [{ name: string }] - name: serviceConnections type: object default: [] -stages: +# List of registry servers that need authentication. These will be looked up in +# publishConfig.RegistryAuthentication. +# Make sure to provide the publishConfig parameter. +- name: usesRegistries + type: object + default: [] +# Look up service connections from publishConfig based on registries +# The publish configuration containing RegistryAuthentication entries. +- name: publishConfig + type: object + default: {} +stages: - stage: SetupServiceConnectionsStage displayName: Setup service connections jobs: @@ -27,6 +43,8 @@ stages: pool: ${{ parameters.pool }} steps: - checkout: none + + # Direct service connections list - ${{ each serviceConnection in parameters.serviceConnections }}: - task: AzureCLI@2 displayName: Setup ${{ serviceConnection.name }} @@ -36,3 +54,15 @@ stages: scriptLocation: inlineScript inlineScript: | az account show + + # Setup registry service connections + - ${{ if gt(length(parameters.usesRegistries), 0) }}: + - ${{ each auth in parameters.publishConfig.RegistryAuthentication }}: + - ${{ if containsValue(parameters.usesRegistries, auth.server) }}: + - task: AzureCLI@2 + displayName: Setup ${{ auth.serviceConnection.name }} + inputs: + azureSubscription: ${{ auth.serviceConnection.name }} + scriptType: pscore + scriptLocation: inlineScript + inlineScript: az account show diff --git a/eng/docker-tools/templates/steps/copy-base-images.yml b/eng/docker-tools/templates/steps/copy-base-images.yml index 0e9e09f68..6664c8f9a 100644 --- a/eng/docker-tools/templates/steps/copy-base-images.yml +++ b/eng/docker-tools/templates/steps/copy-base-images.yml 
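Review bot: A server listed in `usesRegistries` that has no matching `RegistryAuthentication` entry yields no step and no error in the added `each` / `containsValue` block, so a missing or mistyped entry would only surface later as an authentication failure in whichever stage uses that registry. The comparison also runs at template-expansion time, where values such as `$(acr-staging.server)` are presumably still unexpanded macro text, so the match is on the literal expression rather than on the resolved hostname. Both behaviours deserve a comment above the block, e.g. `# Servers are matched as written in publishConfig (unexpanded $(var) text); a server with no RegistryAuthentication entry is skipped silently`. The enclosing `steps:` list begins outside this hunk.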
@@ -3,8 +3,6 @@ parameters: type: object default: server: "" - subscription: "" - resourceGroup: "" repoPrefix: "" - name: additionalOptions type: string @@ -29,8 +27,6 @@ steps: # error args: >- copyBaseImages - '${{ parameters.acr.subscription }}' - '${{ parameters.acr.resourceGroup }}' $(dockerHubRegistryCreds) $(customCopyBaseImagesArgs) --repo-prefix '${{ parameters.acr.repoPrefix }}' diff --git a/eng/docker-tools/templates/variables/docker-images.yml b/eng/docker-tools/templates/variables/docker-images.yml index b93270353..e0eaaff9d 100644 --- a/eng/docker-tools/templates/variables/docker-images.yml +++ b/eng/docker-tools/templates/variables/docker-images.yml @@ -1,5 +1,5 @@ variables: - imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2887966 + imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2894609 imageNames.imageBuilder: $(imageNames.imageBuilderName) imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId) imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner diff --git a/eng/pipelines/templates/stages/build-test-publish.yml b/eng/pipelines/templates/stages/build-test-publish.yml index 043b49a06..d6705e0ae 100644 --- a/eng/pipelines/templates/stages/build-test-publish.yml +++ b/eng/pipelines/templates/stages/build-test-publish.yml 
@@ -39,12 +39,12 @@ stages: - ${{ if ne(variables['Build.Reason'], 'PullRequest') }}: - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self parameters: - serviceConnections: - - name: ${{ parameters.publishConfig.InternalMirrorRegistry.serviceConnection.name }} - - name: ${{ parameters.publishConfig.BuildRegistry.serviceConnection.name }} - - name: ${{ parameters.publishConfig.PublishRegistry.serviceConnection.name }} - - ${{ each serviceConnection in parameters.additionalServiceConnections }}: - - name: ${{ serviceConnection.name }} + publishConfig: ${{ parameters.publishConfig }} + usesRegistries: + - ${{ parameters.publishConfig.BuildRegistry.server }} + - ${{ parameters.publishConfig.PublishRegistry.server }} + - ${{ parameters.publishConfig.InternalMirrorRegistry.server }} + serviceConnections: ${{ parameters.additionalServiceConnections }} - template: /eng/docker-tools/templates/stages/dotnet/build-test-publish-repo.yml@self parameters: diff --git a/eng/pipelines/templates/stages/check-base-image-updates.yml b/eng/pipelines/templates/stages/check-base-image-updates.yml index 0ebfc8598..0e8596414 100644 --- a/eng/pipelines/templates/stages/check-base-image-updates.yml +++ b/eng/pipelines/templates/stages/check-base-image-updates.yml 
@@ -16,15 +16,10 @@ parameters: stages: - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self parameters: - serviceConnections: - - name: ${{ parameters.publishConfig.InternalMirrorRegistry.serviceConnection.name }} - # Workaround for https://github.com/dotnet/docker-tools/issues/1914: - # "ACR authentication can fail when using two different service connections for the same ACR" - # Both InternalMirrorRegistry and BuildRegistry point to the same ACR, but - # have different service connections. BuildRegistry is listed first in the - # publish config, so we have to declare it here since it will be used for - # ACR authentication. - - name: ${{ parameters.publishConfig.BuildRegistry.serviceConnection.name }} + publishConfig: ${{ parameters.publishConfig }} + usesRegistries: + - ${{ parameters.publishConfig.InternalMirrorRegistry.server }} + - ${{ parameters.publishConfig.BuildRegistry.server }} - stage: CheckBaseImages displayName: Check Base Images diff --git a/eng/pipelines/templates/stages/mirror-base-images.yml b/eng/pipelines/templates/stages/mirror-base-images.yml index cc0341d7a..a1882915a 100644 --- a/eng/pipelines/templates/stages/mirror-base-images.yml +++ b/eng/pipelines/templates/stages/mirror-base-images.yml @@ -21,8 +21,9 @@ parameters: stages: - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self parameters: - serviceConnections: - - name: ${{ parameters.publishConfig.PublicMirrorRegistry.serviceConnection.name }} + publishConfig: ${{ parameters.publishConfig }} + usesRegistries: + - ${{ parameters.publishConfig.PublicMirrorRegistry.server }} - stage: MirrorBaseImages displayName: Mirror Base Images