Deploy SQL schema from Cloud Build (#350)

Defined Docker image for schema deployment. Included schema deploymer docker in the Cloud Build release process. Defined Cloud Build config for schema deployment. TESTED=Used cloud-build-local to test deployment flow TESTED=Used docker to test schema deployer image in more ways
2025-08-05 17:28:25 +02:00 · 2019-11-12 11:06:16 -05:00 · 2019-11-12 11:06:16 -05:00 · bce09a3aa3
commit bce09a3aa3
parent cb87658827
5 changed files with 266 additions and 2 deletions
--- a/release/cloudbuild-schema-deploy.yaml
+++ b/release/cloudbuild-schema-deploy.yaml
@ -0,0 +1,81 @@
+# To run the build locally, install cloud-build-local first.
+# Then run:
+# cloud-build-local --config=cloudbuild-schema-deploy.yaml --dryrun=false \
+# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
+#
+# This will deploy Cloud SQL schema release with tag value ${TAG_NAME} to
+# the environment specified by ${_ENV}.
+#
+# To manually trigger a build on GCB, run:
+# gcloud builds submit --config=cloudbuild-schema-deploy.yaml \
+# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
+#
+# To trigger a build automatically, follow the instructions below and add a trigger:
+# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
+#
+# Note that the release process hardens the tags and variables in this file:
+# - The 'latest' tag on docker images will be replaced by their image digests.
+# - The ${TAG_NAME} pattern will be replaced by the acutal release tag.
+# Please refer to ./cloudbuild-release.yaml for more details.
+steps:
+# Download and decrypt the nomulus tool credential, which has the privilege to
+# start Cloud SQL proxy to all environments.
+# Also download and decrypt the admin_credential file, which has the cloud
+# instance name and database login name and password.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  volumes:
+  - name: 'secrets'
+    path: '/secrets'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    gsutil cp gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc - \
+      | base64 -d \
+      | gcloud kms decrypt \
+        --ciphertext-file=- \
+        --plaintext-file=/secrets/cloud_sql_credential.json \
+        --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
+    gsutil cp gs://${PROJECT_ID}-deploy/cloudsql-credentials/${_ENV}/admin_credential.enc - \
+      | base64 -d \
+      | gcloud kms decrypt \
+        --ciphertext-file=- \
+        --plaintext-file=/secrets/admin_credential.dec \
+        --location global --keyring=nomulus-tool-keyring \
+        --key=nomulus-tool-key
+# Download the schema jar to be deployed.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  volumes:
+  - name: 'flyway'
+    path: '/flyway/jars'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    gsutil cp gs://domain-registry-dev-deploy/${TAG_NAME}/schema.jar \
+      /flyway/jars
+# Deploy SQL schema
+- name: 'gcr.io/${PROJECT_ID}/schema_deployer:latest'
+  volumes:
+  - name: 'secrets'
+    path: '/secrets'
+  - name: 'flyway'
+    path: '/flyway/jars'
+  args: ['migrate']
+# Save the deployed tag for the current environment on GCS to a well-known.
+# location. Do not use the 'artifacts' section for this since it will
+# upload an extra metadata file every time and pollute the folder.
+# TODO(weiminyu): modify this step so that TAG_NAME may be 'live'.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    echo ${TAG_NAME} | \
+      gsutil cp - gs://${PROJECT_ID}-deployed-tags/sql.${_ENV}.tag\
+timeout: 3600s
+options:
+  machineType: 'N1_HIGHCPU_8'