This signs an attestation that the proxy image was built by cloud build, allowing the image to be used on a bin-auth restricted kubernetes cluster. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=242917524
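---
# To run the build locally, install cloud-build-local first.
# You will need access to a private registry, so be sure to install the docker
# credential helper.
# See: https://cloud.google.com/cloud-build/docs/build-debug-locally
# Then run:
# cloud-build-local --config=cloudbuild-proxy.yaml --dryrun=false --substitutions TAG_NAME=[TAG] .
# This will create a docker image named gcr.io/[PROJECT_ID]/proxy:[TAG] locally.
# The PROJECT_ID is the current project name that gcloud uses.
#
# To manually trigger a build on GCB, run:
# gcloud builds submit --config cloudbuild-proxy.yaml --substitutions TAG_NAME=[TAG] .
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# Substitutions used below: PROJECT_ID (provided by Cloud Build) and TAG_NAME
# (the git tag that triggered the build, or the value passed via
# --substitutions). Both are expanded by Cloud Build before any step runs, so
# they are plain text by the time the shell snippets see them.
steps:
  # Set permissions correctly. Not sure why it is necessary, but it is.
  # Both commands act on the build workspace ('.') only.
  # NOTE(review): world-writable (777) is broader than a build normally needs;
  # verify whether a narrower mode still works before tightening it.
  - name: 'alpine'
    args: ['chown', '-R', 'root:root', '.']
  - name: 'alpine'
    args: ['chmod', '-R', '777', '.']

  # Clone the private repo and merge its contents into the workspace.
  - name: 'gcr.io/cloud-builders/gcloud'
    args: ['source', 'repos', 'clone', 'nomulus-internal']
  - name: 'alpine'
    args: ['sh', '-c', 'cp -r nomulus-internal/* .']

  # Build the deploy jar.
  - name: 'openjdk:8-slim'
    args:
      - './gradlew'
      - ':proxy:deployJar'
      - '-x'
      - 'autoLintGradle'
      - '-PmavenUrl=gcs://domain-registry-maven-repository/maven'
      - '-PpluginsUrl=gcs://domain-registry-maven-repository/plugins'
    dir: 'gradle'

  # Build the docker image.
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '--tag', 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}', '.']
    dir: 'gradle/proxy'

  # Move config files to the working directory. This is necessary because of Spinnaker limitations.
  # It will concatenate `location' and `path' in the artifact field to construct the artifact
  # path, even though the artifact is always uploaded to the `location', and `path' can be a regular
  # expression.
  - name: 'alpine'
    args: ['sh', '-c', 'mv java/google/registry/proxy/kubernetes/* .']

  # Replace the tag "latest" with the git tag that triggered this build. This is due to a bug in
  # Spinnaker where the tag is appended to the image name when the deployment pipeline is triggered
  # by GCB pubsub messages. The bug is fixed in https://github.com/spinnaker/echo/pull/498 and we can
  # remove this step and the "latest" tag in the manifests when Spinnaker 1.13 is deployed.
  # The sed expression is quoted and uses '|' as its delimiter so that a tag
  # containing '/' (e.g. "release/1.0") does not break the substitution.
  - name: 'alpine'
    args: ['sh', '-c', 'sed -i "s|:latest|:${TAG_NAME}|" proxy-*.yaml']

  # Replace project name (same quoting/delimiter choice as the step above).
  - name: 'alpine'
    args: ['sh', '-c', 'sed -i "s|GCP_PROJECT|${PROJECT_ID}|" proxy-*.yaml']

  # Push the image. We can't let Cloud Build's default processing do that for us
  # because we need to push the image before we can sign it in the following
  # step.
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']

  # Get the image hash and sign it.
  # The script is a literal block scalar (|) so that the trailing backslashes
  # reach bash as real line continuations instead of being folded into spaces,
  # and 'set -e' aborts the step on the first failing command.
  # NOTE(review): this builder image is unpinned (implicit :latest). Because
  # this step performs the signing, consider pinning it by digest
  # (gcr.io/domain-registry-dev/builder@sha256:<DIGEST>) for reproducibility.
  - name: 'gcr.io/domain-registry-dev/builder'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        set -eo pipefail
        hash=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
          --format="get(digest)" --filter="tags = ${TAG_NAME}")
        # Refuse to sign when no digest was found for the tag; otherwise the
        # --artifact-url below would be malformed.
        test -n "$hash"
        gcloud --project=${PROJECT_ID} alpha container binauthz attestations \
          sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/proxy@$hash \
          --attestor=build-attestor --attestor-project=${PROJECT_ID} \
          --keyversion-project=${PROJECT_ID} --keyversion-location=global \
          --keyversion-keyring=attestor-keys --keyversion-key=signing \
          --keyversion=1

# Config files to upload to GCS.
artifacts:
  objects:
    location: 'gs://${PROJECT_ID}-deploy/${TAG_NAME}'
    # These cannot be regexes because of how Spinnaker constructs artifact paths.
    paths:
      - 'proxy-deployment-crash.yaml'
      - 'proxy-deployment-sandbox.yaml'
      - 'proxy-deployment-production.yaml'
      - 'proxy-deployment-crash-canary.yaml'
      - 'proxy-deployment-sandbox-canary.yaml'
      - 'proxy-deployment-production-canary.yaml'
      - 'proxy-service.yaml'
      - 'proxy-service-canary.yaml'

timeout: '3600s'

options:
  machineType: 'N1_HIGHCPU_8'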