forked from google/nomulus
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudbuild-nomulus.yaml
211 lines (211 loc) · 9.39 KB
/
cloudbuild-nomulus.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
# To manually trigger a build on GCB, run:
# gcloud builds submit --config cloudbuild-nomulus.yaml --substitutions TAG_NAME=[TAG] ..
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
steps:
# Create a directory to store the artifacts
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
args: ['mkdir', 'nomulus']
# Run tests
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
# Set home for Gradle caches. Must be consistent with last step below
# and ./build_nomulus_for_env.sh
env: [ 'GRADLE_USER_HOME=/workspace/cloudbuild-caches' ]
args: ['./gradlew',
'test',
'-PskipDockerIncompatibleTests=true',
'-PmavenUrl=gcs://domain-registry-maven-repository/maven',
'-PpluginsUrl=gcs://domain-registry-maven-repository/plugins'
]
# Build and package the deployment files for each environment, and the tool
# binary and image.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
# Set home for Gradle caches. Must be consistent with last step below
# and ./build_nomulus_for_env.sh
env: [ 'GRADLE_USER_HOME=/workspace/cloudbuild-caches' ]
entrypoint: /bin/bash
args:
- -c
- |
for _env in tool alpha crash sandbox production
do
release/build_nomulus_for_env.sh $${_env} output
done
# Save TAG_NAME in ./output/tag_name, to be uploaded later. This file is purely
# informational. It makes it easier to tell the tag of the current 'live' release.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
args: [ '-c', 'echo ${TAG_NAME} > output/tag_name' ]
# Build Nomulus, tool and proxy image, them upload them to GCR.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
# Set home for Gradle caches. Must be consistent with last step below
# and ./build_nomulus_for_env.sh
env: [ 'GRADLE_USER_HOME=/workspace/cloudbuild-caches' ]
entrypoint: /bin/bash
args:
- -c
- |
./gradlew :jetty:buildNomulusImage :proxy:buildProxyImage :core:buildToolImage\
-PmavenUrl=gcs://domain-registry-maven-repository/maven \
-PpluginsUrl=gcs://domain-registry-maven-repository/plugins
docker tag nomulus gcr.io/${PROJECT_ID}/nomulus:${TAG_NAME}
docker tag nomulus gcr.io/${PROJECT_ID}/nomulus:latest
docker push gcr.io/${PROJECT_ID}/nomulus:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/nomulus:latest
docker tag proxy gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
docker tag proxy gcr.io/${PROJECT_ID}/proxy:latest
docker push gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/proxy:latest
docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
docker tag nomulus-tool gcr.io/${PROJECT_ID}/nomulus-tool:latest
docker push gcr.io/${PROJECT_ID}/nomulus-tool:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/nomulus-tool:latest
# Sign nomulus and proxy images.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
args:
- -c
- |
nomulus_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/nomulus \
--format="get(digest)" --filter="tags = ${TAG_NAME}")
proxy_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
--format="get(digest)" --filter="tags = ${TAG_NAME}")
gcloud --project=${PROJECT_ID} beta container binauthz attestations \
sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/nomulus@$nomulus_digest \
--attestor=build-attestor --attestor-project=${PROJECT_ID} \
--keyversion-project=${PROJECT_ID} --keyversion-location=global \
--keyversion-keyring=attestor-keys --keyversion-key=signing \
--keyversion=1
gcloud --project=${PROJECT_ID} beta container binauthz attestations \
sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/proxy@$proxy_digest \
--attestor=build-attestor --attestor-project=${PROJECT_ID} \
--keyversion-project=${PROJECT_ID} --keyversion-location=global \
--keyversion-keyring=attestor-keys --keyversion-key=signing \
--keyversion=1
# Get the tool image digest and substitute in the digest in other GCB files.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
args:
- -c
- |
set -e
digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/nomulus-tool \
--format="get(digest)" --filter="tags = ${TAG_NAME}")
# schema-deploy and schema-verify scripts
sed -i s/nomulus-tool:latest/nomulus-tool@$digest/g release/cloudbuild-schema-*.yaml
# Build and upload the prober_cert_updater image. This image extends from the `builder` and the
# nomulus.jar built earlier.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
args:
- -c
- |
set -e
# The nomulus jar is not under the working dir. Must be copied over.
cp ../../output/nomulus.jar .
docker build -t gcr.io/${PROJECT_ID}/prober_cert_updater:${TAG_NAME} \
--build-arg TAG_NAME=${TAG_NAME} --build-arg PROJECT_ID=${PROJECT_ID} .
docker tag gcr.io/${PROJECT_ID}/prober_cert_updater:${TAG_NAME} \
gcr.io/${PROJECT_ID}/prober_cert_updater:latest
docker push gcr.io/${PROJECT_ID}/prober_cert_updater:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/prober_cert_updater:latest
dir: 'release/prober-cert-updater/'
# Build and upload the db_object_updater image. This image extends from the `builder` and the
# nomulus.jar built earlier.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
args:
- -c
- |
set -e
# The nomulus jar is not under the working dir. Must be copied over.
cp ../../output/nomulus.jar .
docker build -t gcr.io/${PROJECT_ID}/db_object_updater:${TAG_NAME} \
--build-arg TAG_NAME=${TAG_NAME} --build-arg PROJECT_ID=${PROJECT_ID} .
docker tag gcr.io/${PROJECT_ID}/db_object_updater:${TAG_NAME} \
gcr.io/${PROJECT_ID}/db_object_updater:latest
docker push gcr.io/${PROJECT_ID}/db_object_updater:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/db_object_updater:latest
dir: 'release/db-object-updater/'
# Build and stage Dataflow Flex templates.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
# Set home for Gradle caches. Must be consistent with the previous steps above
# and ./build_nomulus_for_env.sh
env: [ 'GRADLE_USER_HOME=/workspace/cloudbuild-caches' ]
args:
- -c
- |
./release/stage_beam_pipeline.sh \
beamPipelineCommon \
beam_pipeline_common \
${TAG_NAME} \
${PROJECT_ID} \
google.registry.beam.spec11.Spec11Pipeline \
google/registry/beam/spec11_pipeline_metadata.json \
google.registry.beam.billing.InvoicingPipeline \
google/registry/beam/invoicing_pipeline_metadata.json \
google.registry.beam.billing.ExpandBillingRecurrencesPipeline \
google/registry/beam/expand_billing_recurrences_pipeline_metadata.json \
google.registry.beam.rde.RdePipeline \
google/registry/beam/rde_pipeline_metadata.json \
google.registry.beam.resave.ResaveAllEppResourcesPipeline \
google/registry/beam/resave_all_epp_resources_pipeline_metadata.json \
google.registry.beam.wipeout.WipeOutContactHistoryPiiPipeline \
google/registry/beam/wipe_out_contact_history_pii_pipeline_metadata.json
# Tentatively build and publish Cloud SQL schema jar here, before the schema release process is
# finalized. Also publish nomulus:core jars that are needed for server/schema compatibility tests.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
# Set home for Gradle caches. Must be consistent with previous steps above
# and ./build_nomulus_for_env.sh
env: [ 'GRADLE_USER_HOME=/workspace/cloudbuild-caches' ]
args:
- -c
- |
set -e
./gradlew \
:db:publish \
-PmavenUrl=gcs://domain-registry-maven-repository/maven \
-PpluginsUrl=gcs://domain-registry-maven-repository/plugins \
-Ppublish_repo=gcs://${PROJECT_ID}-deployed-tags/maven \
-Pschema_version=${TAG_NAME}
./gradlew \
:core:publish \
-PmavenUrl=gcs://domain-registry-maven-repository/maven \
-PpluginsUrl=gcs://domain-registry-maven-repository/plugins \
-Ppublish_repo=gcs://${PROJECT_ID}-deployed-tags/maven \
-Pnomulus_version=${TAG_NAME}
# Upload schema jar for use by schema deployment.
# TODO(weiminyu): consider using the jar in maven repo during deployment and
# stop the upload here.
cp db/build/libs/schema.jar output/
# The tarballs and jars to upload to GCS.
artifacts:
objects:
location: 'gs://${PROJECT_ID}-deploy/${TAG_NAME}'
paths:
- 'output/*.tar'
- 'output/tag_name'
- 'output/nomulus.jar'
- 'output/schema.jar'
- 'core/src/main/java/google/registry/config/files/nomulus-config-*.yaml'
- 'core/src/main/java/google/registry/config/files/cloud-tasks-queue.xml'
- 'core/src/main/java/google/registry/config/files/tasks/cloud-scheduler-tasks-*.xml'
- 'release/cloudbuild-sync-and-tag.yaml'
- 'release/cloudbuild-deploy-*.yaml'
- 'release/cloudbuild-delete-*.yaml'
- 'release/cloudbuild-schema-deploy-*.yaml'
- 'release/cloudbuild-schema-verify-*.yaml'
- 'release/cloudbuild-restart-proxies-*.yaml'
- 'jetty/kubernetes/*.yaml'
- 'jetty/kubernetes/gateway/*.yaml'
# The images are already uploaded, but we still need to include them there so that
# the GCB pubsub message contains them (for Spinnaker to consume).
images:
- 'gcr.io/${PROJECT_ID}/nomulus:${TAG_NAME}'
- 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}'
timeout: 7200s
options:
machineType: 'E2_HIGHCPU_32'