Work around Spinnaker issue wrt variables (#465)

* Work around Spinnaker issue wrt variables

Cloud Build variable references need to stay away from the ${var} pattern
to prevent Spinnaker from trying to resolve them. In all files that
are used by Spinnaker, we change variable references to the $var form.

We made the minimum amount of change possible, and will review this
issue after the permanent solution is available.
Weimin Yu 2020-01-30 13:28:36 -05:00 committed by GitHub
parent af8ef38b0a
commit 0c8df9d89b
4 changed files with 55 additions and 26 deletions


@ -12,16 +12,23 @@
# #
# To trigger a build automatically, follow the instructions below and add a trigger: # To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# Note: to work around issue in Spinnaker's 'Deployment Manifest' stage,
# variable references must avoid the ${var} format. Valid formats include
# $var or ${"${var}"}. This file use the former. Since TAG_NAME and _ENV are
# expanded in the copies sent to Spinnaker, we preserve the brackets around
# them for safe pattern matching during release.
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
steps: steps:
# Pull the credential for nomulus tool. # Pull the credential for nomulus tool.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
args: args:
- gsutil - gsutil
- cp - cp
- gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc - gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc
- . - .
# Decrypt the credential. # Decrypt the credential.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
entrypoint: /bin/bash entrypoint: /bin/bash
args: args:
- -c - -c
@ -31,7 +38,7 @@ steps:
--ciphertext-file=- --plaintext-file=tool-credential.json \ --ciphertext-file=- --plaintext-file=tool-credential.json \
--location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
# Deploy the Spec11 pipeline to GCS. # Deploy the Spec11 pipeline to GCS.
- name: 'gcr.io/${PROJECT_ID}/nomulus-tool:latest' - name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
args: args:
- -e - -e
- ${_ENV} - ${_ENV}
@ -39,7 +46,7 @@ steps:
- tool-credential.json - tool-credential.json
- deploy_spec11_pipeline - deploy_spec11_pipeline
# Deploy the invoicing pipeline to GCS. # Deploy the invoicing pipeline to GCS.
- name: 'gcr.io/${PROJECT_ID}/nomulus-tool:latest' - name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
args: args:
- -e - -e
- ${_ENV} - ${_ENV}
@ -49,18 +56,18 @@ steps:
# Save the deployed tag for the current environment on GCS. Because of b/137891685 # Save the deployed tag for the current environment on GCS. Because of b/137891685
# which causes the for-loop in the next step to fail, this may not be the last step. # which causes the for-loop in the next step to fail, this may not be the last step.
# TODO(weiminyu): do this in last step. # TODO(weiminyu): do this in last step.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
entrypoint: /bin/bash entrypoint: /bin/bash
args: args:
- -c - -c
- | - |
set -e set -e
echo ${TAG_NAME} | \ echo ${TAG_NAME} | \
gsutil cp - gs://${PROJECT_ID}-deployed-tags/nomulus.${_ENV}.tag gsutil cp - gs://$PROJECT_ID-deployed-tags/nomulus.${_ENV}.tag
# Deploy the GAE config files. # Deploy the GAE config files.
# First authorize the gcloud tool to use the credential json file, then # First authorize the gcloud tool to use the credential json file, then
# download and unzip the tarball that contains the relevant config files # download and unzip the tarball that contains the relevant config files
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
entrypoint: /bin/bash entrypoint: /bin/bash
args: args:
- -c - -c
@ -72,13 +79,13 @@ steps:
else else
project_id="domain-registry-${_ENV}" project_id="domain-registry-${_ENV}"
fi fi
gsutil cp gs://${PROJECT_ID}-deploy/${TAG_NAME}/${_ENV}.tar . gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/${_ENV}.tar .
tar -xvf ${_ENV}.tar tar -xvf ${_ENV}.tar
# Note that this currently does not work for google.com projects that # Note that this currently does not work for google.com projects that
# we use due to b/137891685. External projects are likely to work. # we use due to b/137891685. External projects are likely to work.
for filename in cron dispatch dos index queue; do for filename in cron dispatch dos index queue; do
gcloud -q --project ${project_id} app deploy \ gcloud -q --project $project_id app deploy \
default/WEB-INF/appengine-generated/${filename}.yaml default/WEB-INF/appengine-generated/$filename.yaml
done done
timeout: 3600s timeout: 3600s
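Review bot: In the `for filename in cron dispatch dos index queue` loop of the last step, `$project_id` and `$filename` are bash variables rather than Cloud Build substitutions, and once unbraced only their case distinguishes them from `$PROJECT_ID`. They are also left unquoted; I would write `gcloud -q --project "$project_id" app deploy \` and `"default/WEB-INF/appengine-generated/$filename.yaml"`, and add `# project_id and filename are shell variables; unbraced only because of the Spinnaker workaround.` above the loop. The values come from a fixed list and from `_ENV`, so this is about readability and shell hygiene rather than a live bug. The script for this step begins outside the visible hunk.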


@ -15,14 +15,22 @@
# #
# Note that the release process hardens the tags and variables in this file: # Note that the release process hardens the tags and variables in this file:
# - The 'latest' tag on docker images will be replaced by their image digests. # - The 'latest' tag on docker images will be replaced by their image digests.
# - The ${TAG_NAME} pattern will be replaced by the acutal release tag. # - The ${TAG_NAME} pattern will be replaced by the actual release tag.
# - The ${_ENV} pattern will be replaced by the actual environment name.
# Please refer to ./cloudbuild-release.yaml for more details. # Please refer to ./cloudbuild-release.yaml for more details.
# Note 2: to work around issue in Spinnaker's 'Deployment Manifest' stage,
# variable references must avoid the ${var} format. Valid formats include
# $var or ${"${var}"}. This file use the former. Since TAG_NAME and _ENV are
# expanded in the copies sent to Spinnaker, we preserve the brackets around
# them for safe pattern matching during release.
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
steps: steps:
# Download and decrypt the nomulus tool credential, which has the privilege to # Download and decrypt the nomulus tool credential, which has the privilege to
# start Cloud SQL proxy to all environments. # start Cloud SQL proxy to all environments.
# Also download and decrypt the admin_credential file, which has the cloud # Also download and decrypt the admin_credential file, which has the cloud
# instance name and database login name and password. # instance name and database login name and password.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
volumes: volumes:
- name: 'secrets' - name: 'secrets'
path: '/secrets' path: '/secrets'
@ -31,13 +39,13 @@ steps:
- -c - -c
- | - |
set -e set -e
gsutil cp gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc - \ gsutil cp gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc - \
| base64 -d \ | base64 -d \
| gcloud kms decrypt \ | gcloud kms decrypt \
--ciphertext-file=- \ --ciphertext-file=- \
--plaintext-file=/secrets/cloud_sql_credential.json \ --plaintext-file=/secrets/cloud_sql_credential.json \
--location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
gsutil cp gs://${PROJECT_ID}-deploy/cloudsql-credentials/${_ENV}/admin_credential.enc - \ gsutil cp gs://$PROJECT_ID-deploy/cloudsql-credentials/${_ENV}/admin_credential.enc - \
| base64 -d \ | base64 -d \
| gcloud kms decrypt \ | gcloud kms decrypt \
--ciphertext-file=- \ --ciphertext-file=- \
@ -45,7 +53,7 @@ steps:
--location global --keyring=nomulus-tool-keyring \ --location global --keyring=nomulus-tool-keyring \
--key=nomulus-tool-key --key=nomulus-tool-key
# Download the schema jar to be deployed. # Download the schema jar to be deployed.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
volumes: volumes:
- name: 'flyway' - name: 'flyway'
path: '/flyway/jars' path: '/flyway/jars'
@ -54,10 +62,10 @@ steps:
- -c - -c
- | - |
set -e set -e
gsutil cp gs://domain-registry-dev-deploy/${TAG_NAME}/schema.jar \ gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/schema.jar \
/flyway/jars /flyway/jars
# Deploy SQL schema # Deploy SQL schema
- name: 'gcr.io/${PROJECT_ID}/schema_deployer:latest' - name: 'gcr.io/$PROJECT_ID/schema_deployer:latest'
volumes: volumes:
- name: 'secrets' - name: 'secrets'
path: '/secrets' path: '/secrets'
@ -68,14 +76,14 @@ steps:
# location. Do not use the 'artifacts' section for this since it will # location. Do not use the 'artifacts' section for this since it will
# upload an extra metadata file every time and pollute the folder. # upload an extra metadata file every time and pollute the folder.
# TODO(weiminyu): modify this step so that TAG_NAME may be 'live'. # TODO(weiminyu): modify this step so that TAG_NAME may be 'live'.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
entrypoint: /bin/bash entrypoint: /bin/bash
args: args:
- -c - -c
- | - |
set -e set -e
echo ${TAG_NAME} | \ echo ${TAG_NAME} | \
gsutil cp - gs://${PROJECT_ID}-deployed-tags/sql.${_ENV}.tag\ gsutil cp - gs://$PROJECT_ID-deployed-tags/sql.${_ENV}.tag\
timeout: 3600s timeout: 3600s
options: options:
machineType: 'N1_HIGHCPU_8' machineType: 'N1_HIGHCPU_8'
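Review bot: The schema-jar download step changes more than variable syntax: the source bucket goes from the hard-coded `gs://domain-registry-dev-deploy/${TAG_NAME}/schema.jar` to `gs://$PROJECT_ID-deploy/${TAG_NAME}/schema.jar`, so the jar that the schema deployer applies now comes from whichever project runs the build. The commit message describes only the `${var}` to `$var` rewrite, so this change should be called out there. A comment above the step would also help, e.g. `# The schema jar is read from the release bucket of the project running this build.` Whether every project that runs this file has that bucket populated is not visible on this page and is worth confirming before the next release.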


@ -9,16 +9,23 @@
# #
# To trigger a build automatically, follow the instructions below and add a trigger: # To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# Note: to work around issue in Spinnaker's 'Deployment Manifest' stage,
# variable references must avoid the ${var} format. Valid formats include
# $var or ${"${var}"}. This file use the former. Since TAG_NAME is
# expanded in the copies sent to Spinnaker, we preserve the brackets around
# them for safe pattern matching during release.
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
steps: steps:
# Rsync the folder. # Rsync the folder.
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
args: args:
- gsutil - gsutil
- -m - -m
- rsync - rsync
- -d - -d
- gs://${PROJECT_ID}-deploy/${TAG_NAME} - gs://$PROJECT_ID-deploy/${TAG_NAME}
- gs://${PROJECT_ID}-deploy/live - gs://$PROJECT_ID-deploy/live
timeout: 3600s timeout: 3600s
options: options:
machineType: 'N1_HIGHCPU_8' machineType: 'N1_HIGHCPU_8'


@ -11,15 +11,22 @@
# #
# To trigger a build automatically, follow the instructions below and add a trigger: # To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# Note: to work around issue in Spinnaker's 'Deployment Manifest' stage,
# variable references must avoid the ${var} format. Valid formats include
# $var or ${"${var}"}. This file use the former. Since TAG_NAME is
# expanded in the copies sent to Spinnaker, we preserve the brackets around
# them for safe pattern matching during release.
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
steps: steps:
- name: 'gcr.io/${PROJECT_ID}/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
args: args:
- gcloud - gcloud
- container - container
- images - images
- add-tag - add-tag
- gcr.io/${PROJECT_ID}/${_IMAGE}:${TAG_NAME} - gcr.io/$PROJECT_ID/${_IMAGE}:${TAG_NAME}
- gcr.io/${PROJECT_ID}/${_IMAGE}:live - gcr.io/$PROJECT_ID/${_IMAGE}:live
timeout: 3600s timeout: 3600s
options: options:
machineType: 'N1_HIGHCPU_8' machineType: 'N1_HIGHCPU_8'
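Review bot: The two `add-tag` arguments still reference `${_IMAGE}` in the braced form that the new header comment says must be avoided, while the comment names only TAG_NAME as the exception. If `_IMAGE` is also expanded before the file reaches Spinnaker, the comment should say so, e.g. `# $var or ${"${var}"}. This file uses the former. Since TAG_NAME and _IMAGE are`. If it is not expanded, the references presumably need the same treatment as PROJECT_ID: `gcr.io/$PROJECT_ID/$_IMAGE:${TAG_NAME}` and `gcr.io/$PROJECT_ID/$_IMAGE:live`. Which case applies cannot be determined from this page.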