Use rearranged sql credentials in flyway task (#712)

* Use rearranged sql credentials in flyway task

Let the flyway tasks use the sql credential files set up for BEAM
pipelines.

Credential files have been created for each environment in GCS
at gs://${project}-beam/cloudsql/admin_credential.enc. All
project editors have access to this file, including the Dataflow
control service account.

Alpha and crash use the 'nomulus-tools-key' in their own project to
decrypt the credential file.

Sandbox and production use the 'nomulus-tools-key' in
domain-registry-dev to decrypt the credential file.

Note that this setup is temporary. It will become obsolete once
we migrate to Cloud Secret Manager for secret storage.
Weimin Yu 2020-07-24 15:32:01 -04:00 committed by GitHub
parent 518166a1dc
commit 48674c8d0c


@ -36,6 +36,7 @@ ext {
} }
getAccessInfoByHostPort = { hostAndPort -> getAccessInfoByHostPort = { hostAndPort ->
println "Database set to ${hostAndPort}."
return [ return [
url: "jdbc:postgresql://${hostAndPort}/${dbName}", url: "jdbc:postgresql://${hostAndPort}/${dbName}",
user: findProperty('dbUser'), user: findProperty('dbUser'),
@ -45,6 +46,7 @@ ext {
getSocketFactoryAccessInfo = { env -> getSocketFactoryAccessInfo = { env ->
def cred = getCloudSqlCredential(env, 'admin').split(' ') def cred = getCloudSqlCredential(env, 'admin').split(' ')
def sqlInstance = cred[0] def sqlInstance = cred[0]
println "Database set to Cloud SQL instance ${sqlInstance}."
return [ return [
url: """\ url: """\
jdbc:postgresql://google/${dbName}?cloudSqlInstance= jdbc:postgresql://google/${dbName}?cloudSqlInstance=
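Review bot: the new `println "Database set to Cloud SQL instance ${sqlInstance}."` only stays safe if the decrypted credential really has the expected space-separated layout; `cred` comes from `getCloudSqlCredential(env, 'admin').split(' ')`, so a credential file without the separator would make `cred[0]` the whole decrypted string, and the build log (which CI typically captures) would then echo more than the instance name. Consider checking the field count before logging, e.g. `assert cred.length == 3 : 'unexpected credential format'` ahead of the `println`, and keep the log line limited to `cred[0]` as it is now.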
@ -73,14 +75,17 @@ ext {
getCloudSqlCredential = { env, role -> getCloudSqlCredential = { env, role ->
def devProject = project.hasProperty('devProject') def devProject = project.hasProperty('devProject')
? project.getProperty('devProject') : rootProject.devProject ? project.getProperty('devProject') : rootProject.devProject
def gcpProject = project.hasProperty('gcpProject')
? project.getProperty('gcpProject') : rootProject.gcpProject
def keyProject = env in restrictedDbEnv? devProject : gcpProject
def command = def command =
"""gsutil cp \ """gsutil cp \
gs://${devProject}-deploy/cloudsql-credentials/${env}/${role}_credential.enc - | \ gs://${gcpProject}-beam/cloudsql/${role}_credential.enc - | \
base64 -d | \ base64 -d | \
gcloud kms decrypt --location global --keyring nomulus-tool-keyring \ gcloud kms decrypt --location global --keyring nomulus-tool-keyring \
--key nomulus-tool-key --plaintext-file=- \ --key nomulus-tool-key --plaintext-file=- \
--ciphertext-file=- \ --ciphertext-file=- \
--project=${devProject}""" --project=${keyProject}"""
return execInBash(command, '/tmp') return execInBash(command, '/tmp')
} }
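Review bot: `restrictedDbEnv`, used on the `def keyProject = env in restrictedDbEnv? devProject : gcpProject` line, is not defined anywhere in this hunk; please confirm it is declared in the same `ext` block (and that it lists the sandbox and production environments the commit message says must decrypt with the key in domain-registry-dev), otherwise the closure fails when evaluated. Two smaller points: the commit message refers to the key as 'nomulus-tools-key' while the command uses `--keyring nomulus-tool-keyring --key nomulus-tool-key`, so one of the two should be corrected to match, and the ternary would read better with a space before the `?` (`env in restrictedDbEnv ? devProject : gcpProject`), consistent with the `devProject`/`gcpProject` ternaries just above it.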