zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-04-29 19:47:51 +02:00
Code Issues Projects Releases Packages Wiki Activity
google-nomulus/release/cloudbuild-schema-deploy.yaml
Weimin Yu fed5f1c5fa Use SecretManager for nomulus-tool-cloudbuild cred (#1188) 
* Use SecretManager for nomulus-tool-cloudbuild cred

Store cloudbuild's nomulus-tool credential in SecretManager and make the
deployment pipeline load it from the SecretManager.

The tool-credential.json.enc file in the
gs://domain-registry-dev-deploy/secrets folder is no longer needed.
2021-06-02 09:32:57 -04:00

94 lines
3.2 KiB
YAML
Raw Blame History

# To run the build locally, install cloud-build-local first.
# Then run:
# cloud-build-local --config=cloudbuild-schema-deploy.yaml --dryrun=false \
# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
#
# This will deploy Cloud SQL schema release with tag value ${TAG_NAME} to
# the environment specified by ${_ENV}.
#
# To manually trigger a build on GCB, run:
# gcloud builds submit --config=cloudbuild-schema-deploy.yaml \
# --substitutions=TAG_NAME=[TAG],_ENV=[ENV] ..
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# Note that the release process hardens the tags and variables in this file:
# - The 'latest' tag on docker images will be replaced by their image digests.
# - The ${TAG_NAME} pattern will be replaced by the actual release tag.
# - The ${_ENV} pattern will be replaced by the actual environment name.
# Please refer to ./cloudbuild-release.yaml for more details.
# Note 2: to work around issue in Spinnaker's 'Deployment Manifest' stage,
# variable references must avoid the ${var} format. Valid formats include
# $var or ${"${var}"}. This file use the former. Since TAG_NAME and _ENV are
# expanded in the copies sent to Spinnaker, we preserve the brackets around
# them for safe pattern matching during release.
# See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
steps:
# Download and decrypt the nomulus tool credential, which has the privilege to
# start Cloud SQL proxy to all environments. This credential is also used to
# authenticate the nomulus tool when fetching the schema deployer credential in
# the next step.
- name: 'gcr.io/$PROJECT_ID/builder:latest'
volumes:
- name: 'secrets'
path: '/secrets'
entrypoint: /bin/bash
args:
- -c
- |
set -e
gcloud secrets versions access latest \
--secret nomulus-tool-cloudbuild-credential \
> /secrets/cloud_sql_credential.json
# Fetch the Cloud SQL credential for schema_deployer
- name: 'gcr.io/$PROJECT_ID/nomulus-tool:latest'
volumes:
- name: 'secrets'
path: '/secrets'
args:
- -e
- ${_ENV}
- --credential
- /secrets/cloud_sql_credential.json
- get_sql_credential
- --user
- schema_deployer
- --output
- /secrets/schema_deployer_credential.dec
# Download the schema jar to be deployed.
- name: 'gcr.io/$PROJECT_ID/builder:latest'
volumes:
- name: 'flyway'
path: '/flyway/jars'
entrypoint: /bin/bash
args:
- -c
- |
set -e
gsutil cp gs://$PROJECT_ID-deploy/${TAG_NAME}/schema.jar \
/flyway/jars
# Deploy SQL schema
- name: 'gcr.io/$PROJECT_ID/schema_deployer:latest'
volumes:
- name: 'secrets'
path: '/secrets'
- name: 'flyway'
path: '/flyway/jars'
args: ['migrate']
# Save the deployed tag for the current environment on GCS to a well-known.
# location. Do not use the 'artifacts' section for this since it will
# upload an extra metadata file every time and pollute the folder.
# TODO(weiminyu): modify this step so that TAG_NAME may be 'live'.
- name: 'gcr.io/$PROJECT_ID/builder:latest'
entrypoint: /bin/bash
args:
- -c
- |
set -e
echo ${TAG_NAME} | \
gsutil cp - gs://$PROJECT_ID-deployed-tags/sql.${_ENV}.tag\
timeout: 3600s
options:
machineType: 'E2_HIGHCPU_32'
Reference in a new issue View git blame Copy permalink