Use SecretManager for nomulus-tool-cloudbuild cred (#1188)
* Use SecretManager for nomulus-tool-cloudbuild cred Store cloudbuild's nomulus-tool credential in SecretManager and make the deployment pipeline load it from the SecretManager. The tool-credential.json.enc file in the gs://domain-registry-dev-deploy/secrets folder is no longer needed.
This commit is contained in:
parent
14069ac88a
commit
fed5f1c5fa
2 changed files with 5 additions and 18 deletions
|
@ -20,22 +20,14 @@
|
||||||
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
|
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
|
||||||
steps:
|
steps:
|
||||||
# Pull the credential for nomulus tool.
|
# Pull the credential for nomulus tool.
|
||||||
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
||||||
args:
|
|
||||||
- gsutil
|
|
||||||
- cp
|
|
||||||
- gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc
|
|
||||||
- .
|
|
||||||
# Decrypt the credential.
|
|
||||||
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
||||||
entrypoint: /bin/bash
|
entrypoint: /bin/bash
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
- |
|
- |
|
||||||
set -e
|
set -e
|
||||||
cat tool-credential.json.enc | base64 -d | gcloud kms decrypt \
|
gcloud secrets versions access latest \
|
||||||
--ciphertext-file=- --plaintext-file=tool-credential.json \
|
--secret nomulus-tool-cloudbuild-credential > tool-credential.json
|
||||||
--location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
|
|
||||||
# Deploy the GAE config files.
|
# Deploy the GAE config files.
|
||||||
# First authorize the gcloud tool to use the credential json file, then
|
# First authorize the gcloud tool to use the credential json file, then
|
||||||
# download and unzip the tarball that contains the relevant config files
|
# download and unzip the tarball that contains the relevant config files
|
||||||
|
@ -53,8 +45,6 @@ steps:
|
||||||
fi
|
fi
|
||||||
gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/${_ENV}.tar .
|
gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/${_ENV}.tar .
|
||||||
tar -xvf ${_ENV}.tar
|
tar -xvf ${_ENV}.tar
|
||||||
# Note that this currently does not work for google.com projects that
|
|
||||||
# we use due to b/137891685. External projects are likely to work.
|
|
||||||
for filename in cron dispatch dos index queue; do
|
for filename in cron dispatch dos index queue; do
|
||||||
gcloud -q --project $project_id app deploy \
|
gcloud -q --project $project_id app deploy \
|
||||||
default/WEB-INF/appengine-generated/$filename.yaml
|
default/WEB-INF/appengine-generated/$filename.yaml
|
||||||
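Review bot: The rewritten script writes the plaintext service-account key with a plain shell redirect (`--secret nomulus-tool-cloudbuild-credential > tool-credential.json`), so the file's mode is whatever the step's umask yields, which is typically world-readable; adding `umask 077` as the first line after `set -e` keeps the key readable only by the build user. The same redirect pattern appears in the second file's hunk (`> /secrets/cloud_sql_credential.json`), where the file is then shared with the following nomulus-tool step through a volume, so the same line belongs there. As before this change, the key also remains in the build workspace for every later step; a final cleanup step that removes `tool-credential.json` would bound that exposure, though whether the workspace is retained after the build is not visible here. The `- |` script block that contains the redirect continues past the end of this hunk into the deploy loop shown in the second hunk.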
|
|
|
@ -39,12 +39,9 @@ steps:
|
||||||
- -c
|
- -c
|
||||||
- |
|
- |
|
||||||
set -e
|
set -e
|
||||||
gsutil cp gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc - \
|
gcloud secrets versions access latest \
|
||||||
| base64 -d \
|
--secret nomulus-tool-cloudbuild-credential \
|
||||||
| gcloud kms decrypt \
|
> /secrets/cloud_sql_credential.json
|
||||||
--ciphertext-file=- \
|
|
||||||
--plaintext-file=/secrets/cloud_sql_credential.json \
|
|
||||||
--location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
|
|
||||||
# Fetch the Cloud SQL credential for schema_deployer
|
# Fetch the Cloud SQL credential for schema_deployer
|
||||||
- name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
|
- name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
|
||||||
volumes:
|
volumes:
|
||||||
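Review bot: `gcloud secrets versions access latest` resolves to the newest enabled secret version at build time, so two builds of the same tag can pick up different credentials without any change to this file; if a controlled rotation is wanted, take the version from a Cloud Build substitution in the style the file already uses for `${_ENV}`, e.g. `gcloud secrets versions access ${_CREDENTIAL_VERSION} \` with `substitutions: {_CREDENTIAL_VERSION: latest}` as the default. The secret name `nomulus-tool-cloudbuild-credential` is now hard-coded identically in this step and in the first file's credential step; a substitution would keep the two in sync. The new access path also presumes the Cloud Build service account holds `roles/secretmanager.secretAccessor` on that secret, which the commit does not record anywhere; a comment above the step such as `# Requires roles/secretmanager.secretAccessor on nomulus-tool-cloudbuild-credential for the Cloud Build service account.` would document the dependency that replaced the old KMS decrypt grant.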
|
|