Use SecretManager for nomulus-tool-cloudbuild cred (#1188)

* Use SecretManager for nomulus-tool-cloudbuild cred

Store cloudbuild's nomulus-tool credential in SecretManager and make the
deployment pipeline load it from the SecretManager.

The tool-credential.json.enc file in the
gs://domain-registry-dev-deploy/secrets folder is no longer needed.
Weimin Yu 2021-06-02 09:32:57 -04:00 committed by GitHub
parent 14069ac88a
commit fed5f1c5fa
2 changed files with 5 additions and 18 deletions


@ -20,22 +20,14 @@
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information. # See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
steps: steps:
# Pull the credential for nomulus tool. # Pull the credential for nomulus tool.
- name: 'gcr.io/$PROJECT_ID/builder:latest'
args:
- gsutil
- cp
- gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc
- .
# Decrypt the credential.
- name: 'gcr.io/$PROJECT_ID/builder:latest' - name: 'gcr.io/$PROJECT_ID/builder:latest'
entrypoint: /bin/bash entrypoint: /bin/bash
args: args:
- -c - -c
- | - |
set -e set -e
cat tool-credential.json.enc | base64 -d | gcloud kms decrypt \ gcloud secrets versions access latest \
--ciphertext-file=- --plaintext-file=tool-credential.json \ --secret nomulus-tool-cloudbuild-credential > tool-credential.json
--location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
# Deploy the GAE config files. # Deploy the GAE config files.
# First authorize the gcloud tool to use the credential json file, then # First authorize the gcloud tool to use the credential json file, then
# download and unzip the tarball that contains the relevant config files # download and unzip the tarball that contains the relevant config files
@ -53,8 +45,6 @@ steps:
fi fi
gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/${_ENV}.tar . gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/${_ENV}.tar .
tar -xvf ${_ENV}.tar tar -xvf ${_ENV}.tar
# Note that this currently does not work for google.com projects that
# we use due to b/137891685. External projects are likely to work.
for filename in cron dispatch dos index queue; do for filename in cron dispatch dos index queue; do
gcloud -q --project $project_id app deploy \ gcloud -q --project $project_id app deploy \
default/WEB-INF/appengine-generated/$filename.yaml default/WEB-INF/appengine-generated/$filename.yaml
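Review bot: The plaintext credential is now produced by a bare shell redirect on the new side of the first hunk (`gcloud secrets versions access latest … > tool-credential.json`), so the file is created with whatever mode the builder's default umask yields and remains in the build workspace for the later steps, exactly as the decrypted file did before. Restricting it costs one subshell: `( umask 077; gcloud secrets versions access latest --secret nomulus-tool-cloudbuild-credential > tool-credential.json )`; the same pattern appears in the second file's hunk, which redirects into `/secrets/cloud_sql_credential.json`. The `latest` alias means any newly added enabled version of the secret is picked up by the next build with no code change, which is presumably the intended rotation path, but nothing on the step says so, and the commit message does not mention the IAM side of the switch. A comment above the step such as `# Reads the newest enabled version; the build's service account needs secretmanager.secretAccessor on this secret.` would record both. The step that later consumes tool-credential.json is outside the hunk.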


@ -39,12 +39,9 @@ steps:
- -c - -c
- | - |
set -e set -e
gsutil cp gs://$PROJECT_ID-deploy/secrets/tool-credential.json.enc - \ gcloud secrets versions access latest \
| base64 -d \ --secret nomulus-tool-cloudbuild-credential \
| gcloud kms decrypt \ > /secrets/cloud_sql_credential.json
--ciphertext-file=- \
--plaintext-file=/secrets/cloud_sql_credential.json \
--location=global --keyring=nomulus-tool-keyring --key=nomulus-tool-key
# Fetch the Cloud SQL credential for schema_deployer # Fetch the Cloud SQL credential for schema_deployer
- name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest' - name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
volumes: volumes: