Use credential in secretmanager to deploy schema (#1055)

* Use credential in secretmanager to deploy schema

Fetch the schema_deployer credential from SecretManager when deploying
the schema to Cloud SQL.

release/cloudbuild-schema-deploy.yaml

@@ -27,9 +27,9 @@
 # See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
 steps:
 # Download and decrypt the nomulus tool credential, which has the privilege to
-# start Cloud SQL proxy to all environments.
-# Also download and decrypt the admin_credential file, which has the cloud
-# instance name and database login name and password.
+# start Cloud SQL proxy to all environments. This credential is also used to
+# authenticate the nomulus tool when fetching the schema deployer credential in
+# the next step.
 - name: 'gcr.io/$PROJECT_ID/builder:latest'
   volumes:
   - name: 'secrets'
@@ -45,13 +45,21 @@ steps:
         --ciphertext-file=- \
         --plaintext-file=/secrets/cloud_sql_credential.json \
         --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
-    gsutil cp gs://$PROJECT_ID-deploy/cloudsql-credentials/${_ENV}/admin_credential.enc - \
-      | base64 -d \
-      | gcloud kms decrypt \
-        --ciphertext-file=- \
-        --plaintext-file=/secrets/admin_credential.dec \
-        --location global --keyring=nomulus-tool-keyring \
-        --key=nomulus-tool-key
+# Fetch the Cloud SQL credential for schema_deployer
+- name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
+  volumes:
+  - name: 'secrets'
+    path: '/secrets'
+  args:
+  - -e
+  - ${_ENV}
+  - --credential
+  - /secrets/cloud_sql_credential.json
+  - get_sql_credential
+  - --user
+  - schema_deployer
+  - --output
+  - /secrets/schema_deployer_credential.dec
 # Download the schema jar to be deployed.
 - name: 'gcr.io/$PROJECT_ID/builder:latest'
   volumes:

release/schema-deployer/deploy_sql_schema.sh

@@ -18,19 +18,19 @@
 # - /flyway/jars: the schema jar to be deployed.
 #
 # Database login info may be passed in two ways:
-# - Decrypt the admin_credential.enc file on GCS and map it as
-#   /secrets/admin_credential.dec
-# - Provide the content of the admin_credential as command line arguments
+# - Save it in the format of "cloud_sql_instance login password" in a file and
+#   map the file as /secrets/schema_deployer_credential.dec
+# - Provide the content of the credential as command line arguments
 
 set -e
 if [ "$#" -le 1 ]; then
-  if [ ! -f /secrets/admin_credential.dec ]; then
-    echo "Missing /secrets/admin_credential.dec"
+  if [ ! -f /secrets/schema_deployer_credential.dec ]; then
+    echo "Missing /secrets/schema_deployer_credential.dec"
     exit 1
   fi
-  cloud_sql_instance=$(cut -d' ' -f1 /secrets/admin_credential.dec)
-  db_user=$(cut -d' ' -f2 /secrets/admin_credential.dec)
-  db_password=$(cut -d' ' -f3 /secrets/admin_credential.dec)
+  cloud_sql_instance=$(cut -d' ' -f1 /secrets/schema_deployer_credential.dec)
+  db_user=$(cut -d' ' -f2 /secrets/schema_deployer_credential.dec)
+  db_password=$(cut -d' ' -f3 /secrets/schema_deployer_credential.dec)
   flyway_action=${1:-validate}
 elif [ "$#" -ge 3 ]; then
   cloud_sql_instance=$1