mirror of
https://github.com/google/nomulus.git
synced 2025-07-29 22:16:29 +02:00
1465410f0e
This PR changes the two flavors of OIDC authentication mechanisms to verify the same audience. This allows the same token to pass both mechanisms. Previously the regular OIDC flavor uses the project id as its required audience, which does not work for local user credentials (such as ones used by the nomulus tool), which requires a valid OAuth client ID as audience when minting the token (project id is NOT a valid OAuth client ID). I considered allowing multiple audiences, but the result is not as clean as just using the same everywhere, because the fall-through logic would have generated a lot of noises for failed attempts. This PR also changes the client side to solely use OIDC token whenever possible, including the proxy, cloud scheduler and cloud tasks. The nomulus tool still uses OAuth access token by default because it requires USER level authentication, which in turn requires us to fill the User table with objects corresponding to the email address of everyone needing access to the tool. TESTED=verified each client is able to make authenticated calls on QA with or without IAP.
101 lines
4 KiB
YAML
101 lines
4 KiB
YAML
# To run the build locally, install cloud-build-local first.
|
|
# Then run:
|
|
# cloud-build-local --config=cloudbuild-deploy.yaml --dryrun=false \
|
|
# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
|
|
#
|
|
# This will deploy the GAE config files and save the deployed tags in GCS.
|
|
#
|
|
# To manually trigger a build on GCB, run:
|
|
# gcloud builds submit --config=cloudbuild-deploy.yaml \
|
|
# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
|
|
#
|
|
# To trigger a build automatically, follow the instructions below and add a trigger:
|
|
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
|
|
#
|
|
# Note: to work around issue in Spinnaker's 'Deployment Manifest' stage,
|
|
# variable references must avoid the ${var} format. Valid formats include
|
|
# $var or ${"${var}"}. This file uses the former. Since TAG_NAME and _ENV are
|
|
# expanded in the copies sent to Spinnaker, we preserve the brackets around
|
|
# them for safe pattern matching during release.
|
|
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
|
|
steps:
|
|
# Pull the credential for nomulus tool.
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
gcloud secrets versions access latest \
|
|
--secret nomulus-tool-cloudbuild-credential > tool-credential.json
|
|
# Create/Update cloud scheduler and cloud tasks based on a cloud-scheduler-tasks.xml
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
gcloud auth activate-service-account --key-file=tool-credential.json
|
|
if [ ${_ENV} == production ]; then
|
|
project_id="domain-registry"
|
|
else
|
|
project_id="domain-registry-${_ENV}"
|
|
fi
|
|
gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/${_ENV}.tar .
|
|
tar -xvf ${_ENV}.tar
|
|
unzip default/WEB-INF/lib/core.jar
|
|
deployCloudSchedulerAndQueue google/registry/config/files/nomulus-config-${_ENV}.yaml default/WEB-INF/cloud-scheduler-tasks.xml $project_id
|
|
deployCloudSchedulerAndQueue google/registry/config/files/nomulus-config-${_ENV}.yaml default/WEB-INF/cloud-tasks-queue.xml $project_id
|
|
# Deploy the GAE config files.
|
|
# First authorize the gcloud tool to use the credential json file, then
|
|
# download and unzip the tarball that contains the relevant config files
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
gcloud auth activate-service-account --key-file=tool-credential.json
|
|
if [ ${_ENV} == production ]; then
|
|
project_id="domain-registry"
|
|
else
|
|
project_id="domain-registry-${_ENV}"
|
|
fi
|
|
gcloud -q --project $project_id app deploy default/WEB-INF/appengine-generated/dispatch.yaml
|
|
# Save the deployed tag for the current environment on GCS, and update the
|
|
# mappings from Nomulus releases to Appengine versions.
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
echo ${TAG_NAME} | \
|
|
gsutil cp - gs://$PROJECT_ID-deployed-tags/nomulus.${_ENV}.tag
|
|
# Update the release to AppEngine version mapping.
|
|
if [ ${_ENV} == production ]; then
|
|
project_id="domain-registry"
|
|
else
|
|
project_id="domain-registry-${_ENV}"
|
|
fi
|
|
local_map="nomulus.${_ENV}.tmp"
|
|
gcloud app versions list \
|
|
--project $project_id --hide-no-traffic \
|
|
--format="csv[no-heading](SERVICE,VERSION.ID)" | \
|
|
grep -e "^backend\|^default\|^pubapi\|^tools" |\
|
|
while read line; do echo "${TAG_NAME},$line"; done | tee "$local_map"
|
|
num_versions=$(cat "$local_map" | wc -l)
|
|
if [ "$num_versions" -ne 4 ]; then
|
|
echo "Expecting exactly four active services. Found $num_versions"
|
|
exit 1
|
|
fi
|
|
gsutil cp "$local_map" gs://$PROJECT_ID-deployed-tags/nomulus.${_ENV}.tmp
|
|
# Atomically append uploaded tmp file to nomulus.${_ENV}.versions
|
|
gsutil compose \
|
|
gs://$PROJECT_ID-deployed-tags/nomulus.${_ENV}.versions \
|
|
gs://$PROJECT_ID-deployed-tags/nomulus.${_ENV}.tmp \
|
|
gs://$PROJECT_ID-deployed-tags/nomulus.${_ENV}.versions
|
|
|
|
timeout: 3600s
|
|
options:
|
|
machineType: 'E2_HIGHCPU_32'
|