From 6868c04ff917ec1b44756ba4c7dca4685e0b1453 Mon Sep 17 00:00:00 2001
From: Spencer Gilbert
Date: Fri, 28 Feb 2025 03:15:12 -0500
Subject: [PATCH] [BARX-792] Provide FedRAMP compliant images for agent and dca FIPS images (#34540)
---
 .../internal_image_deploy.yml | 55 +++++++++++++++++--
 1 file changed, 51 insertions(+), 4 deletions(-)
diff --git a/.gitlab/internal_image_deploy/internal_image_deploy.yml b/.gitlab/internal_image_deploy/internal_image_deploy.yml
index 3418e7cb872d5..8368813194ac1 100644
--- a/.gitlab/internal_image_deploy/internal_image_deploy.yml
+++ b/.gitlab/internal_image_deploy/internal_image_deploy.yml
@@ -14,7 +14,7 @@ docker_trigger_internal:
tags: ["arch:amd64"]
variables:
DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
- IMAGE_VERSION: tmpl-v11
+ IMAGE_VERSION: tmpl-v12
IMAGE_NAME: datadog-agent
RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-jmx
BUILD_TAG: ${CI_COMMIT_REF_SLUG}-jmx
@@ -60,7 +60,7 @@ docker_trigger_internal-fips:
tags: ["arch:amd64"]
variables:
DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
- IMAGE_VERSION: tmpl-v11
+ IMAGE_VERSION: tmpl-v12
IMAGE_NAME: datadog-agent
RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-fips-jmx
BUILD_TAG: ${CI_COMMIT_REF_SLUG}-fips-jmx
@@ -106,7 +106,7 @@ docker_trigger_internal-ot:
tags: ["arch:amd64"]
variables:
DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
- IMAGE_VERSION: tmpl-v11
+ IMAGE_VERSION: tmpl-v12
IMAGE_NAME: datadog-agent
RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-ot-beta-jmx
BUILD_TAG: ${CI_COMMIT_REF_SLUG}-ot-beta-jmx
@@ -152,7 +152,7 @@ docker_trigger_cluster_agent_internal:
tags: ["arch:amd64"]
variables:
DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
- IMAGE_VERSION: tmpl-v5
+ IMAGE_VERSION: tmpl-v6
IMAGE_NAME: datadog-cluster-agent
RELEASE_TAG: ${CI_COMMIT_REF_SLUG}
BUILD_TAG: ${CI_COMMIT_REF_SLUG}
@@ -186,3 +186,50 @@ docker_trigger_cluster_agent_internal:
--variable TARGET_ENV
--variable DYNAMIC_BUILD_RENDER_TARGET_FORWARD_PARAMETERS"
retry: 2
+
+docker_trigger_cluster_agent_internal-fips:
+ stage: internal_image_deploy
+ rules: !reference [.on_deploy_internal_or_manual]
+ needs:
+ - job: docker_build_cluster_agent_fips_amd64
+ artifacts: false
+ - job: docker_build_cluster_agent_fips_arm64
+ artifacts: false
+ image: registry.ddbuild.io/ci/datadog-agent-buildimages/deb_x64$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+ tags: ["arch:amd64"]
+ variables:
+ DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
+ IMAGE_VERSION: tmpl-v6
+ IMAGE_NAME: datadog-cluster-agent
+ RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-fips
+ BUILD_TAG: ${CI_COMMIT_REF_SLUG}-fips
+ TMPL_SRC_IMAGE: v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips
+ TMPL_SRC_REPO: ci/datadog-agent/cluster-agent
+ RELEASE_STAGING: "true"
+ RELEASE_PROD: "true"
+ script:
+ - GITLAB_TOKEN=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $GITLAB_TOKEN write_api) || exit $?; export GITLAB_TOKEN
+ - if [ "$BUCKET_BRANCH" = "beta" ] || [ "$BUCKET_BRANCH" = "stable" ]; then TMPL_SRC_REPO="${TMPL_SRC_REPO}-release"; fi
+ - |
+ if [ "$BUCKET_BRANCH" = "nightly" ]; then
+ RELEASE_TAG="${RELEASE_TAG}-${CI_COMMIT_SHORT_SHA}"
+ TMPL_SRC_REPO="${TMPL_SRC_REPO}-nightly"
+ fi
+ - if [ "$BUCKET_BRANCH" = "dev" ]; then RELEASE_TAG="dev-${RELEASE_TAG}-${CI_COMMIT_SHORT_SHA}"; fi
+ - "inv pipeline.trigger-child-pipeline --project-name DataDog/images --git-ref master --timeout 3600
+ --variable IMAGE_VERSION
+ --variable IMAGE_NAME
+ --variable RELEASE_TAG
+ --variable BUILD_TAG
+ --variable TMPL_SRC_IMAGE
+ --variable TMPL_SRC_REPO
+ --variable RELEASE_STAGING
+ --variable RELEASE_PROD
+ --variable DYNAMIC_BUILD_RENDER_RULES
+ --variable APPS
+ --variable BAZEL_TARGET
+ --variable DDR
+ --variable DDR_WORKFLOW_ID
+ --variable TARGET_ENV
+ --variable DYNAMIC_BUILD_RENDER_TARGET_FORWARD_PARAMETERS"
+ retry: 2
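Review bot: The new `docker_trigger_cluster_agent_internal-fips` job repeats `docker_trigger_cluster_agent_internal` almost line for line — stage, rules, image, tags, the entire token-fetch-and-trigger script and most variables — so the two copies will drift, and this commit itself shows the cost: `IMAGE_VERSION` had to be bumped by hand in four separate trigger jobs. Using `extends: docker_trigger_cluster_agent_internal` and overriding only `needs` and the fips-specific tags keeps a single copy of the script; `extends` replaces the `needs` list and merges the `variables` mapping, which is what is wanted here. The head of the base job is outside this hunk, so if its `TMPL_SRC_REPO`, `RELEASE_STAGING` or `RELEASE_PROD` differ from the values added here, those keys belong in the override as well. Either way, a short comment above the job, `# FIPS variant of docker_trigger_cluster_agent_internal: keep IMAGE_VERSION and script in sync`, would help whoever does the next template bump.
```yaml
docker_trigger_cluster_agent_internal-fips:
  extends: docker_trigger_cluster_agent_internal
  needs:
    - job: docker_build_cluster_agent_fips_amd64
      artifacts: false
    - job: docker_build_cluster_agent_fips_arm64
      artifacts: false
  variables:
    RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-fips
    BUILD_TAG: ${CI_COMMIT_REF_SLUG}-fips
    TMPL_SRC_IMAGE: v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips
  # … unchanged: stage, rules, image, tags, script and retry are inherited from the base job …
```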