
PRSQRL and Patient Portal


Introduction

Azure DevOps is a Microsoft product used by Orchard Molecular to facilitate its Agile development process. It provides version control, reporting, and project management as well as automated building, testing, and deployment.

Orchard's Azure platform is hosted on Microsoft's US East region servers.

Azure Pipeline Agent

Azure Pipeline Agents are used for building and deploying Orchard Molecular software packages such as PRSQRL and Patient Portal. During deployment, the agent not only downloads code updates but can also restart the web server (Microsoft IIS) and perform other administrative tasks as necessary.

Installation

One or more Azure Pipeline Agents are installed on the application server by executing a PowerShell script provided within DevOps. The script downloads and installs the agent from the URL below, or a similar one.

The number of agents installed depends on the number of sites hosted on a particular server. There is one agent per site: production, stage, or development.

Connectivity with DevOps

The following information was taken directly from Microsoft documentation, which can be found at the following URL.

The agent communicates with Azure Pipelines or Azure DevOps Server to determine which job it needs to run, and to report the logs and job status. This communication is always initiated by the agent. All the messages from the agent to Azure Pipelines or Azure DevOps Server happen over HTTP or HTTPS, depending on how you configure the agent. This pull model allows the agent to be configured in different topologies as shown below. 



Here is a common communication pattern between the agent and Azure Pipelines or Azure DevOps Server.

  1. The user registers an agent with Azure Pipelines or Azure DevOps Server by adding it to an agent pool. You need to be an agent pool administrator to register an agent in that agent pool. The identity of an agent pool administrator is needed only at the time of registration and is not persisted on the agent, nor is it used in any further communication between the agent and Azure Pipelines or Azure DevOps Server. Once the registration is complete, the agent downloads a listener OAuth token and uses it to listen to the job queue. 

  2. The agent listens to see if a new job request has been posted for it in the job queue in Azure Pipelines/Azure DevOps Server using an HTTP long poll. When a job is available, the agent downloads the job as well as a job-specific OAuth token. This token is generated by Azure Pipelines/Azure DevOps Server for the scoped identity specified in the pipeline. That token is short lived and is used by the agent to access resources (for example, source code) or modify resources (for example, upload test results) on Azure Pipelines or Azure DevOps Server within that job.

  3. After the job is completed, the agent discards the job-specific OAuth token and goes back to checking if there is a new job request using the listener OAuth token.

The payload of the messages exchanged between the agent and Azure Pipelines/Azure DevOps Server is secured using asymmetric encryption. Each agent has a public-private key pair, and the public key is exchanged with the server during registration. The server uses the public key to encrypt the payload of the job before sending it to the agent. The agent decrypts the job content using its private key. This is how secrets stored in pipelines or variable groups are secured as they are exchanged with the agent.

The URL used by the agent to communicate with DevOps is below.


Data Collection

Certain system data is collected by the Azure Pipeline Agent and stored in DevOps. In DevOps, these are referred to as capabilities. Capabilities are used to ensure that deployment jobs are sent to the proper agents. Some capabilities can be excluded so that they are neither sent to nor stored in DevOps. This is done by setting the VSO_AGENT_IGNORE environment variable to a comma-delimited list of variables to ignore. For example, PATH is a critical variable that you might want to ignore if you're installing software.
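The following PowerShell is an added example; it is not code from this page or from Microsoft's agent documentation. It sets VSO_AGENT_IGNORE at machine scope with a comma-delimited list (PATH, as named above, plus TEMP and TMP as constructed additions), reads the value back to confirm the format, and restarts the installed agent services so the trimmed capability list is reported the next time each agent connects to DevOps. The 'vstsagent.*' service-name pattern is the one the Windows agent installer uses; confirm it on the host before relying on it.

```powershell
# Added example (not from the page or from Microsoft's agent docs): withhold
# selected environment variables from the capabilities an agent reports.
# Assumption: the agent runs as a Windows service and reads machine-scope
# environment variables at start-up, so it must be restarted after the change.

# Variables to exclude from the capability list. PATH is the one the page
# names; TEMP and TMP are constructed examples of additional values an
# operator may prefer not to publish to DevOps.
$ignored = @('PATH', 'TEMP', 'TMP')

# Persist the setting at machine scope so the agent service picks it up.
[Environment]::SetEnvironmentVariable('VSO_AGENT_IGNORE', ($ignored -join ','), 'Machine')

# Read it back to confirm the comma-delimited form the agent expects.
$current = [Environment]::GetEnvironmentVariable('VSO_AGENT_IGNORE', 'Machine')
Write-Host "VSO_AGENT_IGNORE = $current"

# Restart every installed agent service (one per hosted site) so the new
# capability list is sent on the next connection to DevOps. The service
# name prefix 'vstsagent.' is the one the Windows installer uses (assumption:
# verify with Get-Service on the host).
$agents = Get-Service -Name 'vstsagent.*' -ErrorAction SilentlyContinue
if (-not $agents) {
    Write-Warning 'No Azure Pipeline Agent services found on this host.'
}
foreach ($svc in $agents) {
    Write-Host "Restarting $($svc.Name) (current status: $($svc.Status))"
    Restart-Service -Name $svc.Name
}
```

Run this in an elevated session on the application server; SetEnvironmentVariable at Machine scope and Restart-Service both require administrator rights. After the restart, the agent's capabilities view in DevOps should no longer list the excluded variables.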

These capabilities are transmitted to DevOps over HTTPS using TLS 1.2.

An example of the data collected by the Azure DevOps agent.

