diff --git a/.gcloudignore b/.gcloudignore
index 2115f6519..c40ea5703 100644
--- a/.gcloudignore
+++ b/.gcloudignore
@@ -4,3 +4,6 @@ python/
 .*/
 repos/**
 **/.idea/
+*.jar
+!third_party/**/*.jar
+!/gradle/wrapper/**/*.jar
diff --git a/core/Dockerfile b/core/Dockerfile
new file mode 100644
index 000000000..5f919798f
--- /dev/null
+++ b/core/Dockerfile
@@ -0,0 +1,3 @@
+FROM gcr.io/distroless/java:debug
+ADD build/libs/nomulus.jar /nomulus.jar
+ENTRYPOINT ["/usr/bin/java", "-jar", "/nomulus.jar"]
diff --git a/core/build.gradle b/core/build.gradle
index 3271fafbd..bc430dc54 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -645,10 +645,11 @@ test {
 }.dependsOn(fragileTest, outcastTest)
 createUberJar('nomulus', 'nomulus', 'google.registry.tools.RegistryTool')
-createUberJar('gtechTool', 'gtech_tool', 'google.registry.tools.GtechTool')
 project.nomulus.dependsOn project(':third_party').jar
-project.gtechTool.dependsOn project(':third_party').jar
-project.build.dependsOn nomulus
-project.build.dependsOn gtechTool
+task buildToolImage(dependsOn: nomulus, type: Exec) {
+ commandLine 'docker', 'build', '-t', 'nomulus-tool', '.'
+}
+
+project.build.dependsOn buildToolImage
 project.build.dependsOn ':stage'
diff --git a/release/build_nomulus_for_env.sh b/release/build_nomulus_for_env.sh
index ec3e6503e..5e316e739 100755
--- a/release/build_nomulus_for_env.sh
+++ b/release/build_nomulus_for_env.sh
@@ -31,7 +31,7 @@ if [ "${environment}" == tool ]
 then
 mkdir -p "${dest}"
- ./gradlew clean :core:nomulus \
+ ./gradlew clean :core:buildToolImage \
 -PmavenUrl=https://"${gcs_prefix}"/maven \
 -PpluginsUrl=https://"${gcs_prefix}"/plugins
diff --git a/release/cloudbuild-nomulus.yaml b/release/cloudbuild-nomulus.yaml
index 567e050b4..90ad73cca 100644
--- a/release/cloudbuild-nomulus.yaml
+++ b/release/cloudbuild-nomulus.yaml
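Review bot: The new core/Dockerfile uses `ADD` for a plain local file and builds on the `:debug` variant of the base image without saying why. `COPY build/libs/nomulus.jar /nomulus.jar` does the same job without `ADD`'s archive-extraction and URL handling. The debug variant adds a shell to the image, which widens what is reachable inside the container; a comment such as `# debug variant: the tool needs a shell for <reason>` would record the intent. No `USER` line is set, so the process runs as the base image's default user; a non-root user is worth considering if the tool does not need more.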
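Review bot: `buildToolImage` in core/build.gradle passes `.` as the Docker build context, which for an `Exec` task is by default the project directory, so the whole of core/ is sent to the Docker daemon although the Dockerfile only needs `build/libs/nomulus.jar`. No `.dockerignore` is added in this commit; one that excludes everything except that jar would keep unrelated local files out of the context. Separately, `project.build.dependsOn buildToolImage` makes every `build` require a running Docker daemon; if that is intended, a comment above the task saying so would help.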
@@ -22,9 +22,27 @@ steps:
 # Run tests
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 args: ['./gradlew', 'test', '-PskipDockerIncompatibleTests=true']
-# Build the tool binary.
+# Build the tool binary and image.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 args: ['release/build_nomulus_for_env.sh', 'tool', 'output']
+# Tag the tool image and push it to the registry.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+ entrypoint: /bin/bash
+ args:
+ - -c
+ - |
+ docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+ docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+# Get the tool image digest and substitute in the digest in the tagging yaml file.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+ entrypoint: /bin/bash
+ args:
+ - -c
+ - |
+ digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/nomulus-tool \
+ --format="get(digest)" --filter="tags = ${TAG_NAME}")
+ sed -i s/'$${_IMAGE}'/nomulus-tool/g release/cloudbuild-tag.yaml
+ sed -i s/':$${TAG_NAME}'/@$digest/g release/cloudbuild-tag.yaml
 # Build and package the deployment files for alpha.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
 args: ['release/build_nomulus_for_env.sh', 'alpha', 'output']
@@ -44,6 +62,7 @@ artifacts:
 paths:
 - 'output/*.tar'
 - 'output/nomulus.jar'
+ - 'release/cloudbuild-tag.yaml'
 - 'release/cloudbuild-sync.yaml'
 - 'release/cloudbuild-beam.yaml'
 timeout: 3600s
diff --git a/release/cloudbuild-proxy.yaml b/release/cloudbuild-proxy.yaml
index 0f1ddf9e9..0801256fe 100644
--- a/release/cloudbuild-proxy.yaml
+++ b/release/cloudbuild-proxy.yaml
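Review bot: Neither of the two `bash -c` scripts added to release/cloudbuild-nomulus.yaml stops on error, so each step reports only the status of its last command. If the `gcloud container images list-tags` lookup fails or returns nothing, `digest` is empty and the two `sed` lines still rewrite release/cloudbuild-tag.yaml with a bare `@` reference. Starting each script with `set -euo pipefail` and putting `[ -n "$digest" ]` before the `sed` lines would make the step fail instead. The same applies to the cloudbuild-proxy.yaml hunk: in its new `|` form a failed `sign-and-create` is followed by the `sed` lines, whose status becomes the step's, so a missing attestation would not fail the build.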
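Review bot: `release/cloudbuild-tag.yaml` is now specialised and published by this build, while the cloudbuild-proxy.yaml hunk specialises the same file name for a different image. Whether the proxy build uploads its copy to the same `artifacts` location is not visible in this diff; if it does, whichever build finishes last decides which image the tag build marks `live`. Publishing the rewritten file under an image-specific name (for example `release/cloudbuild-tag-nomulus-tool.yaml`, a name made up here) would rule that out.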
@@ -36,16 +36,17 @@ steps:
 entrypoint: /bin/bash
 args:
 - -c
- - >
+ - |
 digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
- --format="get(digest)" --filter="tags = ${TAG_NAME}") && \
+ --format="get(digest)" --filter="tags = ${TAG_NAME}")
 gcloud --project=${PROJECT_ID} alpha container binauthz attestations \
 sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/proxy@$digest \
 --attestor=build-attestor --attestor-project=${PROJECT_ID} \
 --keyversion-project=${PROJECT_ID} --keyversion-location=global \
 --keyversion-keyring=attestor-keys --keyversion-key=signing \
 --keyversion=1
- sed -i s/proxy:'$${TAG_NAME}'/proxy@$digest/g release/cloudbuild-tag.yaml
+ sed -i s/'$${_IMAGE}'/proxy/g release/cloudbuild-tag.yaml
+ sed -i s/':$${TAG_NAME}'/@$digest/g release/cloudbuild-tag.yaml
 # Images to upload to GCR. Even though the image has already been uploaded, we still include it
 # here so that the GCB pubsub message contains it (for Spinnaker to consume).
 images: ['gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']
diff --git a/release/cloudbuild-release.yaml b/release/cloudbuild-release.yaml
index bb079242b..ba9e39f7d 100644
--- a/release/cloudbuild-release.yaml
+++ b/release/cloudbuild-release.yaml
@@ -57,10 +57,15 @@ steps:
 docker pull gcr.io/distroless/java
 docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:${TAG_NAME}
 docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:latest
- docker push gcr.io/${PROJECT_ID}/base:latest
- docker push gcr.io/${PROJECT_ID}/base:${TAG_NAME}
+ docker pull gcr.io/distroless/java:debug
+ docker tag gcr.io/distroless/java:debug gcr.io/${PROJECT_ID}/base-debug:${TAG_NAME}
+ docker tag gcr.io/distroless/java:debug gcr.io/${PROJECT_ID}/base-debug:latest
 docker push gcr.io/${PROJECT_ID}/builder:latest
 docker push gcr.io/${PROJECT_ID}/builder:${TAG_NAME}
+ docker push gcr.io/${PROJECT_ID}/base:latest
+ docker push gcr.io/${PROJECT_ID}/base:${TAG_NAME}
+ docker push gcr.io/${PROJECT_ID}/base-debug:latest
+ docker push gcr.io/${PROJECT_ID}/base-debug:${TAG_NAME}
 dir: 'release/builder/'
 # Do text replacement in the merged repo, hardcoding image digests.
 - name: 'gcr.io/cloud-builders/gcloud'
@@ -72,10 +77,15 @@ steps:
 --format='get(digest)' --filter='tags = ${TAG_NAME}')
 base_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base \
 --format='get(digest)' --filter='tags = ${TAG_NAME}')
+ debug_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base-debug \
+ --format='get(digest)' --filter='tags = ${TAG_NAME}')
 sed -i s%distroless/java%${PROJECT_ID}/base@$base_digest% proxy/Dockerfile
+ sed -i s%distroless/java:debug%${PROJECT_ID}/base-debug@$debug_digest% core/Dockerfile
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-proxy.yaml
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-nomulus.yaml
 sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-beam.yaml
+ sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-sync.yaml
+ sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-tag.yaml
 sed -i s/GCP_PROJECT/${PROJECT_ID}/ proxy/kubernetes/proxy-*.yaml
 sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-sync.yaml
 sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-beam.yaml
diff --git a/release/cloudbuild-tag.yaml b/release/cloudbuild-tag.yaml
index 65f49c7c2..aab2e74d2 100644
--- a/release/cloudbuild-tag.yaml
+++ b/release/cloudbuild-tag.yaml
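Review bot: None of the `sed -i` lines added in this cloudbuild-release.yaml hunk checks that its pattern matched. If `core/Dockerfile` stops containing the exact text `distroless/java:debug`, or release/cloudbuild-sync.yaml or release/cloudbuild-tag.yaml contains no `builder:latest`, the step still succeeds and the release keeps a mutable tag where a digest was intended. A check after the substitutions, such as `grep -q 'base-debug@sha256:' core/Dockerfile || exit 1`, would turn that into a build failure. The script's opening lines are outside the hunk, so whether it already runs under `set -e` is not visible here.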
@@ -1,11 +1,13 @@
 # To run the build locally, install cloud-build-local first.
 # Then run:
-# cloud-build-local --config=cloudbuild-tag.yaml --dryrun=false --substitutions TAG_NAME=[TAG] ..
-# This will add a "live" tag to the proxy image in gcr.io/[PROJECT_ID]/proxy:[TAG].
+# cloud-build-local --config=cloudbuild-tag.yaml --dryrun=false --substitutions \
+# TAG_NAME=[TAG],_IMAGE=[IMAGE] ..
+# This will add a "live" tag to the image in gcr.io/[PROJECT_ID]/[IMAGE]:[TAG].
 # The PROJECT_ID is the current project name that gcloud uses.
 #
 # To manually trigger a build on GCB, run:
-# gcloud builds submit --config cloudbuild-tag.yaml --substitutions TAG_NAME=[TAG] ..
+# gcloud builds submit --config cloudbuild-tag.yaml --substitutions \
+# TAG_NAME=[TAG],_IMAGE=[IMAGE] ..
 #
 # To trigger a build automatically, follow the instructions below and add a trigger:
 # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
@@ -16,8 +18,8 @@ steps:
 - container
 - images
 - add-tag
- - gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
- - gcr.io/${PROJECT_ID}/proxy:live
+ - gcr.io/${PROJECT_ID}/${_IMAGE}:${TAG_NAME}
+ - gcr.io/${PROJECT_ID}/${_IMAGE}:live
 timeout: 3600s
 options:
 machineType: 'N1_HIGHCPU_8'
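Review bot: Nothing in release/cloudbuild-tag.yaml says that the two image arguments in the second hunk are rewritten by `sed` in cloudbuild-nomulus.yaml and cloudbuild-proxy.yaml, which match the literal text `${_IMAGE}` and `:${TAG_NAME}`. A later reformat of these lines would make those substitutions silently stop matching. A comment above them would help, for example `# Release builds rewrite ${_IMAGE} and :${TAG_NAME} on the next two lines with sed; keep the text exactly as written.` The `steps:` entry these arguments belong to starts outside the hunk.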