mirror of
https://github.com/google/nomulus.git
synced 2025-08-04 08:52:12 +02:00
655f05c58c
* Update cloudbuild-nomulus to save standardTest logs to GCS * Remove step changes from cloudbuild-nomulus
86 lines
3.4 KiB
YAML
86 lines
3.4 KiB
YAML
# This will generate a new SSL certificate and apply it to the probers in the
|
|
# environment specified by ${_ENV}.
|
|
#
|
|
# To manually trigger a build on GCB, run:
|
|
# gcloud builds submit --config=cloudbuild-renew-prober-certs.yaml \
|
|
# --substitutions=_ENV=[ENV] ..
|
|
#
|
|
# To manually trigger a build on GCB using a released version, with TAG being
|
|
# the release tag and _ENV being the environment, run:
|
|
# cd $(mktemp -d);
|
|
# gcloud storage cp \
|
|
# gs://domain-registry-dev-deploy/{TAG}/cloudbuild-renew-prober-certs-{_ENV}.yaml .
|
|
# gcloud builds submit --config="./cloudbuild-renew-prober-certs-{_ENV}.yaml"
|
|
#
|
|
# To trigger a build automatically, follow the instructions below and add a trigger:
|
|
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
|
|
#
|
|
# Note that the release process hardens the tags and variables in this file:
|
|
# - The 'latest' tag on docker images will be replaced by their image digests.
|
|
# - The ${_ENV} pattern will be replaced by the actual environment name.
|
|
# Please refer to ./cloudbuild-release.yaml for more details.
|
|
steps:
|
|
# Generate new SSL certs
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
# Download the CA certificate files for signing the new certificate.
|
|
gcloud storage cp gs://$PROJECT_ID-prober-certs/ca.* .
|
|
# Get the passphrase
|
|
gcloud secrets versions access latest \
|
|
--secret=epp-prober-passphrase-${_ENV} \
|
|
--out-file=./passphrase.txt
|
|
openssl req -new -newkey rsa:4096 -nodes \
|
|
-out prober-client-tls.req \
|
|
-keyout prober-client-tls.key \
|
|
-subj "/C=US/ST=New York/L=New York/O=Google/OU=gTLD/CN=Google Registry/emailAddress=example@example.com" \
|
|
-passout file:./passphrase.txt
|
|
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -days 398 \
|
|
-in prober-client-tls.req \
|
|
-out prober-client-tls.pem
|
|
openssl pkcs12 -export -in prober-client-tls.pem \
|
|
-inkey prober-client-tls.key -out prober-client-tls.p12 \
|
|
-password file:./passphrase.txt
|
|
# Download the nomulus-tools credential, which has the privilege to invoke tools
|
|
# commands. Also download the list of probers.
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
# Download the list of prober registrars in a file.
|
|
prober_list_name=prober_registrars.${_ENV}
|
|
gcloud storage cp \
|
|
gs://$PROJECT_ID-prober-certs/$prober_list_name ./prober-list
|
|
# Get the nomulus-tools credential, which is needed by the next step for
|
|
# invoking nomulus-tools commands.
|
|
gcloud secrets versions access latest \
|
|
--secret nomulus-tool-cloudbuild-credential \
|
|
> nomulus_tool_credential.json
|
|
# Install the new pem cert in the Nomulus server. After this step, both the
|
|
# current cert and the new cert are accepted for login by the server.
|
|
- name: 'gcr.io/$PROJECT_ID/prober_cert_updater:latest'
|
|
args:
|
|
- ${_ENV}
|
|
- ./prober-client-tls.pem
|
|
- ./prober-list
|
|
- ./nomulus_tool_credential.json
|
|
# Add the p12 cert to SecretManager. Prober instances will start using this
|
|
# cert when they restart.
|
|
- name: 'gcr.io/$PROJECT_ID/builder:latest'
|
|
entrypoint: /bin/bash
|
|
args:
|
|
- -c
|
|
- |
|
|
set -e
|
|
if [ ${_ENV} == production ]; then
|
|
secret_id="prober-keys"
|
|
else
|
|
secret_id="prober-keys-${_ENV}"
|
|
fi
|
|
gcloud secrets versions add $secret_id \
|
|
--data-file="./prober-client-tls.p12"
|