Work around Spinnaker issue wrt variables (#465)

* Work around Spinnaker issue wrt variables

Cloud Build variable reference need to stay from the  ${var} pattern
to prevent Spinnaker from trying to resolve it. In all files that
are used by Spinnaker, we change variable reference to the $var form.

We made the minimum amount of change possible, and will review this
issue after the permanent solution is available.

release/cloudbuild-schema-deploy.yaml

@@ -15,14 +15,22 @@
 #
 # Note that the release process hardens the tags and variables in this file:
 # - The 'latest' tag on docker images will be replaced by their image digests.
-# - The ${TAG_NAME} pattern will be replaced by the acutal release tag.
+# - The ${TAG_NAME} pattern will be replaced by the actual release tag.
+# - The ${_ENV} pattern will be replaced by the actual environment name.
 # Please refer to ./cloudbuild-release.yaml for more details.
+
+# Note 2: to work around issue in Spinnaker's 'Deployment Manifest' stage,
+# variable references must avoid the ${var} format. Valid formats include
+# $var or ${"${var}"}. This file use the former. Since TAG_NAME and _ENV are
+# expanded in the copies sent to Spinnaker, we preserve the brackets around
+# them for safe pattern matching during release.
+# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
 steps:
 # Download and decrypt the nomulus tool credential, which has the privilege to
 # start Cloud SQL proxy to all environments.
 # Also download and decrypt the admin_credential file, which has the cloud
 # instance name and database login name and password.
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+- name: 'gcr.io/$PROJECT_ID/builder:latest'
   volumes:
   - name: 'secrets'
     path: '/secrets'
@@ -31,13 +39,13 @@ steps:
   - -c
   - |
     set -e
-    gsutil cp gs://${PROJECT_ID}-deploy/secrets/tool-credential.json.enc - \
+    gsutil cp gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc - \
       | base64 -d \
       | gcloud kms decrypt \
         --ciphertext-file=- \
         --plaintext-file=/secrets/cloud_sql_credential.json \
         --location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
-    gsutil cp gs://${PROJECT_ID}-deploy/cloudsql-credentials/${_ENV}/admin_credential.enc - \
+    gsutil cp gs://$PROJECT_ID-deploy/cloudsql-credentials/${_ENV}/admin_credential.enc - \
       | base64 -d \
       | gcloud kms decrypt \
         --ciphertext-file=- \
@@ -45,7 +53,7 @@ steps:
         --location global --keyring=nomulus-tool-keyring \
         --key=nomulus-tool-key
 # Download the schema jar to be deployed.
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+- name: 'gcr.io/$PROJECT_ID/builder:latest'
   volumes:
   - name: 'flyway'
     path: '/flyway/jars'
@@ -54,10 +62,10 @@ steps:
   - -c
   - |
     set -e
-    gsutil cp gs://domain-registry-dev-deploy/${TAG_NAME}/schema.jar \
+    gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/schema.jar \
       /flyway/jars
 # Deploy SQL schema
-- name: 'gcr.io/${PROJECT_ID}/schema_deployer:latest'
+- name: 'gcr.io/$PROJECT_ID/schema_deployer:latest'
   volumes:
   - name: 'secrets'
     path: '/secrets'
@@ -68,14 +76,14 @@ steps:
 # location. Do not use the 'artifacts' section for this since it will
 # upload an extra metadata file every time and pollute the folder.
 # TODO(weiminyu): modify this step so that TAG_NAME may be 'live'.
-- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+- name: 'gcr.io/$PROJECT_ID/builder:latest'
   entrypoint: /bin/bash
   args:
   - -c
   - |
     set -e
     echo ${TAG_NAME} | \
-      gsutil cp - gs://${PROJECT_ID}-deployed-tags/sql.${_ENV}.tag\
+      gsutil cp - gs://$PROJECT_ID-deployed-tags/sql.${_ENV}.tag\
 timeout: 3600s
 options:
   machineType: 'N1_HIGHCPU_8'