Build docker image of nomulus tool (#142)

* Build docker image of nomulus tool

In the course of "gradle build", build a docker image of nomulus tool so that
users can run this to allow us to bundle the java version with the image.

.gcloudignore

@@ -4,3 +4,6 @@ python/
 .*/
 repos/**
 **/.idea/
+*.jar
+!third_party/**/*.jar
+!/gradle/wrapper/**/*.jar

core/Dockerfile

@@ -0,0 +1,3 @@
+FROM gcr.io/distroless/java:debug
+ADD build/libs/nomulus.jar /nomulus.jar
+ENTRYPOINT ["/usr/bin/java", "-jar", "/nomulus.jar"]

core/build.gradle

@@ -645,10 +645,11 @@ test {
 }.dependsOn(fragileTest, outcastTest)
 
 createUberJar('nomulus', 'nomulus', 'google.registry.tools.RegistryTool')
-createUberJar('gtechTool', 'gtech_tool', 'google.registry.tools.GtechTool')
 project.nomulus.dependsOn project(':third_party').jar
-project.gtechTool.dependsOn project(':third_party').jar
 
-project.build.dependsOn nomulus
+task buildToolImage(dependsOn: nomulus, type: Exec) {
-project.build.dependsOn gtechTool
+  commandLine 'docker', 'build', '-t', 'nomulus-tool', '.'
+}
+
+project.build.dependsOn buildToolImage
 project.build.dependsOn ':stage'

release/build_nomulus_for_env.sh

@@ -31,7 +31,7 @@ if [ "${environment}" == tool ]
 then
   mkdir -p "${dest}"
 
-  ./gradlew clean :core:nomulus \
+  ./gradlew clean :core:buildToolImage \
     -PmavenUrl=https://"${gcs_prefix}"/maven \
     -PpluginsUrl=https://"${gcs_prefix}"/plugins
 

release/cloudbuild-nomulus.yaml

@@ -22,9 +22,27 @@ steps:
 # Run tests
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args: ['./gradlew', 'test', '-PskipDockerIncompatibleTests=true']
-# Build the tool binary.
+# Build the tool binary and image.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args: ['release/build_nomulus_for_env.sh', 'tool', 'output']
+# Tag the tool image and push it to the registry.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: /bin/bash
+  args:
+    - -c
+    - |
+      docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+      docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
+# Get the tool image digest and substitute in the digest in the tagging yaml file.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/nomulus-tool \
+      --format="get(digest)" --filter="tags = ${TAG_NAME}")
+    sed -i s/'$${_IMAGE}'/nomulus-tool/g release/cloudbuild-tag.yaml
+    sed -i s/':$${TAG_NAME}'/@$digest/g release/cloudbuild-tag.yaml
 # Build and package the deployment files for alpha.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args: ['release/build_nomulus_for_env.sh', 'alpha', 'output']
@@ -44,6 +62,7 @@ artifacts:
     paths:
     - 'output/*.tar'
     - 'output/nomulus.jar'
+    - 'release/cloudbuild-tag.yaml'
     - 'release/cloudbuild-sync.yaml'
     - 'release/cloudbuild-beam.yaml'
 timeout: 3600s

release/cloudbuild-proxy.yaml

@@ -36,16 +36,17 @@ steps:
   entrypoint: /bin/bash
   args:
   - -c
-  - >
+  - |
     digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
-      --format="get(digest)" --filter="tags = ${TAG_NAME}") && \
+      --format="get(digest)" --filter="tags = ${TAG_NAME}")
     gcloud --project=${PROJECT_ID} alpha container binauthz attestations \
       sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/proxy@$digest \
       --attestor=build-attestor --attestor-project=${PROJECT_ID} \
       --keyversion-project=${PROJECT_ID} --keyversion-location=global \
       --keyversion-keyring=attestor-keys --keyversion-key=signing \
       --keyversion=1
-    sed -i s/proxy:'$${TAG_NAME}'/proxy@$digest/g release/cloudbuild-tag.yaml
+    sed -i s/'$${_IMAGE}'/proxy/g release/cloudbuild-tag.yaml
+    sed -i s/':$${TAG_NAME}'/@$digest/g release/cloudbuild-tag.yaml
 # Images to upload to GCR. Even though the image has already been uploaded, we still include it
 # here so that the GCB pubsub message contains it (for Spinnaker to consume).
 images: ['gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']

release/cloudbuild-release.yaml

@@ -57,10 +57,15 @@ steps:
     docker pull gcr.io/distroless/java
     docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:${TAG_NAME}
     docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:latest
-    docker push gcr.io/${PROJECT_ID}/base:latest
+    docker pull gcr.io/distroless/java:debug
-    docker push gcr.io/${PROJECT_ID}/base:${TAG_NAME}
+    docker tag gcr.io/distroless/java:debug gcr.io/${PROJECT_ID}/base-debug:${TAG_NAME}
+    docker tag gcr.io/distroless/java:debug gcr.io/${PROJECT_ID}/base-debug:latest
     docker push gcr.io/${PROJECT_ID}/builder:latest
     docker push gcr.io/${PROJECT_ID}/builder:${TAG_NAME}
+    docker push gcr.io/${PROJECT_ID}/base:latest
+    docker push gcr.io/${PROJECT_ID}/base:${TAG_NAME}
+    docker push gcr.io/${PROJECT_ID}/base-debug:latest
+    docker push gcr.io/${PROJECT_ID}/base-debug:${TAG_NAME}
   dir: 'release/builder/'
 # Do text replacement in the merged repo, hardcoding image digests.
 - name: 'gcr.io/cloud-builders/gcloud'
@@ -72,10 +77,15 @@ steps:
       --format='get(digest)' --filter='tags = ${TAG_NAME}')
     base_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base \
       --format='get(digest)' --filter='tags = ${TAG_NAME}')
+    debug_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base-debug \
+      --format='get(digest)' --filter='tags = ${TAG_NAME}')
     sed -i s%distroless/java%${PROJECT_ID}/base@$base_digest% proxy/Dockerfile
+    sed -i s%distroless/java:debug%${PROJECT_ID}/base-debug@$debug_digest% core/Dockerfile
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-proxy.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-nomulus.yaml
     sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-beam.yaml
+    sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-sync.yaml
+    sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-tag.yaml
     sed -i s/GCP_PROJECT/${PROJECT_ID}/ proxy/kubernetes/proxy-*.yaml
     sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-sync.yaml
     sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-beam.yaml

release/cloudbuild-tag.yaml

@@ -1,11 +1,13 @@
 # To run the build locally, install cloud-build-local first.
 # Then run:
-# cloud-build-local --config=cloudbuild-tag.yaml --dryrun=false --substitutions TAG_NAME=[TAG] ..
+# cloud-build-local --config=cloudbuild-tag.yaml --dryrun=false --substitutions \
-# This will add a "live" tag to the proxy image in gcr.io/[PROJECT_ID]/proxy:[TAG].
+#   TAG_NAME=[TAG],_IMAGE=[IMAGE] ..
+# This will add a "live" tag to the image in gcr.io/[PROJECT_ID]/[IMAGE]:[TAG].
 # The PROJECT_ID is the current project name that gcloud uses.
 #
 # To manually trigger a build on GCB, run:
-# gcloud builds submit --config cloudbuild-tag.yaml --substitutions TAG_NAME=[TAG] ..
+# gcloud builds submit --config cloudbuild-tag.yaml --substitutions \
+#   TAG_NAME=[TAG],_IMAGE=[IMAGE] ..
 #
 # To trigger a build automatically, follow the instructions below and add a trigger:
 # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
@@ -16,8 +18,8 @@ steps:
   - container
   - images
   - add-tag
-  - gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
+  - gcr.io/${PROJECT_ID}/${_IMAGE}:${TAG_NAME}
-  - gcr.io/${PROJECT_ID}/proxy:live
+  - gcr.io/${PROJECT_ID}/${_IMAGE}:live
 timeout: 3600s
 options:
   machineType: 'N1_HIGHCPU_8'