mirror of
https://github.com/google/nomulus.git
synced 2025-05-21 19:59:34 +02:00
5da48184f9
* Merge beam and GAE configs deployment to one GCB job Deployment of GAE configs requires that the credential used by gcloud to have GAE admin role of the project to be managed. We do not want to grant the GCB service account that role, because it would all *any* GCB job to deploy anything to GAE. Instead we use a dedicated credential originally created to deploy beam pipelines. This credential is encrypted by KMS and stored on GCS. Since the beam pipeline deployment GCB job already does the decryption, it make sense to add the config deployment step there as well. The beam deployment steps are tweaked to use the nomulus tool docker image instead of the jar file. Also moved the content of deploy_configs_to_env.sh to the GCB yaml file itself because the shell script is not uploaded to GC Bat the same time as the yaml file when the job is triggered by Spinnaker. Lastly, due to b/137891685, using GCB to deploy cron jobs does not work as we cannot use service account credential to deploy to projects under google.com.
150 lines
6.1 KiB
YAML
150 lines
6.1 KiB
YAML
# To run the build locally, install cloud-build-local first.
|
|
# You will need access to a private registry, so be sure to install the docker
|
|
# credential helper.
|
|
# See: https://cloud.google.com/cloud-build/docs/build-debug-locally
|
|
# Then run:
|
|
# cloud-build-local --config=cloudbuild-release.yaml --dryrun=false \
|
|
# --substitutions TAG_NAME=[TAG],_INTERNAL_REPO_URL=[URL] ..
|
|
#
|
|
# To manually trigger a build on GCB, run:
|
|
# gcloud builds submit --config cloudbuild-release.yaml --substitutions \
|
|
# TAG_NAME=[TAG],_INTERNAL_REPO_URL=[URL] ..
|
|
#
|
|
# To trigger a build automatically, follow the instructions below and add a trigger:
|
|
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
|
|
#
|
|
# This pipeline prepares a release. The pipeline should be run against the Nomulus public repo on
|
|
# GitHub. It builds the builder and base images, and hard codes the sha256 hashes of the resulting
|
|
# images in the merged code base (internal + public) , which is tagged and pushed into the release
|
|
# repo. Actual release artifacts are built from the release repo, ensuring reproducibility.
|
|
steps:
|
|
# Check the out internal repo.
|
|
- name: 'gcr.io/cloud-builders/git'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
git clone https://gerrit.googlesource.com/gcompute-tools
|
|
./gcompute-tools/git-cookie-authdaemon
|
|
git clone ${_INTERNAL_REPO_URL} nomulus-internal
|
|
# Tag and push the internal repo.
|
|
- name: 'gcr.io/cloud-builders/git'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
git tag ${TAG_NAME}
|
|
git push origin ${TAG_NAME}
|
|
dir: 'nomulus-internal'
|
|
# Merge the repos.
|
|
- name: 'gcr.io/cloud-builders/git'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
shopt -s dotglob
|
|
rm -rf .git && rm -rf nomulus-internal/.git
|
|
cp -rf nomulus-internal/* .
|
|
rm -rf nomulus-internal
|
|
# Build the builder image and tag the proxy base image, then upload them to GCR.
|
|
- name: 'gcr.io/cloud-builders/docker'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
docker build -t gcr.io/${PROJECT_ID}/builder:${TAG_NAME} .
|
|
docker tag gcr.io/${PROJECT_ID}/builder:${TAG_NAME} gcr.io/${PROJECT_ID}/builder:latest
|
|
docker pull gcr.io/distroless/java
|
|
docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:${TAG_NAME}
|
|
docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:latest
|
|
docker pull gcr.io/distroless/java:debug
|
|
docker tag gcr.io/distroless/java:debug gcr.io/${PROJECT_ID}/base-debug:${TAG_NAME}
|
|
docker tag gcr.io/distroless/java:debug gcr.io/${PROJECT_ID}/base-debug:latest
|
|
docker push gcr.io/${PROJECT_ID}/builder:latest
|
|
docker push gcr.io/${PROJECT_ID}/builder:${TAG_NAME}
|
|
docker push gcr.io/${PROJECT_ID}/base:latest
|
|
docker push gcr.io/${PROJECT_ID}/base:${TAG_NAME}
|
|
docker push gcr.io/${PROJECT_ID}/base-debug:latest
|
|
docker push gcr.io/${PROJECT_ID}/base-debug:${TAG_NAME}
|
|
dir: 'release/builder/'
|
|
# Do text replacement in the merged repo, hardcoding image digests.
|
|
- name: 'gcr.io/cloud-builders/gcloud'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
builder_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/builder \
|
|
--format='get(digest)' --filter='tags = ${TAG_NAME}')
|
|
base_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base \
|
|
--format='get(digest)' --filter='tags = ${TAG_NAME}')
|
|
debug_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base-debug \
|
|
--format='get(digest)' --filter='tags = ${TAG_NAME}')
|
|
sed -i s%distroless/java%${PROJECT_ID}/base@$base_digest% proxy/Dockerfile
|
|
sed -i s%distroless/java:debug%${PROJECT_ID}/base-debug@$debug_digest% core/Dockerfile
|
|
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-proxy.yaml
|
|
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-nomulus.yaml
|
|
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-deploy.yaml
|
|
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-sync.yaml
|
|
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-tag.yaml
|
|
sed -i s/GCP_PROJECT/${PROJECT_ID}/ proxy/kubernetes/proxy-*.yaml
|
|
sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-sync.yaml
|
|
sed -i s/'$${TAG_NAME}'/${TAG_NAME}/g release/cloudbuild-deploy.yaml
|
|
for environment in alpha crash sandbox production; do
|
|
sed s/'$${_ENV}'/${environment}/g release/cloudbuild-deploy.yaml \
|
|
> release/cloudbuild-deploy-${environment}.yaml
|
|
done
|
|
# Upload the gradle binary to GCS if it does not exist and point URL in gradle wrapper to it.
|
|
- name: 'gcr.io/cloud-builders/gsutil'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
gradle_url=$(grep distributionUrl gradle/wrapper/gradle-wrapper.properties \
|
|
| awk -F = '{print $2}' | sed 's/\\//g')
|
|
gradle_bin=$(basename $gradle_url)
|
|
gcs_loc="domain-registry-maven-repository/gradle"
|
|
curl -O -L ${gradle_url}
|
|
if gsutil -q stat gs://${gcs_loc}/${gradle_bin}
|
|
then
|
|
local_md5=$(md5sum ${gradle_bin} | awk '{print $1}')
|
|
remote_md5=$(gsutil hash -h gs://${gcs_loc}/${gradle_bin} | grep md5 | awk '{print $3}')
|
|
if [[ ${local_md5} != ${remote_md5} ]]
|
|
then
|
|
echo "${gradle_bin} HAS CHANGED ON GRADLE WEBSITE, USING THE BINARY ON GCS."
|
|
fi
|
|
else
|
|
gsutil cp $gradle_bin gs://${gcs_loc}/
|
|
gsutil acl ch -u AllUsers:R gs://${gcs_loc}/${gradle_bin}
|
|
fi
|
|
rm ${gradle_bin}
|
|
sed -i s%services.gradle.org/distributions%storage.googleapis.com/${gcs_loc}% \
|
|
gradle/wrapper/gradle-wrapper.properties
|
|
# Check out the release repo.
|
|
- name: 'gcr.io/cloud-builders/gcloud'
|
|
args: ['source', 'repos', 'clone', 'nomulus-release']
|
|
# Tag and check in the release repo.
|
|
- name: 'gcr.io/cloud-builders/git'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
cp -rf nomulus-release/.git .
|
|
rm -rf nomulus-release
|
|
git config --global user.name "Cloud Build"
|
|
git config --global user.email \
|
|
$(gcloud auth list --format='get(account)' --filter=active)
|
|
git add .
|
|
git commit -m "Release commit for tag ${TAG_NAME}"
|
|
git push origin master
|
|
git tag ${TAG_NAME}
|
|
git push origin ${TAG_NAME}
|
|
timeout: 3600s
|
|
options:
|
|
machineType: 'N1_HIGHCPU_8'
|