
Merge branch 'release/v3.0.0'

andrejusk committed May 18, 2019
2 parents 6e86094 + 0d71392 commit dad369148cb0a39d07aa119a90ee59b8dbd0d486
@@ -0,0 +1,5 @@
{
"projects": {
"default": "andrejus-web"
}
}
@@ -0,0 +1,38 @@
---
name: Bug report
about: Create a report to help improve the site
title: "[BUG] Report"
labels: "bug \U0001F41E"
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Browser [e.g. chrome, safari]
- Version [e.g. 22]

**Smartphone (please complete the following information):**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Browser [e.g. stock browser, safari]
- Version [e.g. 22]

**Additional context**
Add any other context about the problem here.
@@ -1,3 +1,3 @@
[submodule "themes/hugo-alageek-theme"]
path = themes/hugo-alageek-theme
url = https://github.com/gkmngrgn/hugo-alageek-theme
[submodule "themes/hugo-psi-theme"]
path = themes/hugo-psi-theme
url = https://github.com/andrejusk/hugo-psi-theme
@@ -0,0 +1,7 @@
andrejusk.github.io (c) by Andrejus Kostarevas

andrejusk.github.io is licensed under a
Creative Commons Attribution-ShareAlike 4.0 International License.

You should have received a copy of the license along with this
work. If not, see <http://creativecommons.org/licenses/by-sa/4.0/>.
107 README.md
@@ -1 +1,106 @@
# andrejusk.github.io
# [andrejus.uk](https://andrejus.uk/)

Built and deployed with Google Cloud.

Actual README.md coming eventually. GCP documentation in the meantime.

## Container Registry Images

We'll need a Hugo builder image and a Firebase deployer image for the Cloud Build steps, along with the default gcloud images.

For the Hugo builder image, run the following in Cloud Shell [[1]].
```sh
### Clone community cloud builders repo
git clone https://github.com/andrejusk/cloud-builders-community.git
### Navigate to Hugo (cloud-builders-community)
cd cloud-builders-community/hugo
### Build Hugo image
gcloud builds submit --config cloudbuild.yaml .
```

Firebase deployer image for prod [[1]]. Run after above.
```sh
### Navigate to Firebase (cloud-builders-community)
cd ../firebase
### Permissions fix
chmod +x firebase.bash
### Build Firebase image
gcloud builds submit --config cloudbuild.yaml .
```

## KMS for Production Deployment

The Firebase deployer needs a token to authenticate. Creating a deployment token and encrypting it [[2]]. Run locally or in Cloud Shell.

```sh
### Generate new token to be encrypted
firebase login:ci
```

Run in Cloud Shell.

```sh
### Set token as envrionment variable
TOKEN=<GENERATED_TOKEN>
```

If KMS not used before.
```sh
### Enable Cryptographic Keys service
gcloud services enable cloudkms.googleapis.com
```


```sh
#### Create a keyring for Cloud Build
gcloud kms keyrings create cloudbuilder --location global
#### Create a key for the Firebase token
gcloud kms keys create firebase-token --location global --keyring cloudbuilder --purpose encryption
#### Create the encrypted token
echo -n $TOKEN | gcloud kms encrypt \
--plaintext-file=- \
--ciphertext-file=- \
--location=global \
--keyring=cloudbuilder \
--key=firebase-token | base64
```

Now add the encrypted token to the [cloudbuild.yaml](cloudbuild.yaml) definition, as follows.

```yaml
secrets:
- kmsKeyName: 'projects/<PROJECT_ID>/locations/global/keyRings/cloudbuilder/cryptoKeys/firebase-token'
secretEnv:
FIREBASE_TOKEN: '<ENCRYPTED_TOKEN>'
```

## IAM for Deployments

The Firebase deployment token was encrypted using a KMS key. By default, the Cloud Builder's service account cannot access other GCP services, and hence cannot access the key to decrypt the token.

To allow Cloud Build to decrypt the key.

Grant `<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com`
the IAM `Cloud KMS CryptoKey Decrypter` role.

To allow Cloud Build to deploy to App Engine.

Grant `<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com`
the IAM `App Engine Admin` role.

## References

[1]: https://robertsahlin.com/serverless-static-blog-powered-by-hugo-github-cloud-build-and-firebase/
[[1]] - R. Sahlin,
_Serverless Static Blog powered by Hugo, Github, Cloud Build and Firebase_,
August 3, 2018.

[2]: https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/firebase
[[2]] - GoogleCloudPlatform,
_cloud-builders-community/firebase_.
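Review bot: In the "KMS for Production Deployment" section, `TOKEN=<GENERATED_TOKEN>` followed by `echo -n $TOKEN | gcloud kms encrypt` can leave the plaintext Firebase CI token in shell history and expands it unquoted. Suggest reading it without echo (`read -rs TOKEN`), piping it with `printf '%s' "$TOKEN"`, and running `unset TOKEN` afterwards. In "IAM for Deployments", `App Engine Admin` is broader than a deploy step needs, and the text does not say at which level `Cloud KMS CryptoKey Decrypter` is bound; state that the decrypter binding goes on the `firebase-token` key only, and consider a narrower App Engine role such as `App Engine Deployer`. The clone step also pulls from the `andrejusk/cloud-builders-community` fork while reference [2] cites the GoogleCloudPlatform repository; a sentence on why the fork is used would help anyone auditing what goes into the builder images.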
@@ -0,0 +1,16 @@
runtime: python27
api_version: 1
threadsafe: true

handlers:
- url: /$
static_files: public/index.html
upload: public/index.html

- url: /(.*)/$
static_files: public/\1/index.html
upload: public/.*/index.html

- url: /(.+)
static_files: public/\1
upload: public/(.*)
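Review bot: None of the three entries under `handlers:` sets `secure: always`, so App Engine keeps the default and serves these static files over plain HTTP as well as HTTPS; add `secure: always` to each handler so HTTP requests are redirected. The catch-all `upload: public/(.*)` on the last handler uploads every file under `public/`, so it is worth confirming the Hugo output directory contains only files meant to be published.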

This file was deleted.
