zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-08-06 09:45:19 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge beam and GAE configs deployment to one GCB job (#182)

Browse source 
* Merge beam and GAE configs deployment to one GCB job

Deployment of GAE configs requires that the credential used by gcloud to
have GAE admin role of the project to be managed. We do not want to
grant the GCB service account that role, because it would all *any* GCB
job to deploy anything to GAE. Instead we use a dedicated credential
originally created to deploy beam pipelines. This credential is
encrypted by KMS and stored on GCS. Since the beam pipeline deployment
GCB job already does the decryption, it make sense to add the config
deployment step there as well. The beam deployment steps are tweaked to
use the nomulus tool docker image instead of the jar file.

Also moved the content of deploy_configs_to_env.sh to the GCB yaml file
itself because the shell script is not uploaded to GC Bat the same time
as the yaml file when the job is triggered by Spinnaker.

Lastly, due to b/137891685, using GCB to deploy cron jobs does not work
as we cannot use service account credential to deploy to projects under
google.com.
This commit is contained in:
Lai Jiang 2019-07-19 16:54:56 -04:00 committed by GitHub
parent 1abfd169f0
commit f080259e5e
8 changed files with 112 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

14
release/cloudbuild-proxy.yaml
View file

@ -16,11 +16,11 @@ steps:
# Build the proxy docker image.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
args:
- './gradlew'
- ':proxy:test'
- ':proxy:buildProxyImage'
- '-PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven'
- '-PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins'
- ./gradlew
- :proxy:test
- :proxy:buildProxyImage
- -PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven
- -PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins
# Tag and push the image. We can't let Cloud Build's default processing do that for us
# because we need to push the image before we can sign it in the following step.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
@ -28,8 +28,11 @@ steps:
args:
- -c
- |
set -e
docker tag proxy gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
docker tag proxy gcr.io/${PROJECT_ID}/proxy:latest
docker push gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/proxy:latest
dir: 'proxy'
# Get the image digest, sign it and substitute in the digest in the tagging yaml file.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
@ -37,6 +40,7 @@ steps:
args:
- -c
- |
set -e
digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
--format="get(digest)" --filter="tags = ${TAG_NAME}")
gcloud --project=${PROJECT_ID} alpha container binauthz attestations \